From 4c83662712f80abe9a7d8ef645123347a9de7adb Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Wed, 25 Mar 2020 22:25:37 +1030
Subject: [PATCH] readelf looping in process_archive

With a crafted "negative" ar_hdr.ar_size it is possible to make readelf loop. This patch catches the overflow in a file offset calculation.

	* readelf.c (process_archive): Prevent endless loop.
---
 binutils/ChangeLog | 4 ++++
 binutils/readelf.c | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index accd265007e..2f551f10316 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,7 @@
+2020-03-25 Alan Modra
+
+	* readelf.c (process_archive): Prevent endless loop.
+
 2020-03-24 H.J. Lu
 
 	PR binutils/25708
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 1f0f49222fd..9bc15e4d0b2 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -20505,11 +20505,13 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
 	{
 	  free (name);
 	  archive_file_offset = arch.next_arhdr_offset;
-	  arch.next_arhdr_offset += archive_file_size;
-
 	  filedata->file_name = qualified_name;
 	  if (! process_object (filedata))
 	    ret = FALSE;
+	  arch.next_arhdr_offset += archive_file_size;
+	  /* Stop looping with "negative" archive_file_size.  */
+	  if (arch.next_arhdr_offset < archive_file_size)
+	    break;
 	}
 
       free (qualified_name);
-- 
2.30.2
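Review bot: The new `if (arch.next_arhdr_offset < archive_file_size) break;` is an exact unsigned-wraparound test (for unsigned operands, `a + b < b` holds iff the addition wrapped), but it runs only after `process_object (filedata)` has already been called with the crafted `archive_file_size`, so the member is still processed once with a size that cannot fit in the file; if `process_object` does not itself bound its reads by the remaining file size, a range check on `archive_file_size` before the call would be the stronger guard. The test also relies on both `arch.next_arhdr_offset` and `archive_file_size` being unsigned; a signed type would make the comparison meaningless and the `+=` itself undefined behaviour, which the hunk does not let a reader confirm. A non-wrapping `next_arhdr_offset` that merely lies past the end of the file is not caught here and presumably fails on the next header read — worth saying in the comment. I would make the comment name the mechanism rather than the symptom, e.g. `/* A crafted ar_size can wrap the offset; unsigned wraparound shows as the sum being smaller than the addend.  Anything else past EOF is caught by the next header read.  */`. process_archive begins and ends outside this hunk.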