From 6f8f95b4c4785e053f96b473039e244473a85ee5 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Thu, 5 Mar 2020 09:42:41 +1030
Subject: [PATCH] Large memory allocation reading fuzzed 64-bit archive

This patch adds a sanity check for the size of an armap.

	* archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size
	against file size before allocating memory. Use bfd_alloc rather
	than bfd_zalloc for carsym/strings memory.
---
 bfd/ChangeLog   | 6 ++++++
 bfd/archive64.c | 10 +++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 821978cf6a8..9f1a9424ae4 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-03-05 Alan Modra
+
+	* archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size
+	against file size before allocating memory. Use bfd_alloc rather
+	than bfd_zalloc for carsym/strings memory.
+
 2020-03-04 Alan Modra
 	* elf.c (elf_fake_sections): Ensure sh_addralign is such that
diff --git a/bfd/archive64.c b/bfd/archive64.c
index d4b0c3cf0cf..5e1443932ce 100644
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -47,6 +47,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
   bfd_byte *raw_armap = NULL;
   carsym *carsyms;
   bfd_size_type amt;
+  ufile_ptr filesize;
   ardata->symdefs = NULL;
@@ -76,6 +77,13 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
   parsed_size = mapdata->parsed_size;
   free (mapdata);
+  filesize = bfd_get_file_size (abfd);
+  if (filesize != 0 && parsed_size > filesize)
+    {
+      bfd_set_error (bfd_error_malformed_archive);
+      return FALSE;
+    }
+
   if (bfd_bread (int_buf, 8, abfd) != 8)
     {
       if (bfd_get_error () != bfd_error_system_call)
@@ -102,7 +110,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
       bfd_set_error (bfd_error_malformed_archive);
       return FALSE;
     }
-  ardata->symdefs = (struct carsym *) bfd_zalloc (abfd, amt);
+  ardata->symdefs = (struct carsym *) bfd_alloc (abfd, amt);
   if (ardata->symdefs == NULL)
     return FALSE;
   carsyms = ardata->symdefs;
-- 
2.30.2
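Review bot: The new guard `if (filesize != 0 && parsed_size > filesize)` is bypassed whenever bfd_get_file_size reports 0, so for an input whose size cannot be determined (presumably a non-regular or non-seekable file) the allocation further down is bounded only by the later amt computation and not by the file at all. That is very likely intentional, since refusing unknown-size inputs would break streamed archives, but the fallback deserves a comment at the check, e.g. `/* A file size of 0 means unknown; rely on the per-symbol bounds checks below.  */`. Note also that the comparison accepts a parsed_size equal to the entire file, so it only rejects grossly oversized armaps rather than ones that merely overrun the member. The rest of _bfd_archive_64_bit_slurp_armap, including the allocation this check protects, lies outside this hunk.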
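Review bot: Switching `ardata->symdefs` from bfd_zalloc to bfd_alloc drops the zero-fill, so the carsym array and the string table that the commit message says shares this block are now uninitialised until written, and every carsym field plus the string table's terminating NUL must be stored explicitly before any reader touches them. That filling code is outside the hunk, so I cannot confirm from here that it covers every entry on all paths, including a short bfd_bread of the string data. A one-line comment at the allocation would record the invariant for the next maintainer: `/* Not zeroed: every carsym and the string terminator are set below.  */`. The enclosing function continues past the end of the hunk.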