From 97b031c5d6d42ff2b1758a8a8c332cb44ba9c06f Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Wed, 7 Aug 2019 18:53:09 +0930
Subject: [PATCH] PR24644, OOM-Bug in _bfd_archive_64_bit_slurp_armap

PR 24644
* archive64.c (_bfd_archive_64_bit_slurp_armap): Properly check for overflow in expressions involving nsymz.
---
 bfd/ChangeLog | 6 ++++++
 bfd/archive64.c | 9 ++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index ae30d7e94b9..6958ed70f17 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2019-08-07 Alan Modra
+
+ PR 24644
+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Properly check
+ for overflow in expressions involving nsymz.
+
 2019-08-01 Ilia Diachkov
 
 * elfnn-riscv.c (_bfd_riscv_relax_lui): Set lui relax safety area to
diff --git a/bfd/archive64.c b/bfd/archive64.c
index 42f6ed92f09..a2c628e2b55 100644
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -90,7 +90,14 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
 ptrsize = 8 * nsymz;
 
 amt = carsym_size + stringsize + 1;
- if (carsym_size < nsymz || ptrsize < nsymz || amt < nsymz)
+ if (/* Catch overflow in stringsize (and ptrsize) expression. */
+ nsymz >= (bfd_size_type) -1 / 8
+ || stringsize > parsed_size
+ /* Catch overflow in carsym_size expression. */
+ || nsymz > (bfd_size_type) -1 / sizeof (carsym)
+ /* Catch overflow in amt expression. */
+ || amt <= carsym_size
+ || amt <= stringsize)
 {
 bfd_set_error (bfd_error_malformed_archive);
 return FALSE;
--
2.30.2
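Review bot: The new bound `stringsize > parsed_size` in the archive64.c hunk is only as tight as `parsed_size` itself, and nothing in the hunk shows `parsed_size` being compared with the real size of the archive file. If that value is taken from the armap header unchecked (to be confirmed in the part of the function above the hunk), an archive that declares a far larger map than it holds still passes every test in the new condition, so `amt` stays large and the out-of-memory case from the PR is narrowed rather than closed. Before the size arithmetic I would reject the map when the file size is known and smaller than the declared size, along the lines of `if (filesize != 0 && parsed_size > filesize)` with `filesize` taken from `bfd_get_file_size (abfd)`, setting `bfd_error_malformed_archive` as the existing branch does. Separately, `(bfd_size_type) -1 / 8` relies on the cast binding tighter than the division; `((bfd_size_type) -1) / 8` reads unambiguously. The function body starts and ends outside the hunk.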