Large memory allocation reading fuzzed 64-bit archive
This patch adds a sanity check for the size of an armap. * archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size against file size before allocating memory. Use bfd_alloc rather than bfd_zalloc for carsym/strings memory.
parent
8a7adb414e
commit
6f8f95b4c4
|
@ -1,3 +1,9 @@
|
||||||
|
2020-03-05 Alan Modra <amodra@gmail.com>
|
||||||
|
|
||||||
|
* archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size
|
||||||
|
against file size before allocating memory. Use bfd_alloc rather
|
||||||
|
than bfd_zalloc for carsym/strings memory.
|
||||||
|
|
||||||
2020-03-04 Alan Modra <amodra@gmail.com>
|
2020-03-04 Alan Modra <amodra@gmail.com>
|
||||||
|
|
||||||
* elf.c (elf_fake_sections): Ensure sh_addralign is such that
|
* elf.c (elf_fake_sections): Ensure sh_addralign is such that
|
||||||
|
|
|
@ -47,6 +47,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
|
||||||
bfd_byte *raw_armap = NULL;
|
bfd_byte *raw_armap = NULL;
|
||||||
carsym *carsyms;
|
carsym *carsyms;
|
||||||
bfd_size_type amt;
|
bfd_size_type amt;
|
||||||
|
ufile_ptr filesize;
|
||||||
|
|
||||||
ardata->symdefs = NULL;
|
ardata->symdefs = NULL;
|
||||||
|
|
||||||
|
@ -76,6 +77,13 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
|
||||||
parsed_size = mapdata->parsed_size;
|
parsed_size = mapdata->parsed_size;
|
||||||
free (mapdata);
|
free (mapdata);
|
||||||
|
|
||||||
|
filesize = bfd_get_file_size (abfd);
|
||||||
|
if (filesize != 0 && parsed_size > filesize)
|
||||||
|
{
|
||||||
|
bfd_set_error (bfd_error_malformed_archive);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
if (bfd_bread (int_buf, 8, abfd) != 8)
|
if (bfd_bread (int_buf, 8, abfd) != 8)
|
||||||
{
|
{
|
||||||
if (bfd_get_error () != bfd_error_system_call)
|
if (bfd_get_error () != bfd_error_system_call)
|
||||||
|
@ -102,7 +110,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
|
||||||
bfd_set_error (bfd_error_malformed_archive);
|
bfd_set_error (bfd_error_malformed_archive);
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
ardata->symdefs = (struct carsym *) bfd_zalloc (abfd, amt);
|
ardata->symdefs = (struct carsym *) bfd_alloc (abfd, amt);
|
||||||
if (ardata->symdefs == NULL)
|
if (ardata->symdefs == NULL)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
carsyms = ardata->symdefs;
|
carsyms = ardata->symdefs;
|
||||||
|
|
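Review bot: The new bound in the second hunk is skipped whenever `bfd_get_file_size (abfd)` returns 0, so for an input whose size cannot be determined the `parsed_size` taken from the archive header is still unchecked before the allocation; that limit should be stated at the check, e.g. `/* A zero filesize means the size is unknown, so parsed_size is not bounded here.  */`. The comparison is against the whole file size rather than the bytes left after the current offset, so it is a coarse sanity limit and the later `bfd_bread` length checks remain the real guard against short data. With the last hunk switching `bfd_zalloc` to `bfd_alloc`, `ardata->symdefs` and the string area are no longer zero-filled, so every carsym entry and the string terminator must be written before anything reads them. That fill code and the error paths that release `symdefs` are outside the visible hunks and should be confirmed, since `_bfd_archive_64_bit_slurp_armap` starts and ends outside them.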