Prevent looping in archives

PR 19256 * archive.c (bfd_generic_openr_next_archived_file): Don't allow backward file movement via "negative" sizes. * coff-alpha.c (alpha_ecoff_openr_next_archived_file): Likewise.
2015-11-18 22:12:23 +10:30 · 2015-11-18 22:12:23 +10:30 · 4978e369fb
commit 4978e369fb
parent 47daa70fe0
3 changed files with 30 additions and 9 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,10 @@
+2015-11-18  Alan Modra  <amodra@gmail.com>
+
+	PR 19256
+	* archive.c (bfd_generic_openr_next_archived_file): Don't allow
+	backward file movement via "negative" sizes.
+	* coff-alpha.c (alpha_ecoff_openr_next_archived_file): Likewise.
+
 2015-11-18  Tristan Gingold  <gingold@adacore.com>

 	* mach-o.h (struct mach_o_data_struct): Add hdr_offset field.
--- a/bfd/archive.c
+++ b/bfd/archive.c
@ -786,21 +786,29 @@ bfd_openr_next_archived_file (bfd *archive, bfd *last_file)
 bfd *
 bfd_generic_openr_next_archived_file (bfd *archive, bfd *last_file)
 {
-  file_ptr filestart;
+  ufile_ptr filestart;

  if (!last_file)
    filestart = bfd_ardata (archive)->first_file_filepos;
  else
    {
-      bfd_size_type size = arelt_size (last_file);
-
      filestart = last_file->proxy_origin;
      if (! bfd_is_thin_archive (archive))
-	filestart += size;
-      /* Pad to an even boundary...
-	 Note that last_file->origin can be odd in the case of
-	 BSD-4.4-style element with a long odd size.  */
-      filestart += filestart % 2;
+	{
+	  bfd_size_type size = arelt_size (last_file);
+
+	  filestart += size;
+	  /* Pad to an even boundary...
+	     Note that last_file->origin can be odd in the case of
+	     BSD-4.4-style element with a long odd size.  */
+	  filestart += filestart % 2;
+	  if (filestart <= last_file->proxy_origin)
+	    {
+	      /* Prevent looping.  See PR19256.  */
+	      bfd_set_error (bfd_error_malformed_archive);
+	      return NULL;
+	    }
+	}
    }

  return _bfd_get_elt_at_filepos (archive, filestart);
--- a/bfd/coff-alpha.c
+++ b/bfd/coff-alpha.c
@ -2187,7 +2187,7 @@ alpha_ecoff_get_elt_at_filepos (bfd *archive, file_ptr filepos)
 static bfd *
 alpha_ecoff_openr_next_archived_file (bfd *archive, bfd *last_file)
 {
-  file_ptr filestart;
+  ufile_ptr filestart;

  if (last_file == NULL)
    filestart = bfd_ardata (archive)->first_file_filepos;
@ -2208,6 +2208,12 @@ alpha_ecoff_openr_next_archived_file (bfd *archive, bfd *last_file)
 	 BSD-4.4-style element with a long odd size.  */
      filestart = last_file->proxy_origin + size;
      filestart += filestart % 2;
+      if (filestart <= last_file->proxy_origin)
+	{
+	  /* Prevent looping.  See PR19256.  */
+	  bfd_set_error (bfd_error_malformed_archive);
+	  return NULL;
+	}
    }

  return alpha_ecoff_get_elt_at_filepos (archive, filestart);