FreeChainXenon/binutils-gdb
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

readelf looping in process_archive

Browse source 
With a crafted "negative" ar_hdr.ar_size it is possible to make
readelf loop.  This patch catches the overflow in a file offset
calculation.

	* readelf.c (process_archive): Prevent endless loop.
This commit is contained in:
Alan Modra 2020-03-25 22:25:37 +10:30
parent aac88046e6
commit 4c83662712
2 changed files with 8 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
binutils/ChangeLog
View file

@ -1,3 +1,7 @@
2020-03-25 Alan Modra <amodra@gmail.com>
* readelf.c (process_archive): Prevent endless loop.
2020-03-24 H.J. Lu <hongjiu.lu@intel.com> 2020-03-24 H.J. Lu <hongjiu.lu@intel.com>
PR binutils/25708 PR binutils/25708

6
binutils/readelf.c
View file

@ -20505,11 +20505,13 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
{ {
free (name); free (name);
archive_file_offset = arch.next_arhdr_offset; archive_file_offset = arch.next_arhdr_offset;
arch.next_arhdr_offset += archive_file_size;
filedata->file_name = qualified_name; filedata->file_name = qualified_name;
if (! process_object (filedata)) if (! process_object (filedata))
ret = FALSE; ret = FALSE;
arch.next_arhdr_offset += archive_file_size;
/* Stop looping with "negative" archive_file_size. */
if (arch.next_arhdr_offset < archive_file_size)
break;
} }
free (qualified_name); free (qualified_name);