author | Nick Clifton <nickc@redhat.com> | 2021-04-30 12:11:35 +0100 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2021-04-30 12:11:35 +0100 |
commit | bceb87ef4da7948eb9f39584fb5b4a62f9ed4846 (patch) | |
tree | ae2633884fa07dec3bcc5ed5a25e78d29e9de9f0 /bfd/coff-rs6000.c | |
parent | 5536f0cc62309de740e678da87c11039dd7bfb35 (diff) | |
Fix illegal memory access when parsing a corrupt PE format file.
PR 27795
* coff-rs6000.c (_bfd_xcoff_read_ar_hdr): Check for invalid name
lengths.
Diffstat (limited to 'bfd/coff-rs6000.c')
-rw-r--r-- | bfd/coff-rs6000.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c
index 491efba..0745421 100644
--- a/bfd/coff-rs6000.c
+++ b/bfd/coff-rs6000.c
@@ -1619,6 +1619,8 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd)
 return NULL;
 GET_VALUE_IN_FIELD (namlen, hdr.namlen, 10);
+ if (namlen > bfd_get_file_size (abfd))
+ return NULL;
 amt = sizeof (struct areltdata) + SIZEOF_AR_HDR + namlen + 1;
 ret = (struct areltdata *) bfd_malloc (amt);
 if (ret == NULL)
@@ -1646,6 +1648,8 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd)
 return NULL;
 GET_VALUE_IN_FIELD (namlen, hdr.namlen, 10);
+ if (namlen > bfd_get_file_size (abfd))
+ return NULL;
 amt = sizeof (struct areltdata) + SIZEOF_AR_HDR_BIG + namlen + 1;
 ret = (struct areltdata *) bfd_malloc (amt);
 if (ret == NULL) |
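Review bot: The new guard `if (namlen > bfd_get_file_size (abfd))`, added identically in both hunks, treats a return of 0 from bfd_get_file_size as a real size; as far as I know that function returns 0 when the size cannot be determined, in which case every member with a non-empty name would be rejected. Consider `filesize = bfd_get_file_size (abfd); if (filesize != 0 && namlen > filesize)`, and set an error before returning, e.g. `bfd_set_error (bfd_error_malformed_archive);`, so callers can tell a corrupt header from a plain read failure. The bound is also loose, since it caps the attacker-controlled allocation at the whole file size rather than at the bytes remaining after the header; a comment such as `/* Sanity check: a member name cannot be longer than the file. */` would make that intent explicit. The declaration of namlen and the rest of _bfd_xcoff_read_ar_hdr lie outside the hunks, so whether the comparison is done on unsigned values could not be confirmed from here.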