Fix illegal memory access when parsing a corrupt PE format file.

PR 27795 * coff-rs6000.c (_bfd_xcoff_read_ar_hdr): Check for invalid name lengths.
author: Nick Clifton <nickc@redhat.com> 2021-04-30 12:11:35 +0100
committer: Nick Clifton <nickc@redhat.com> 2021-04-30 12:11:35 +0100
commit: bceb87ef4da7948eb9f39584fb5b4a62f9ed4846 (patch)
tree: ae2633884fa07dec3bcc5ed5a25e78d29e9de9f0 /bfd/coff-rs6000.c
parent: 5536f0cc62309de740e678da87c11039dd7bfb35 (diff)
download: fsf-binutils-gdb-bceb87ef4da7948eb9f39584fb5b4a62f9ed4846.zip
fsf-binutils-gdb-bceb87ef4da7948eb9f39584fb5b4a62f9ed4846.tar.gz
fsf-binutils-gdb-bceb87ef4da7948eb9f39584fb5b4a62f9ed4846.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c
index 491efba..0745421 100644
--- a/bfd/coff-rs6000.c
+++ b/bfd/coff-rs6000.c
@@ -1619,6 +1619,8 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd)
 	return NULL;
 
       GET_VALUE_IN_FIELD (namlen, hdr.namlen, 10);
+      if (namlen > bfd_get_file_size (abfd))
+	return NULL;
       amt = sizeof (struct areltdata) + SIZEOF_AR_HDR + namlen + 1;
       ret = (struct areltdata *) bfd_malloc (amt);
       if (ret == NULL)
@@ -1646,6 +1648,8 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd)
 	return NULL;
 
       GET_VALUE_IN_FIELD (namlen, hdr.namlen, 10);
+      if (namlen > bfd_get_file_size (abfd))
+	return NULL;
       amt = sizeof (struct areltdata) + SIZEOF_AR_HDR_BIG + namlen + 1;
       ret = (struct areltdata *) bfd_malloc (amt);
       if (ret == NULL)
author	Nick Clifton <nickc@redhat.com>	2021-04-30 12:11:35 +0100
committer	Nick Clifton <nickc@redhat.com>	2021-04-30 12:11:35 +0100
commit	bceb87ef4da7948eb9f39584fb5b4a62f9ed4846 (patch)
tree	ae2633884fa07dec3bcc5ed5a25e78d29e9de9f0 /bfd/coff-rs6000.c
parent	5536f0cc62309de740e678da87c11039dd7bfb35 (diff)
download	fsf-binutils-gdb-bceb87ef4da7948eb9f39584fb5b4a62f9ed4846.zip fsf-binutils-gdb-bceb87ef4da7948eb9f39584fb5b4a62f9ed4846.tar.gz fsf-binutils-gdb-bceb87ef4da7948eb9f39584fb5b4a62f9ed4846.tar.bz2