From bceb87ef4da7948eb9f39584fb5b4a62f9ed4846 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Fri, 30 Apr 2021 12:11:35 +0100
Subject: Fix illegal memory access when parsing a corrupt PE format file.

	PR 27795
	* coff-rs6000.c (_bfd_xcoff_read_ar_hdr): Check for invalid name lengths.
---
 bfd/coff-rs6000.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'bfd/coff-rs6000.c')

diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c
index 491efba..0745421 100644
--- a/bfd/coff-rs6000.c
+++ b/bfd/coff-rs6000.c
@@ -1619,6 +1619,8 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd)
     return NULL;
 
   GET_VALUE_IN_FIELD (namlen, hdr.namlen, 10);
+  if (namlen > bfd_get_file_size (abfd))
+    return NULL;
   amt = sizeof (struct areltdata) + SIZEOF_AR_HDR + namlen + 1;
   ret = (struct areltdata *) bfd_malloc (amt);
   if (ret == NULL)
@@ -1646,6 +1648,8 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd)
     return NULL;
 
   GET_VALUE_IN_FIELD (namlen, hdr.namlen, 10);
+  if (namlen > bfd_get_file_size (abfd))
+    return NULL;
   amt = sizeof (struct areltdata) + SIZEOF_AR_HDR_BIG + namlen + 1;
   ret = (struct areltdata *) bfd_malloc (amt);
   if (ret == NULL)
-- 
cgit v1.1
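Review bot: The new length check in both hunks (the small-archive header at @@ -1619 and the big-archive header at @@ -1646) rejects a corrupt name length silently, because `return NULL` is reached without recording why, so a caller inspecting bfd_get_error sees whatever was set by an earlier call rather than a malformed-archive diagnosis; I would write `if (namlen > bfd_get_file_size (abfd)) { bfd_set_error (bfd_error_malformed_archive); return NULL; }` in both places. The file size is also only a loose upper bound: a name length just below it still passes and drives the `amt` computation and `bfd_malloc` on the following lines to an allocation close to the whole file, which a fuzzed archive can trigger deliberately; presumably the bytes remaining after the header (file size less the current stream position) would be the tighter limit, if the position at this point is known to sit right after the header — confirm against the read that precedes the hunk. Since the check is identical in both hunks, a short comment such as `/* PR 27795: a name cannot be longer than the file that holds it.  */` above each would tell the next reader why the file size is the bound. _bfd_xcoff_read_ar_hdr begins and ends outside both hunks.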