diff options
| author | Alan Modra <amodra@gmail.com> | 2021-11-01 18:55:19 +1030 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2021-11-01 22:30:33 +1030 |
| commit | c908dea26fb62df567bfd3761f762168ea7b0746 (patch) | |
| tree | c91bd1df4b3a833e4117476e8facefa34de8488d /bfd | |
| parent | c27cdb4c534e0b52ea877b6800f832756ee16a2f (diff) | |
| download | gdb-c908dea26fb62df567bfd3761f762168ea7b0746.zip gdb-c908dea26fb62df567bfd3761f762168ea7b0746.tar.gz gdb-c908dea26fb62df567bfd3761f762168ea7b0746.tar.bz2 | |
macho-o archive sanity checks
Anti-fuzzing checks.
* mach-o.c (bfd_mach_o_fat_archive_p): Sanity check entry offset
and size against file size.
Diffstat (limited to 'bfd')
| -rw-r--r-- | bfd/mach-o.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/bfd/mach-o.c b/bfd/mach-o.c index 31a109b..1f0d4700 100644 --- a/bfd/mach-o.c +++ b/bfd/mach-o.c @@ -5509,6 +5509,7 @@ bfd_mach_o_fat_archive_p (bfd *abfd) struct mach_o_fat_header_external hdr; unsigned long i; size_t amt; + ufile_ptr filesize; if (bfd_seek (abfd, 0, SEEK_SET) != 0 || bfd_bread (&hdr, sizeof (hdr), abfd) != sizeof (hdr)) @@ -5538,6 +5539,7 @@ bfd_mach_o_fat_archive_p (bfd *abfd) if (adata->archentries == NULL) goto error; + filesize = bfd_get_file_size (abfd); for (i = 0; i < adata->nfat_arch; i++) { struct mach_o_fat_arch_external arch; @@ -5548,6 +5550,15 @@ bfd_mach_o_fat_archive_p (bfd *abfd) adata->archentries[i].offset = bfd_getb32 (arch.offset); adata->archentries[i].size = bfd_getb32 (arch.size); adata->archentries[i].align = bfd_getb32 (arch.align); + if (filesize != 0 + && (adata->archentries[i].offset > filesize + || (adata->archentries[i].size + > filesize - adata->archentries[i].offset))) + { + bfd_release (abfd, adata); + bfd_set_error (bfd_error_malformed_archive); + return NULL; + } } abfd->tdata.mach_o_fat_data = adata; |