diff options
| author | Alan Modra <amodra@gmail.com> | 2024-05-04 19:15:49 +0930 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2024-05-04 19:20:24 +0930 |
| commit | c7a1fe2286e6f68c8bd0cef12feca4ade2451a25 (patch) | |
| tree | 059133eb6c68d3c7c238609549af730cfc9a7227 /bfd/libbfd.c | |
| parent | c479e964a86984cbf3278845615c04ada8adfb50 (diff) | |
| download | binutils-c7a1fe2286e6f68c8bd0cef12feca4ade2451a25.zip binutils-c7a1fe2286e6f68c8bd0cef12feca4ade2451a25.tar.gz binutils-c7a1fe2286e6f68c8bd0cef12feca4ade2451a25.tar.bz2 | |
bus error with fuzzed archive element
* libbfd.c (bfd_mmap_local): Sanity check rsize against actual
file offset and size, not an archive element offset and size.
Diffstat (limited to 'bfd/libbfd.c')
| -rw-r--r-- | bfd/libbfd.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/bfd/libbfd.c b/bfd/libbfd.c index 747b69e..5386847 100644 --- a/bfd/libbfd.c +++ b/bfd/libbfd.c @@ -1072,7 +1072,18 @@ static void * bfd_mmap_local (bfd *abfd, size_t rsize, int prot, void **map_addr, size_t *map_size) { - ufile_ptr filesize = bfd_get_file_size (abfd); + /* We mmap on the underlying file. In an archive it might be nice + to limit RSIZE to the element size, but that can be fuzzed and + the offset returned by bfd_tell is relative to the start of the + element. Therefore to reliably stop access beyond the end of a + file (and resulting bus errors) we must work with the underlying + file offset and size, and trust that callers will limit access to + within an archive element. */ + while (abfd->my_archive != NULL + && !bfd_is_thin_archive (abfd->my_archive)) + abfd = abfd->my_archive; + + ufile_ptr filesize = bfd_get_size (abfd); ufile_ptr offset = bfd_tell (abfd); if (filesize < offset || filesize - offset < rsize) { |