alpha-coff: large memory allocation

	* coff-alpha.c (alpha_ecoff_get_elt_at_filepos): Provide an upper
	limit to decompressed element size.

2 files changed, 14 insertions, 0 deletions

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index d37c2cd..683bcfe 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,10 @@
 2020-03-02  Alan Modra  <amodra@gmail.com>
 
+	* coff-alpha.c (alpha_ecoff_get_elt_at_filepos): Provide an upper
+	limit to decompressed element size.
+
+2020-03-02  Alan Modra  <amodra@gmail.com>
+
 	* vms-lib.c (vms_traverse_index): Add recur_count param and
 	update calls.  Fail on excessive recursion.
 
diff --git a/bfd/coff-alpha.c b/bfd/coff-alpha.c
index 4b39bcc..9a3ac089 100644
--- a/bfd/coff-alpha.c
+++ b/bfd/coff-alpha.c
@@ -2050,6 +2050,7 @@ alpha_ecoff_get_elt_at_filepos (bfd *archive, file_ptr filepos)
   bfd_size_type size;
   bfd_byte *buf, *p;
   struct bfd_in_memory *bim;
+  ufile_ptr filesize;
 
   buf = NULL;
   nbfd = _bfd_get_elt_at_filepos (archive, filepos);
@@ -2083,6 +2084,14 @@ alpha_ecoff_get_elt_at_filepos (bfd *archive, file_ptr filepos)
     goto error_return;
   size = H_GET_64 (nbfd, ab);
 
+  /* The decompression algorithm will at most expand by eight times.  */
+  filesize = bfd_get_file_size (archive);
+  if (filesize != 0 && size / 8 > filesize)
+    {
+      bfd_set_error (bfd_error_malformed_archive);
+      goto error_return;
+    }
+
   if (size != 0)
     {
       bfd_size_type left;