aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Modra <amodra@gmail.com>2024-05-04 19:15:49 +0930
committerAlan Modra <amodra@gmail.com>2024-05-04 19:20:24 +0930
commitc7a1fe2286e6f68c8bd0cef12feca4ade2451a25 (patch)
tree059133eb6c68d3c7c238609549af730cfc9a7227
parentc479e964a86984cbf3278845615c04ada8adfb50 (diff)
downloadgdb-c7a1fe2286e6f68c8bd0cef12feca4ade2451a25.zip
gdb-c7a1fe2286e6f68c8bd0cef12feca4ade2451a25.tar.gz
gdb-c7a1fe2286e6f68c8bd0cef12feca4ade2451a25.tar.bz2
bus error with fuzzed archive element
* libbfd.c (bfd_mmap_local): Sanity check rsize against actual file offset and size, not an archive element offset and size.
-rw-r--r--bfd/libbfd.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/bfd/libbfd.c b/bfd/libbfd.c
index 747b69e..5386847 100644
--- a/bfd/libbfd.c
+++ b/bfd/libbfd.c
@@ -1072,7 +1072,18 @@ static void *
bfd_mmap_local (bfd *abfd, size_t rsize, int prot, void **map_addr,
size_t *map_size)
{
- ufile_ptr filesize = bfd_get_file_size (abfd);
+ /* We mmap on the underlying file. In an archive it might be nice
+ to limit RSIZE to the element size, but that can be fuzzed and
+ the offset returned by bfd_tell is relative to the start of the
+ element. Therefore to reliably stop access beyond the end of a
+ file (and resulting bus errors) we must work with the underlying
+ file offset and size, and trust that callers will limit access to
+ within an archive element. */
+ while (abfd->my_archive != NULL
+ && !bfd_is_thin_archive (abfd->my_archive))
+ abfd = abfd->my_archive;
+
+ ufile_ptr filesize = bfd_get_size (abfd);
ufile_ptr offset = bfd_tell (abfd);
if (filesize < offset || filesize - offset < rsize)
{