author | Alan Modra <amodra@gmail.com> | 2020-03-25 22:25:37 +1030 |
---|---|---|
committer | Alan Modra <amodra@gmail.com> | 2020-03-25 22:31:07 +1030 |
commit | 4c83662712f80abe9a7d8ef645123347a9de7adb (patch) | |
tree | 69a20581d3c5783b3e51f0a959f0124a9b387ee2 | |
parent | aac88046e6cccf13fc408fc4e515aaf2548fe898 (diff) | |
readelf looping in process_archive
With a crafted "negative" ar_hdr.ar_size it is possible to make
readelf loop. This patch catches the overflow in a file offset
calculation.
* readelf.c (process_archive): Prevent endless loop.
-rw-r--r-- | binutils/ChangeLog | 4 | ||||
-rw-r--r-- | binutils/readelf.c | 6 |
2 files changed, 8 insertions, 2 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index accd265..2f551f1 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,7 @@
+2020-03-25 Alan Modra <amodra@gmail.com>
+
+ * readelf.c (process_archive): Prevent endless loop.
+
 2020-03-24 H.J. Lu <hongjiu.lu@intel.com>
 PR binutils/25708
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 1f0f492..9bc15e4 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -20505,11 +20505,13 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
 {
 free (name);
 archive_file_offset = arch.next_arhdr_offset;
- arch.next_arhdr_offset += archive_file_size;
-
 filedata->file_name = qualified_name;
 if (! process_object (filedata))
 ret = FALSE;
+ arch.next_arhdr_offset += archive_file_size;
+ /* Stop looping with "negative" archive_file_size. */
+ if (arch.next_arhdr_offset < archive_file_size)
+ break;
 }
 free (qualified_name); |
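Review bot: The added `break;` in the readelf.c hunk sits inside the braces that close just before `free (qualified_name);`, so on the overflow path that free is skipped, and the loop is left without touching `ret` or printing a diagnostic. A malformed archive would then be cut short silently and, as far as the hunk shows, still reported as processed successfully. Consider setting `ret = FALSE;` and reporting the corrupt member size before the `break;`, and releasing `qualified_name` there if nothing after the loop still reads it (`filedata->file_name` points at it at that moment). The test `arch.next_arhdr_offset < archive_file_size` detects wraparound only if both operands are unsigned; their declarations are outside the hunk, so that is worth confirming. process_archive starts and ends outside this hunk, so the loop structure is inferred from the visible braces.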