authorAlan Modra <amodra@gmail.com>2020-03-25 22:25:37 +1030
committerAlan Modra <amodra@gmail.com>2020-03-25 22:31:07 +1030
commit4c83662712f80abe9a7d8ef645123347a9de7adb (patch)
tree69a20581d3c5783b3e51f0a959f0124a9b387ee2
parentaac88046e6cccf13fc408fc4e515aaf2548fe898 (diff)
readelf looping in process_archive
With a crafted "negative" ar_hdr.ar_size it is possible to make readelf loop. This patch catches the overflow in a file offset calculation. * readelf.c (process_archive): Prevent endless loop.
-rw-r--r--binutils/ChangeLog4
-rw-r--r--binutils/readelf.c6
2 files changed, 8 insertions, 2 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index accd265..2f551f1 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,7 @@
+2020-03-25 Alan Modra <amodra@gmail.com>
+
+ * readelf.c (process_archive): Prevent endless loop.
+
2020-03-24 H.J. Lu <hongjiu.lu@intel.com>
PR binutils/25708
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 1f0f492..9bc15e4 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -20505,11 +20505,13 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
{
free (name);
archive_file_offset = arch.next_arhdr_offset;
- arch.next_arhdr_offset += archive_file_size;
-
filedata->file_name = qualified_name;
if (! process_object (filedata))
ret = FALSE;
+ arch.next_arhdr_offset += archive_file_size;
+ /* Stop looping with "negative" archive_file_size. */
+ if (arch.next_arhdr_offset < archive_file_size)
+ break;
}
free (qualified_name);
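Review bot: The new `break` exits from inside the block, so the `free (qualified_name);` after the closing brace is skipped and the name buffer leaks on exactly the crafted-archive path this check targets. The check also does not set `ret`, so a wrapped member size ends processing with no diagnostic and no failure status of its own. Assuming the `break` leaves the member loop that starts above the hunk, and nothing after that loop frees the buffer again, the guard could read `if (arch.next_arhdr_offset < archive_file_size) { ret = FALSE; free (qualified_name); break; }`. The wraparound test is only reliable if both operands are unsigned and of the same width; their declarations are outside the hunk, so that is worth confirming.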