PR24644, OOM-Bug in _bfd_archive_64_bit_slurp_armap

	PR 24644
	* archive64.c (_bfd_archive_64_bit_slurp_armap): Properly check
	for overflow in expressions involving nsymz.

2 files changed, 14 insertions, 1 deletions

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index ae30d7e..6958ed7 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2019-08-07  Alan Modra  <amodra@gmail.com>
+
+	PR 24644
+	* archive64.c (_bfd_archive_64_bit_slurp_armap): Properly check
+	for overflow in expressions involving nsymz.
+
 2019-08-01  Ilia Diachkov  <ilia.diachkov@optimitech.com>
 
 	* elfnn-riscv.c (_bfd_riscv_relax_lui): Set lui relax safety area to
diff --git a/bfd/archive64.c b/bfd/archive64.c
index 42f6ed9..a2c628e 100644
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -90,7 +90,14 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
   ptrsize = 8 * nsymz;
 
   amt = carsym_size + stringsize + 1;
-  if (carsym_size < nsymz || ptrsize < nsymz || amt < nsymz)
+  if (/* Catch overflow in stringsize (and ptrsize) expression.  */
+      nsymz >= (bfd_size_type) -1 / 8
+      || stringsize > parsed_size
+      /* Catch overflow in carsym_size expression.  */
+      || nsymz > (bfd_size_type) -1 / sizeof (carsym)
+      /* Catch overflow in amt expression.  */
+      || amt <= carsym_size
+      || amt <= stringsize)
     {
       bfd_set_error (bfd_error_malformed_archive);
       return FALSE;