diff options
-rw-r--r-- | bfd/ChangeLog | 6 | ||||
-rw-r--r-- | bfd/archive64.c | 9 |
2 files changed, 14 insertions, 1 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog index ae30d7e..6958ed7 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2019-08-07 Alan Modra <amodra@gmail.com> + + PR 24644 + * archive64.c (_bfd_archive_64_bit_slurp_armap): Properly check + for overflow in expressions involving nsymz. + 2019-08-01 Ilia Diachkov <ilia.diachkov@optimitech.com> * elfnn-riscv.c (_bfd_riscv_relax_lui): Set lui relax safety area to diff --git a/bfd/archive64.c b/bfd/archive64.c index 42f6ed9..a2c628e 100644 --- a/bfd/archive64.c +++ b/bfd/archive64.c @@ -90,7 +90,14 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) ptrsize = 8 * nsymz; amt = carsym_size + stringsize + 1; - if (carsym_size < nsymz || ptrsize < nsymz || amt < nsymz) + if (/* Catch overflow in stringsize (and ptrsize) expression. */ + nsymz >= (bfd_size_type) -1 / 8 + || stringsize > parsed_size + /* Catch overflow in carsym_size expression. */ + || nsymz > (bfd_size_type) -1 / sizeof (carsym) + /* Catch overflow in amt expression. */ + || amt <= carsym_size + || amt <= stringsize) { bfd_set_error (bfd_error_malformed_archive); return FALSE; |