Fix illegal memory access when parsing a corrupt PE format file.

PR 27795 * coff-rs6000.c (_bfd_xcoff_read_ar_hdr): Check for invalid name lengths.
2025-04-24 14:53:34 +08:00 · 2021-04-30 12:11:35 +01:00 · 2021-04-30 12:11:35 +01:00 · bceb87ef4d
commit bceb87ef4d
parent 5536f0cc62
2 changed files with 10 additions and 0 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,9 @@
+2021-04-30  Nick Clifton  <nickc@redhat.com>
+
+	PR 27795
+	* coff-rs6000.c (_bfd_xcoff_read_ar_hdr): Check for invalid name
+	lengths.
+
 2021-04-29  Nick Clifton  <nickc@redhat.com>

 	PR 27793
--- a/bfd/coff-rs6000.c
+++ b/bfd/coff-rs6000.c
@ -1619,6 +1619,8 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd)
 	return NULL;

      GET_VALUE_IN_FIELD (namlen, hdr.namlen, 10);
+      if (namlen > bfd_get_file_size (abfd))
+	return NULL;
      amt = sizeof (struct areltdata) + SIZEOF_AR_HDR + namlen + 1;
      ret = (struct areltdata *) bfd_malloc (amt);
      if (ret == NULL)
@ -1646,6 +1648,8 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd)
 	return NULL;

      GET_VALUE_IN_FIELD (namlen, hdr.namlen, 10);
+      if (namlen > bfd_get_file_size (abfd))
+	return NULL;
      amt = sizeof (struct areltdata) + SIZEOF_AR_HDR_BIG + namlen + 1;
      ret = (struct areltdata *) bfd_malloc (amt);
      if (ret == NULL)