Limit bogus archive parsed_size

Archive element size is given by data in the archive, and thus is subject to attack by fuzzers. The only harm this allows is allocation of huge amounts of memory, but some systems don't handle that well. So limit archive element size to archive file size. * bfdio.c (bfd_get_file_size): Ignore bogus archive element sizes.
2024-11-24 10:35:12 +08:00 · 2020-02-25 12:48:43 +10:30 · 2020-02-25 12:48:43 +10:30 · b570b954bc
commit b570b954bc
parent 24a15046c0
2 changed files with 20 additions and 2 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,7 @@
+2020-02-26  Alan Modra  <amodra@gmail.com>
+
+	* bfdio.c (bfd_get_file_size): Ignore bogus archive element sizes.
+
 2020-02-25  H.J. Lu  <hongjiu.lu@intel.com>

 	PR binutils/25584
--- a/bfd/bfdio.c
+++ b/bfd/bfdio.c
@ -25,6 +25,7 @@
 #include <limits.h>
 #include "bfd.h"
 #include "libbfd.h"
+#include "aout/ar.h"

 #ifndef S_IXUSR
 #define S_IXUSR 0100    /* Execute by owner.  */
@ -460,11 +461,24 @@ DESCRIPTION
 ufile_ptr
 bfd_get_file_size (bfd *abfd)
 {
+  ufile_ptr file_size, archive_size = (ufile_ptr) -1;
+
  if (abfd->my_archive != NULL
      && !bfd_is_thin_archive (abfd->my_archive))
-    return arelt_size (abfd);
+    {
+      struct areltdata *adata = (struct areltdata *) abfd->arelt_data;
+      archive_size = adata->parsed_size;
+      /* If the archive is compressed we can't compare against file size.  */
+      if (memcmp (((struct ar_hdr *) adata->arch_header)->ar_fmag,
+		  "Z\012", 2) == 0)
+	return archive_size;
+      abfd = abfd->my_archive;
+    }

-  return bfd_get_size (abfd);
+  file_size = bfd_get_size (abfd);
+  if (archive_size < file_size)
+    return archive_size;
+  return file_size;
 }

 /*