diff options
| author | Nick Clifton <nickc@redhat.com> | 2014-11-04 13:15:37 +0000 |
|---|---|---|
| committer | Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com> | 2015-02-26 17:43:40 -0300 |
| commit | fd9d073e3c0205fc89d48fe7916ba373ba2e20a7 (patch) | |
| tree | 90098525e295a5dd28232c3a8fdf885154174431 | |
| parent | cd3813a8c9e59ccba0c42f5e3664465428e0e89c (diff) | |
| download | binutils-gdb-fd9d073e3c0205fc89d48fe7916ba373ba2e20a7.tar.gz | |
Fix a seg-fault triggered by reading a mal-formed archive.
PR binutils/17533
* archive.c (_bfd_slurp_extended_name_table): Handle archives with
corrupt extended name tables.
| -rw-r--r-- | bfd/ChangeLog | 6 | ||||
| -rw-r--r-- | bfd/archive.c | 9 |
2 files changed, 13 insertions, 2 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 3509da7db11..831b3932a48 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2014-11-04 Nick Clifton <nickc@redhat.com> + + PR binutils/17533 + * archive.c (_bfd_slurp_extended_name_table): Handle archives with + corrupt extended name tables. + 2015-01-22 Thomas Preud'homme <thomas.preudhomme@arm.com> Backport from mainline diff --git a/bfd/archive.c b/bfd/archive.c index 32b07a718a2..05a25dbc707 100644 --- a/bfd/archive.c +++ b/bfd/archive.c @@ -1292,6 +1292,9 @@ _bfd_slurp_extended_name_table (bfd *abfd) amt = namedata->parsed_size; if (amt + 1 == 0) goto byebye; + /* PR binutils/17533: A corrupt archive can contain an invalid size. */ + if (amt > (bfd_size_type) bfd_get_size (abfd)) + goto byebye; bfd_ardata (abfd)->extended_names_size = amt; bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1); @@ -1299,6 +1302,8 @@ _bfd_slurp_extended_name_table (bfd *abfd) { byebye: free (namedata); + bfd_ardata (abfd)->extended_names = NULL; + bfd_ardata (abfd)->extended_names_size = 0; return FALSE; } @@ -1307,7 +1312,6 @@ _bfd_slurp_extended_name_table (bfd *abfd) if (bfd_get_error () != bfd_error_system_call) bfd_set_error (bfd_error_malformed_archive); bfd_release (abfd, (bfd_ardata (abfd)->extended_names)); - bfd_ardata (abfd)->extended_names = NULL; goto byebye; } @@ -1315,11 +1319,12 @@ _bfd_slurp_extended_name_table (bfd *abfd) text, the entries in the list are newline-padded, not null padded. In SVR4-style archives, the names also have a trailing '/'. DOS/NT created archive often have \ in them - We'll fix all problems here.. */ + We'll fix all problems here. */ { char *ext_names = bfd_ardata (abfd)->extended_names; char *temp = ext_names; char *limit = temp + namedata->parsed_size; + for (; temp < limit; ++temp) { if (*temp == ARFMAG[1]) |