From patchwork Sun Mar 19 11:53:04 2023
X-Patchwork-Submitter: Alan Modra
X-Patchwork-Id: 71753
Date: Sun, 19 Mar 2023 22:23:04 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: XCOFF archive sanity check

XCOFF archive elements are in a linked list. Add a little more sanity checking. This of course doesn't stop the fuzzers finding a way to make a loop, but this check is cheap.

* coff-rs6000.c (_bfd_xcoff_openr_next_archived_file): Sanity check that next element isn't pointing back to the header.

diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c index 4b7b5d315df..735d434951e 100644 --- a/bfd/coff-rs6000.c +++ b/bfd/coff-rs6000.c @@ -1714,8 +1714,11 @@ _bfd_xcoff_openr_next_archived_file (bfd *archive, bfd *last_file) laststart -= SIZEOF_AR_HDR + arel->extra_size; } - /* Sanity check that we aren't pointing into the previous element. */ - if (filestart != 0 && filestart >= laststart && filestart < lastend) + /* Sanity check that we aren't pointing into the previous element, + or into the header. */ + if (filestart != 0 + && (filestart < SIZEOF_AR_FILE_HDR + || (filestart >= laststart && filestart < lastend))) { bfd_set_error (bfd_error_malformed_archive); return NULL; @@ -1747,8 +1750,11 @@ _bfd_xcoff_openr_next_archived_file (bfd *archive, bfd *last_file) laststart -= SIZEOF_AR_HDR_BIG + arel->extra_size; } - /* Sanity check that we aren't pointing into the previous element. */ - if (filestart != 0 && filestart >= laststart && filestart < lastend) + /* Sanity check that we aren't pointing into the previous element + or into the header. */ + if (filestart != 0 + && (filestart < SIZEOF_AR_FILE_HDR_BIG + || (filestart >= laststart && filestart < lastend))) { bfd_set_error (bfd_error_malformed_archive); return NULL;
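
Review bot: In the first hunk (the SIZEOF_AR_FILE_HDR path), the new condition rejects a `filestart` only when it lies inside the file header or inside the immediately preceding element, `filestart >= laststart && filestart < lastend`. An offset that is at least SIZEOF_AR_FILE_HDR but below `laststart` still passes, so a next-pointer aimed at any earlier member can still form a cycle, which the commit message concedes. If a stronger guarantee is wanted, bound the walk in this function (for example by rejecting a `filestart` that has already been returned, or by capping the number of members visited), and in any case have the comment say that this is a cheap partial check. The `filestart != 0` exemption would also benefit from a word in the comment on what 0 means at this point, since the visible lines do not say.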
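
Review bot: The second hunk (the SIZEOF_AR_FILE_HDR_BIG path) repeats the first hunk's condition verbatim apart from the header-size constant, so the two copies can drift apart on the next change. A small static helper that takes the header size, `laststart` and `lastend` and returns whether `filestart` is acceptable would keep both paths in step. The comment text already differs between the two hunks ("previous element, or into the header" here without the comma); make the wording identical in both places.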