More fixes for memory access violations exposed by fuzzed binaries.

[thirdparty/binutils-gdb.git] / bfd / archive.c

diff --git a/bfd/archive.c b/bfd/archive.c
index 40a3395ba09be7cd60bc0220efa7b2ebe563e246..0ab4f6e103c293cd526498846548bbfe0e27aae9 100644 (file)
--- a/bfd/archive.c
+++ b/bfd/archive.c
@@ -1038,12 +1038,19 @@ do_slurp_coff_armap (bfd *abfd)
     }
 
   /* OK, build the carsyms.  */
-  for (i = 0; i < nsymz; i++)
+  for (i = 0; i < nsymz && stringsize > 0; i++)
     {
+      bfd_size_type len;
+
       rawptr = raw_armap + i;
       carsyms->file_offset = swap ((bfd_byte *) rawptr);
       carsyms->name = stringbase;
-      stringbase += strlen (stringbase) + 1;
+      /* PR 17512: file: 4a1d50c1.  */
+      len = strnlen (stringbase, stringsize);
+      if (len < stringsize)
+       len ++;
+      stringbase += len;
+      stringsize -= len;
       carsyms++;
     }
   *stringbase = 0;
@@ -1300,6 +1307,8 @@ _bfd_slurp_extended_name_table (bfd *abfd)
        {
        byebye:
          free (namedata);
+         bfd_ardata (abfd)->extended_names = NULL;
+         bfd_ardata (abfd)->extended_names_size = 0;
          return FALSE;
        }
 
@@ -1316,11 +1325,12 @@ _bfd_slurp_extended_name_table (bfd *abfd)
         text, the entries in the list are newline-padded, not null
         padded. In SVR4-style archives, the names also have a
         trailing '/'.  DOS/NT created archive often have \ in them
-        We'll fix all problems here..  */
+        We'll fix all problems here.  */
       {
        char *ext_names = bfd_ardata (abfd)->extended_names;
        char *temp = ext_names;
        char *limit = temp + namedata->parsed_size;
+
        for (; temp < limit; ++temp)
          {
            if (*temp == ARFMAG[1])