libelf: ar_size cannot be negative. Fix max ar size.

Elf_Arhdr ar_size is loff_t, which is signed. Make sure it isn't negative.
When the parent start_offset is non-zero maxsize should include it to
compensate for ar offset.

Found with afl-fuzz.

Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 447c35465c132e5232ef7d3a1f7806def4716d3b..f2b3f2151d727daaac5199fadcbe444cc8e1a0fc 100644 (file)
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-25  Mark Wielaard  <mjw@redhat.com>
+
+       * elf_begin.c (__libelf_next_arhdr_wrlock): ar_size cannot be
+       negative. Include start_offset in maxsize.
+
 2014-12-28  Alexander Cherepanov  <cherepan@mccme.ru>
 
        * elf_begin.c (read_long_names): Don't miss '/' right after

diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index cd3756ccb2c9c7464f69afb7fd0ecf079c00ed86..ae1e7124a6a1349b31288bab9736564007276554 100644 (file)
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -921,9 +921,16 @@ __libelf_next_arhdr_wrlock (elf)
   INT_FIELD (ar_mode);
   INT_FIELD (ar_size);
 
+  if (elf_ar_hdr->ar_size < 0)
+    {
+      __libelf_seterrno (ELF_E_INVALID_ARCHIVE);
+      return -1;
+    }
+
   /* Truncated file?  */
   size_t maxsize;
-  maxsize = elf->maximum_size - elf->state.ar.offset - sizeof (struct ar_hdr);
+  maxsize = (elf->start_offset + elf->maximum_size
+            - elf->state.ar.offset - sizeof (struct ar_hdr));
   if ((size_t) elf_ar_hdr->ar_size > maxsize)
     elf_ar_hdr->ar_size = maxsize;