From 626360da44457075f2d9026f0d1d356e5b75c002 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Mon, 3 Nov 2025 13:01:42 +1030
Subject: [PATCH] ctf-archive sanity checks

Existing code checks that the first uint64_t ctfa_magic field is available before reading but neglects to check that the last uint64_t ctfa_ctfs is available before reading it in ctf_arc_bufpreamble. ctf_arc_bufopen sets up a pointer to the struct ctf_archive in ctf_new_archive_internal. Extend the check to cover the entire struct.

PR 33548
PR 33549
* ctf-archive.c (ctf_arc_bufpreamble, ctf_arc_bufopen): Check that buffer contains at least an entire struct ctf_archive when accessing such a struct.
---
 libctf/ctf-archive.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libctf/ctf-archive.c b/libctf/ctf-archive.c
index 6c4595fcc84..63184e66244 100644
--- a/libctf/ctf-archive.c
+++ b/libctf/ctf-archive.c
@@ -395,7 +395,7 @@ const ctf_preamble_t *
 ctf_arc_bufpreamble (const ctf_sect_t *ctfsect)
 {
 if (ctfsect->cts_data != NULL
- && ctfsect->cts_size > sizeof (uint64_t)
+ && ctfsect->cts_size >= sizeof (struct ctf_archive)
 && (le64toh ((*(uint64_t *) ctfsect->cts_data)) == CTFA_MAGIC))
 {
 struct ctf_archive *arc = (struct ctf_archive *) ctfsect->cts_data;
@@ -418,7 +418,7 @@ ctf_arc_bufopen (const ctf_sect_t *ctfsect, const ctf_sect_t *symsect,
 ctf_dict_t *fp = NULL;
 
 if (ctfsect->cts_data != NULL
- && ctfsect->cts_size > sizeof (uint64_t)
+ && ctfsect->cts_size >= sizeof (struct ctf_archive)
 && (le64toh ((*(uint64_t *) ctfsect->cts_data)) == CTFA_MAGIC))
 {
 /* The archive is mmappable, so this operation is trivial.
-- 
2.47.3
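Review bot: The enlarged size check now covers every ctfa_* field, but the magic test on the line right after it still reads the buffer through `*(uint64_t *) ctfsect->cts_data`, which assumes an aligned uint64_t object at that address; nothing in the hunk shows where cts_data comes from, so for a caller-supplied buffer this may be a misaligned (undefined) access on strict-alignment targets, and the identical line is in the second hunk in ctf_arc_bufopen. Reading the magic through memcpy keeps the same acceptance rule while avoiding the cast: `uint64_t magic = 0; if (ctfsect->cts_size >= sizeof magic) memcpy (&magic, ctfsect->cts_data, sizeof magic);` placed before the `if`, with the condition comparing `le64toh (magic) == CTFA_MAGIC`. A one-line comment on the changed condition, `/* The whole archive header must be present before any ctfa_* field is read.  */`, would record why sizeof (struct ctf_archive) rather than the magic alone is required. Both enclosing functions continue past their hunks, so whether the offsets read from the header (e.g. ctfa_ctfs) are later range-checked against cts_size is not visible here.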