som: Don't loop forever reading symbol chains

	* som.c (som_bfd_count_ar_symbols): Error when file position
	of symbols on chains is not strictly increasing.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index acb545cd03cd43eeb50ab6d19fa99f1fc6e88516..75099e91b223bea037f33225bc9ae66616e07331 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,8 @@
+2020-01-14  Alan Modra  <amodra@gmail.com>
+
+       * som.c (som_bfd_count_ar_symbols): Error when file position
+       of symbols on chains is not strictly increasing.
+
 2020-01-14  Alan Modra  <amodra@gmail.com>
 
        * vms.h (VMS_DEBUG): Define as 0.

diff --git a/bfd/som.c b/bfd/som.c
index 779fd5d3883a1a5c87254bdaae10f5fcebb2d706..8e8960ed83f36db237fe5bb117243479b74e5127 100644 (file)
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -5892,8 +5892,8 @@ som_bfd_count_ar_symbols (bfd *abfd,
   /* Don't forget to initialize the counter!  */
   *count = 0;
 
-  /* Read in the hash table.  The has table is an array of 32bit file offsets
-     which point to the hash chains.  */
+  /* Read in the hash table.  The hash table is an array of 32-bit
+     file offsets which point to the hash chains.  */
   amt = (bfd_size_type) lst_header->hash_size * 4;
   if (bfd_bread ((void *) hash_table, amt, abfd) != amt)
     goto error_return;
@@ -5928,6 +5928,15 @@ som_bfd_count_ar_symbols (bfd *abfd,
          if (next_entry == 0)
            break;
 
+         /* Assume symbols on a chain are in increasing file offset
+            order.  Otherwise we can loop here with fuzzed input.  */
+         if (next_entry < hash_val + sizeof (ext_lst_symbol))
+           {
+             bfd_set_error (bfd_error_bad_value);
+             goto error_return;
+           }
+         hash_val = next_entry;
+
          /* Seek to the next symbol.  */
          if (bfd_seek (abfd, lst_filepos + next_entry, SEEK_SET) != 0)
            goto error_return;