This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug tools/21299] heap-based buffer overflow in handle_gnu_hash (readelf.c)

From: "mjw at redhat dot com" <sourceware-bugzilla at sourceware dot org>
To: elfutils-devel at sourceware dot org
Date: Fri, 24 Mar 2017 11:06:45 +0000
Subject: [Bug tools/21299] heap-based buffer overflow in handle_gnu_hash (readelf.c)
Auto-submitted: auto-generated
References: <bug-21299-10460@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=21299

Mark Wielaard <mjw at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mjw at redhat dot com

--- Comment #1 from Mark Wielaard <mjw at redhat dot com> ---
Thanks, it was an off-by-one sanity check.

diff --git a/src/readelf.c b/src/readelf.c
index 8d96ba3..490b6d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, 
            ++nsyms;
            if (maxlength < ++lengths[cnt])
              ++maxlength;
-           if (inner > max_nsyms)
+           if (inner >= max_nsyms)
              goto invalid_data;
          }
        while ((chain[inner++] & 1) == 0);

max_nsyms is the maximum number, but inner is a zero-based index.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

References:
- [Bug tools/21299] New: heap-based buffer overflow in handle_gnu_hash (readelf.c)
  - From: ago at gentoo dot org

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]