This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.



[PATCH] readelf: Fix overflow check in handle_sysv_hash64.


Since all values are 64bit, not 32bit as in other hashes, we need to
explicitly check for overflow.

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 src/ChangeLog | 4 ++++
 src/readelf.c | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index d3828d9..0819c1e 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2014-11-30  Mark Wielaard  <mjw@redhat.com>
+
+	* readelf.c (handle_sysv_hash64): Fix overflow check.
+
 2014-11-28  Mark Wielaard  <mjw@redhat.com>
 
 	* readelf.c (handle_relocs_rel): Don't reuse destshdr to store
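Review bot: the new entry `Fix overflow check.` does not say what changed in the check. Wording along the lines of "Check nbucket and nchain against d_size in words instead of computing a byte total that can overflow" would let a ChangeLog reader understand the fix without opening the diff.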
diff --git a/src/readelf.c b/src/readelf.c
index 69ae5d0..89b1754 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3055,8 +3055,10 @@ handle_sysv_hash64 (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
   Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
   Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
 
-  uint64_t used_buf = (2ULL + nchain + nbucket) * sizeof (Elf64_Xword);
-  if (used_buf > data->d_size)
+  uint64_t maxwords = data->d_size / sizeof (Elf64_Xword);
+  if (maxwords < 2
+      || maxwords - 2 < nbucket
+      || maxwords - 2 - nbucket < nchain)
     goto invalid_data;
 
   Elf64_Xword *bucket = &((Elf64_Xword *) data->d_buf)[2];
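Review bot: nbucket and nchain are loaded from data->d_buf[0] and [1] in the two context lines at the top of this hunk, before the new `maxwords < 2` test, so that clause cannot protect those two reads. If a d_size check of at least 2 * sizeof (Elf64_Xword) already sits above the hunk, the clause only keeps `maxwords - 2` from underflowing and a one-line comment saying so would help; if there is no such check, the size test should move above the two loads. A short comment noting that the comparison is done in words, by subtraction, because nbucket and nchain are full 64-bit values would also keep a later edit from reverting to the multiply form.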
-- 
1.9.3
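The wraparound the commit message refers to, as an added example that is not part of the patch or of elfutils: it runs the removed and the added form of the check side by side. `uint64_t` stands in for `Elf64_Xword`, and the function names and all section sizes and header words are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Pre-patch shape: the sum and the multiply are both done modulo 2^64. */
static int old_check_accepts(uint64_t d_size, uint64_t nbucket, uint64_t nchain)
{
    uint64_t used_buf = (2ULL + nchain + nbucket) * sizeof(uint64_t);
    return used_buf <= d_size;
}

/* Post-patch shape: divide once, then subtract only values known to fit. */
static int new_check_accepts(uint64_t d_size, uint64_t nbucket, uint64_t nchain)
{
    uint64_t maxwords = d_size / sizeof(uint64_t);
    return !(maxwords < 2
             || maxwords - 2 < nbucket
             || maxwords - 2 - nbucket < nchain);
}

struct hdr_case { const char *what; uint64_t d_size, nbucket, nchain; };
/* Constructed section sizes and header words, not taken from a real file. */
static const struct hdr_case cases[] = {
    { "well-formed, 10 words in 80 bytes", 80, 3, 5 },
    { "one word short",                    72, 3, 5 },
    { "truncated header",                   8, 0, 0 },
    { "multiply wraps (nbucket = 2^61)",   32, 1ULL << 61, 0 },
    { "sum wraps (nbucket = 2^64 - 1)",    32, UINT64_MAX, 1 },
};
enum { NCASES = sizeof cases / sizeof cases[0] };

/* Number of constructed cases the old check accepts but the new one rejects. */
static int count_wrongly_accepted(void)
{
    int n = 0;
    for (int i = 0; i < NCASES; i++)
        if (old_check_accepts(cases[i].d_size, cases[i].nbucket, cases[i].nchain)
            && !new_check_accepts(cases[i].d_size, cases[i].nbucket, cases[i].nchain))
            n++;
    return n;
}

int main(void)
{
    for (int i = 0; i < NCASES; i++)
        printf("%-36s old=%d new=%d\n", cases[i].what,
               old_check_accepts(cases[i].d_size, cases[i].nbucket, cases[i].nchain),
               new_check_accepts(cases[i].d_size, cases[i].nbucket, cases[i].nchain));
    printf("accepted only by the old check: %d\n", count_wrongly_accepted());
    return 0;
}
```

In both wrapping cases the byte total reduces to 16, which passes the old comparison against a 32-byte section.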

