We sanity check to make sure we don't index outside the chain array by testing inner > max_nsyms. But inner is a zero-based index, while max_nsyms is the maximum number. Change the check to inner >= max_nsyms.
https://sourceware.org/bugzilla/show_bug.cgi?id=21299 Signed-off-by: Mark Wielaard <m...@klomp.org> --- src/ChangeLog | 5 +++++ src/readelf.c | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/ChangeLog b/src/ChangeLog index 0601198..9dd76c0 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2017-03-24 Mark Wielaard <m...@redhat.com> + + * readelf.c (handle_gnu_hash): Check inner < max_nsyms before + indexing into chain array. + 2017-02-16 Ulf Hermann <ulf.herm...@qt.io> * addr2line.c: Include printversion.h diff --git a/src/readelf.c b/src/readelf.c index 8d96ba3..490b6d5 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx) ++nsyms; if (maxlength < ++lengths[cnt]) ++maxlength; - if (inner > max_nsyms) + if (inner >= max_nsyms) goto invalid_data; } while ((chain[inner++] & 1) == 0); -- 1.8.3.1
