The maximum compression factor (http://www.zlib.net/zlib_tech.html) is 1032:1. Add a sanity check for that before trying to allocate lots of memory and trying to decompress lots of bogus data.
https://sourceware.org/bugzilla/show_bug.cgi?id=21301 Signed-off-by: Mark Wielaard <m...@klomp.org> --- libelf/ChangeLog | 5 +++++ libelf/elf_compress.c | 9 +++++++++ 2 files changed, 14 insertions(+) diff --git a/libelf/ChangeLog b/libelf/ChangeLog index 8539cb5..35e5271 100644 --- a/libelf/ChangeLog +++ b/libelf/ChangeLog @@ -1,3 +1,8 @@ +2017-03-24 Mark Wielaard <m...@klomp.org> + + * elf_compress.c (__libelf_decompress): Check insane compression + ratios before trying to allocate output buffer. + 2016-10-11 Akihiko Odaki <akihiko.odaki...@stu.hosei.ac.jp> Mark Wielaard <m...@redhat.com> diff --git a/libelf/elf_compress.c b/libelf/elf_compress.c index dac0ac6..711be59 100644 --- a/libelf/elf_compress.c +++ b/libelf/elf_compress.c @@ -211,6 +211,15 @@ void * internal_function __libelf_decompress (void *buf_in, size_t size_in, size_t size_out) { + /* Catch highly unlikely compression ratios so we don't allocate + some giant amount of memory for nothing. The max compression + factor 1032:1 comes from http://www.zlib.net/zlib_tech.html */ + if (unlikely (size_out / 1032 > size_in)) + { + __libelf_seterrno (ELF_E_INVALID_DATA); + return NULL; + } + void *buf_out = malloc (size_out); if (unlikely (buf_out == NULL)) { -- 1.8.3.1
