The sanity checks for how many words were needed in the section could overflow causing errors. Fix the checks.
https://sourceware.org/bugzilla/show_bug.cgi?id=23542 Signed-off-by: Mark Wielaard <m...@klomp.org> --- src/ChangeLog | 7 +++++++ src/elflint.c | 7 +++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index a01bd756..8c89f83d 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,10 @@ +2018-08-18 Mark Wielaard <m...@klomp.org> + + * elflint.c (check_sysv_hash): Calculate needed size using unsigned + long long int to prevent overflow. + (check_sysv_hash64): Calculate maxwords used separately before + comparison to prevent overflow. + 2018-07-24 Mark Wielaard <m...@klomp.org> * unstrip.c (compare_unalloc_sections): Also compare sh_size. diff --git a/src/elflint.c b/src/elflint.c index eec799b2..90e8fed4 100644 --- a/src/elflint.c +++ b/src/elflint.c @@ -2023,7 +2023,7 @@ check_sysv_hash (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx, Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0]; Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1]; - if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf32_Word)) + if (shdr->sh_size < (2ULL + nbucket + nchain) * sizeof (Elf32_Word)) { ERROR (gettext ("\ section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"), @@ -2077,7 +2077,10 @@ check_sysv_hash64 (Ebl *ebl, GElf_Shdr *shdr, Elf_Data *data, int idx, Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0]; Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1]; - if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf64_Xword)) + uint64_t maxwords = shdr->sh_size / sizeof (Elf64_Xword); + if (maxwords < 2 + || maxwords - 2 < nbucket + || maxwords - 2 - nbucket < nchain) { ERROR (gettext ("\ section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"), -- 2.18.0
