commit: e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> AuthorDate: Sat Feb 11 06:54:49 2017 +0000 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> CommitDate: Sat Feb 11 06:54:49 2017 +0000 URL: https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=e577c5b7
scanelf: check range of hash bucket Make sure we don't walk off the end of the ELF with a corrupt hash table. URL: https://bugs.gentoo.org/608766 Reported-by: Agostino Sarubbo <ago <AT> gentoo.org> scanelf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scanelf.c b/scanelf.c index 79ce59c..70856f3 100644 --- a/scanelf.c +++ b/scanelf.c @@ -332,7 +332,8 @@ static void scanelf_file_get_symtabs(elfobj *elf, void **sym, void **str) if (!buckets[b]) \ continue; \ for (sym_idx = buckets[b], chained = 0; \ - sym_idx < nchains && sym_idx && chained <= nchains; \ + (sym_idx < nchains && sym_idx && chained <= nchains && \ + (void *)&chains[sym_idx] + sizeof(*chains) < elf->data_end); \ sym_idx = chains[sym_idx], ++chained) { \ if (max_sym_idx < sym_idx) \ max_sym_idx = sym_idx; \
