[PATCH] readelf: Fix overflow check in handle_sysv_hash64.

[PATCH] readelf: Fix overflow check in handle_sysv_hash64.

[Mark Wielaard]

[-- Attachment #1: Type: text/plain, Size: 1330 bytes --]

Since all values are 64bit, not 32bit as in other hashes, we need to
explicitly check for overflow.

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 src/ChangeLog | 4 ++++
 src/readelf.c | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index d3828d9..0819c1e 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2014-11-30  Mark Wielaard  <mjw@redhat.com>
+
+	* readelf.c (handle_sysv_hash64): Fix overflow check.
+
 2014-11-28  Mark Wielaard  <mjw@redhat.com>
 
 	* readelf.c (handle_relocs_rel): Don't reuse destshdr to store
diff --git a/src/readelf.c b/src/readelf.c
index 69ae5d0..89b1754 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3055,8 +3055,10 @@ handle_sysv_hash64 (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
   Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
   Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
 
-  uint64_t used_buf = (2ULL + nchain + nbucket) * sizeof (Elf64_Xword);
-  if (used_buf > data->d_size)
+  uint64_t maxwords = data->d_size / sizeof (Elf64_Xword);
+  if (maxwords < 2
+      || maxwords - 2 < nbucket
+      || maxwords - 2 - nbucket < nchain)
     goto invalid_data;
 
   Elf64_Xword *bucket = &((Elf64_Xword *) data->d_buf)[2];
-- 
1.9.3

Re: [PATCH] readelf: Fix overflow check in handle_sysv_hash64.

[Mark Wielaard]

[-- Attachment #1: Type: text/plain, Size: 310 bytes --]

On Sun, 2014-11-30 at 21:58 +0100, Mark Wielaard wrote:
> Since all values are 64bit, not 32bit as in other hashes, we need to
> explicitly check for overflow.
>
> +2014-11-30  Mark Wielaard  <mjw@redhat.com>
> +
> +	* readelf.c (handle_sysv_hash64): Fix overflow check.

I pushed this to master now.