* [PATCH] libelf: ar_size cannot be negative. Fix max ar size.
@ 2014-12-25 22:28 Mark Wielaard
From: Mark Wielaard @ 2014-12-25 22:28 UTC (permalink / raw)
To: elfutils-devel
Elf_Arhdr ar_size is loff_t, which is signed. Make sure it isn't negative.
When the parent start_offset is non-zero, maxsize should include it to
compensate for the ar offset.
Found with afl-fuzz.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
libelf/ChangeLog | 5 +++++
libelf/elf_begin.c | 9 ++++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 3b88d03..6a1c925 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-25 Mark Wielaard <mjw@redhat.com>
+
+ * elf_begin.c (__libelf_next_arhdr_wrlock): ar_size cannot be
+ negative. Include start_offset in maxsize.
+
2014-12-18 Ulrich Drepper <drepper@gmail.com>
* Makefile.am: Suppress output of textrel_check command.
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index 30abe0b..947b0ed 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -924,9 +924,16 @@ __libelf_next_arhdr_wrlock (elf)
INT_FIELD (ar_mode);
INT_FIELD (ar_size);
+ if (elf_ar_hdr->ar_size < 0)
+ {
+ __libelf_seterrno (ELF_E_INVALID_ARCHIVE);
+ return -1;
+ }
+
/* Truncated file? */
size_t maxsize;
- maxsize = elf->maximum_size - elf->state.ar.offset - sizeof (struct ar_hdr);
+ maxsize = (elf->start_offset + elf->maximum_size
+ - elf->state.ar.offset - sizeof (struct ar_hdr));
if ((size_t) elf_ar_hdr->ar_size > maxsize)
elf_ar_hdr->ar_size = maxsize;
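Review bot: the new maxsize expression (`maxsize = (elf->start_offset + elf->maximum_size - elf->state.ar.offset - sizeof (struct ar_hdr));`) is unsigned size_t arithmetic, so if `elf->state.ar.offset + sizeof (struct ar_hdr)` can ever exceed `elf->start_offset + elf->maximum_size` (an archive header that itself runs past the end of the data), the subtraction wraps to a huge value and the clamp `if ((size_t) elf_ar_hdr->ar_size > maxsize)` right below no longer limits ar_size. If an earlier bounds check in __libelf_next_arhdr_wrlock already guarantees the header lies fully inside the file, a short comment above the computation stating that invariant would make the subtraction obviously safe; otherwise the same "header fits" condition should be checked before subtracting and rejected with __libelf_seterrno the way the negative ar_size case is. The ordering of the new `if (elf_ar_hdr->ar_size < 0)` check ahead of the `(size_t)` cast is right: a negative parsed size now fails with ELF_E_INVALID_ARCHIVE instead of becoming a very large unsigned size that the clamp would have to catch.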
--
1.8.3.1
* Re: [PATCH] libelf: ar_size cannot be negative. Fix max ar size.
@ 2015-01-12 21:04 Mark Wielaard
From: Mark Wielaard @ 2015-01-12 21:04 UTC (permalink / raw)
To: elfutils-devel
On Thu, 2014-12-25 at 23:28 +0100, Mark Wielaard wrote:
> Elf_Arhdr ar_size is loff_t, which is signed. Make sure it isn't negative.
> When the parent start_offset is non-zero maxsize should include it to
> compensate for ar offset.
I pushed this to master.