From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mark Wielaard
To: elfutils-devel@sourceware.org
Cc: Mark Wielaard
Subject: [PATCH] libelf: Check compression ratio before trying to allocate output buffer.
Date: Fri, 24 Mar 2017 14:06:00 -0000
Message-Id: <1490364364-15085-1-git-send-email-mark@klomp.org>

The maximum compression factor (http://www.zlib.net/zlib_tech.html) is
1032:1. Add a sanity check for that before trying to allocate lots of
memory and trying to decompress lots of bogus data.

https://sourceware.org/bugzilla/show_bug.cgi?id=21301

Signed-off-by: Mark Wielaard
---
 libelf/ChangeLog      | 5 +++++
 libelf/elf_compress.c | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog index 8539cb5..35e5271 100644 --- a/libelf/ChangeLog +++ b/libelf/ChangeLog 
@@ -1,3 +1,8 @@ +2017-03-24 Mark Wielaard + + * elf_compress.c (__libelf_decompress): Check insane compression + ratios before trying to allocate output buffer. + 2016-10-11 Akihiko Odaki Mark Wielaard diff --git a/libelf/elf_compress.c b/libelf/elf_compress.c index dac0ac6..711be59 100644 --- a/libelf/elf_compress.c +++ b/libelf/elf_compress.c @@ -211,6 +211,15 @@ void * internal_function __libelf_decompress (void *buf_in, size_t size_in, size_t size_out) { + /* Catch highly unlikely compression ratios so we don't allocate + some giant amount of memory for nothing. The max compression + factor 1032:1 comes from http://www.zlib.net/zlib_tech.html */ + if (unlikely (size_out / 1032 > size_in)) + { + __libelf_seterrno (ELF_E_INVALID_DATA); + return NULL; + } + void *buf_out = malloc (size_out); if (unlikely (buf_out == NULL)) { -- 1.8.3.1
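Review bot: In the elf_compress.c hunk, the new guard `if (unlikely (size_out / 1032 > size_in))` still lets an empty input through: with size_in == 0 and any size_out below 1032 the division truncates to 0, the comparison is false, and the function goes on to `malloc (size_out)` for data that cannot exist. Consider rejecting size_in == 0 (with nonzero size_out) explicitly alongside the ratio test. Dividing size_out instead of multiplying size_in is the right way round, since it cannot overflow size_t; a short note saying so in the comment would keep a later cleanup from "simplifying" it into `size_in * 1032 < size_out`. The literal 1032 now appears in both the comment and the expression, and __libelf_decompress is named generically while the bound is specific to zlib's deflate, so a named constant (for example a hypothetical ZLIB_MAX_RATIO) would make that dependency visible if another compression type is ever routed through this function. Note also that this is a plausibility check and not a memory cap: a header whose claimed size is within 1032 times a large input still reaches the allocation, so callers that need a hard limit have to impose it separately.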