From: Mark Wielaard (mark at klomp dot org)
To: elfutils-devel@sourceware.org
Subject: [Bug libelf/24085] An Out of Memory problem was discovered in function in read_long_names in elf_begin.c in libelf
Date: Tue, 15 Jan 2019 14:09:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24085

Mark Wielaard changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mark at klomp dot org

--- Comment #2 from Mark Wielaard ---

I am not sure this is a real issue. The read_long_names code does the following:

  newp = (char *) malloc (len);
  if (newp != NULL)

And if it is NULL, NULL is returned, which is then interpreted as an error:

  /* No long name table although it is referenced.  The archive is broken.  */
  __libelf_seterrno (ELF_E_INVALID_ARCHIVE);
  return -1;

There are also checks that no more data is read than there is in the file, so if len is really big and malloc still succeeds that is also flagged as a corrupt file.

So, yeah, a malloc call might fail on an invalid file, but nothing bad will happen.

If you do feel it is an issue, we could move up the size checks, so no malloc is done at all if len is really weird and we know the malloc would probably fail anyway.
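The comment above suggests moving the size checks ahead of the malloc so that an absurd length field in a corrupt archive is rejected before the allocator is ever asked for it. The following is an added, self-contained illustration of that pattern; it is not libelf's read_long_names and not code from the elfutils project. The function names (read_long_names_checked, long_name_at, build_sample_image, the LONGNAMES_* codes) are this example's own, the archive image is constructed inline, and the table layout assumed is the GNU ar "//" member with names terminated by "/\n".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for the checked reader (names are this example's own). */
enum { LONGNAMES_OK = 0, LONGNAMES_INVALID = -1, LONGNAMES_NOMEM = -2 };

/*
 * Copy an archive long-name table out of an in-memory file image.
 *
 * file/file_len is the whole archive image; off and len are the table's
 * offset and declared size as parsed from the untrusted member header.
 * The bounds checks run BEFORE malloc, so a bogus len is rejected without
 * ever requesting that much memory. On success *out is a malloc'ed copy
 * in which every "/\n" separator has been rewritten as two NUL bytes, so
 * a "/<offset>" member name can be resolved as a plain C string.
 */
int read_long_names_checked(const unsigned char *file, size_t file_len,
                            size_t off, size_t len,
                            char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;

    /* A table must hold at least one "/\n" separator. */
    if (len < 2)
        return LONGNAMES_INVALID;
    /* Overflow-safe form of off + len <= file_len. */
    if (off > file_len || len > file_len - off)
        return LONGNAMES_INVALID;

    char *newp = malloc(len);
    if (newp == NULL)
        return LONGNAMES_NOMEM;
    memcpy(newp, file + off, len);

    /* Each name must end in "/\n"; anything else means a corrupt table. */
    size_t i = 0;
    while (i < len) {
        char *slash = memchr(newp + i, '/', len - i);
        if (slash == NULL || (size_t)(slash - newp) + 1 >= len
            || slash[1] != '\n') {
            free(newp);
            return LONGNAMES_INVALID;
        }
        slash[0] = '\0';
        slash[1] = '\0';
        i = (size_t)(slash - newp) + 2;
    }

    *out = newp;
    *out_len = len;
    return LONGNAMES_OK;
}

/* Resolve a "/<offset>" member name against the NUL-rewritten table;
   NULL if the offset is outside the table or the string is unterminated. */
const char *long_name_at(const char *table, size_t len, size_t off)
{
    if (off >= len || memchr(table + off, '\0', len - off) == NULL)
        return NULL;
    return table + off;
}

/* Constructed sample: a "//" table holding two long member names. */
static const char SAMPLE_TABLE[] = "libfoo.so.1/\nvery_long_member_name.o/\n";
#define SAMPLE_TABLE_LEN (sizeof SAMPLE_TABLE - 1)   /* 38 bytes */
#define SAMPLE_TABLE_OFF (8 + 60)                    /* magic + one header */

/* Build a minimal archive image: "!<arch>\n", a 60-byte header for the
   "//" member whose size field is the table length, then the table. */
static size_t build_sample_image(unsigned char *buf, size_t cap)
{
    char hdr[61];
    snprintf(hdr, sizeof hdr, "%-16s%-12s%-6s%-6s%-8s%-10zu`\n",
             "//", "0", "0", "0", "0", SAMPLE_TABLE_LEN);
    size_t total = SAMPLE_TABLE_OFF + SAMPLE_TABLE_LEN;
    if (total > cap)
        return 0;
    memcpy(buf, "!<arch>\n", 8);
    memcpy(buf + 8, hdr, 60);
    memcpy(buf + SAMPLE_TABLE_OFF, SAMPLE_TABLE, SAMPLE_TABLE_LEN);
    return total;
}

/* Well-formed image: the reader succeeds and both names resolve.
   Returns LONGNAMES_OK, the reader's error code, or 1 if a lookup failed. */
int demo_valid_table(void)
{
    unsigned char image[128];
    size_t image_len = build_sample_image(image, sizeof image);
    char *table;
    size_t table_len;
    int rc = read_long_names_checked(image, image_len, SAMPLE_TABLE_OFF,
                                     SAMPLE_TABLE_LEN, &table, &table_len);
    if (rc != LONGNAMES_OK)
        return rc;
    const char *n0 = long_name_at(table, table_len, 0);
    const char *n1 = long_name_at(table, table_len, 13);
    int ok = n0 && n1 && strcmp(n0, "libfoo.so.1") == 0
             && strcmp(n1, "very_long_member_name.o") == 0;
    free(table);
    return ok ? LONGNAMES_OK : 1;
}

/* Same image, but the size field claims more bytes than the file holds:
   rejected by the bounds check before malloc is reached. */
int demo_oversized_len(void)
{
    unsigned char image[128];
    size_t image_len = build_sample_image(image, sizeof image);
    char *table;
    size_t table_len;
    return read_long_names_checked(image, image_len, SAMPLE_TABLE_OFF,
                                   (size_t)-1, &table, &table_len);
}

int main(void)
{
    printf("valid table: %d\n", demo_valid_table());       /* 0 */
    printf("oversized len: %d\n", demo_oversized_len());   /* -1 */
    return 0;
}
```

Because the declared length is compared against the bytes actually present before any allocation, a corrupt size field yields ELF_E_INVALID_ARCHIVE-style rejection directly rather than a failed malloc that is then reported as the same error, which is the ordering the comment proposes.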