[PATCH] libio: Avoid ptrdiff_t overflow in IO_validate_vtable

[PATCH] libio: Avoid ptrdiff_t overflow in IO_validate_vtable

[Florian Weimer]

If the candidate pointer is sufficiently far away from
__start___libc_IO_vtables, the result might not fit into ptrdiff_t.

2018-06-19  Florian Weimer  <fweimer@redhat.com>

	* libio/libioP.h (IO_validate_vtable): Avoid ptrdiff_t overflow.

diff --git a/libio/libioP.h b/libio/libioP.h
index 8afe7032e3..df2633d858 100644
--- a/libio/libioP.h
+++ b/libio/libioP.h
@@ -830,8 +830,8 @@ IO_validate_vtable (const struct _IO_jump_t *vtable)
   /* Fast path: The vtable pointer is within the __libc_IO_vtables
      section.  */
   uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables;
-  const char *ptr = (const char *) vtable;
-  uintptr_t offset = ptr - __start___libc_IO_vtables;
+  uintptr_t ptr = (uintptr_t) vtable;
+  uintptr_t offset = ptr - (uintptr_t) __start___libc_IO_vtables;
   if (__glibc_unlikely (offset >= section_length))
     /* The vtable pointer is not in the expected section.  Use the
        slow path, which will terminate the process if necessary.  */

Re: [PATCH] libio: Avoid ptrdiff_t overflow in IO_validate_vtable

[Andreas Schwab]

On Jun 19 2018, Florian Weimer <fw@deneb.enyo.de> wrote:

> 	* libio/libioP.h (IO_validate_vtable): Avoid ptrdiff_t overflow.

Ok.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."