aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Frysinger <vapier@gentoo.org>2024-01-25 00:19:50 -0500
committerMike Frysinger <vapier@gentoo.org>2024-01-25 00:19:50 -0500
commitc1759f9bf28edb910208a7c7fbb4b373fe8b1297 (patch)
tree0eba80fa07f9ca8e09950582506c848e18cb1cda
parentar: switch from alloca to malloc (diff)
downloadpax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.tar.gz
pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.tar.bz2
pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.zip
scanelf: fix hashtable overflow checks
Make sure we use the right offset, and make sure the numbers to check don't overflow themselves -- if nbuckets & nchains are 32-bit, and if we multiply them by 4, we can easily overflow before we get a chance to see if they will fit within the memory range. Bug: https://bugs.gentoo.org/890028 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
-rw-r--r--scanelf.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/scanelf.c b/scanelf.c
index 140208b..0ee1bad 100644
--- a/scanelf.c
+++ b/scanelf.c
@@ -315,9 +315,9 @@ static void scanelf_file_get_symtabs(elfobj *elf, const void **sym, const void *
Elf32_Word sym_idx; \
Elf32_Word chained; \
\
- if (!VALID_RANGE(elf, offset, nbuckets * 4)) \
+ if (!VALID_RANGE(elf, hash_offset, nbuckets * (uint64_t)4)) \
goto corrupt_hash; \
- if (!VALID_RANGE(elf, offset, nchains * 4)) \
+ if (!VALID_RANGE(elf, hash_offset, nchains * (uint64_t)4)) \
goto corrupt_hash; \
\
for (b = 0; b < nbuckets; ++b) { \