diff options
author | Mike Frysinger <vapier@gentoo.org> | 2024-01-25 00:19:50 -0500 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2024-01-25 00:19:50 -0500 |
commit | c1759f9bf28edb910208a7c7fbb4b373fe8b1297 (patch) | |
tree | 0eba80fa07f9ca8e09950582506c848e18cb1cda | |
parent | ar: switch from alloca to malloc (diff) | |
download | pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.tar.gz pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.tar.bz2 pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.zip |
scanelf: fix hashtable overflow checks
Make sure we use the right offset, and make sure the numbers to check
don't overflow themselves -- if nbuckets & nchains are 32-bit, and if
we multiply them by 4, we can easily overflow before we get a chance
to see if they will fit within the memory range.
Bug: https://bugs.gentoo.org/890028
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
-rw-r--r-- | scanelf.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -315,9 +315,9 @@ static void scanelf_file_get_symtabs(elfobj *elf, const void **sym, const void * Elf32_Word sym_idx; \ Elf32_Word chained; \ \ - if (!VALID_RANGE(elf, offset, nbuckets * 4)) \ + if (!VALID_RANGE(elf, hash_offset, nbuckets * (uint64_t)4)) \ goto corrupt_hash; \ - if (!VALID_RANGE(elf, offset, nchains * 4)) \ + if (!VALID_RANGE(elf, hash_offset, nchains * (uint64_t)4)) \ goto corrupt_hash; \ \ for (b = 0; b < nbuckets; ++b) { \ |