authorMike Frysinger <vapier@gentoo.org>2017-02-11 01:54:49 -0500
committerMike Frysinger <vapier@gentoo.org>2017-02-11 01:54:49 -0500
commite577c5b7e230c52e5fc4fa40e4e9014c634b3c1d (patch)
tree9e87f278aa5d0109c804a078ba1bb78d1e4af140
parentdumpelf: check for invalid notes (diff)
scanelf: check range of hash bucket
Make sure we don't walk off the end of the ELF with a corrupt hash table. URL: https://bugs.gentoo.org/608766 Reported-by: Agostino Sarubbo <ago@gentoo.org>
-rw-r--r--scanelf.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/scanelf.c b/scanelf.c
index 79ce59c..70856f3 100644
--- a/scanelf.c
+++ b/scanelf.c
@@ -332,7 +332,8 @@ static void scanelf_file_get_symtabs(elfobj *elf, void **sym, void **str)
if (!buckets[b]) \
continue; \
for (sym_idx = buckets[b], chained = 0; \
- sym_idx < nchains && sym_idx && chained <= nchains; \
+ (sym_idx < nchains && sym_idx && chained <= nchains && \
+ (void *)&chains[sym_idx] + sizeof(*chains) < elf->data_end); \
sym_idx = chains[sym_idx], ++chained) { \
if (max_sym_idx < sym_idx) \
max_sym_idx = sym_idx; \
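Review bot: The added bound in the `for` condition forms `&chains[sym_idx]` before comparing it with `elf->data_end`, so with a corrupt `nchains` the address is computed out of range first (and may wrap), and the `void *` arithmetic is a GNU extension. An index-based limit computed once before the bucket loop avoids both, e.g. `size_t max_chains = (size_t)((char *)elf->data_end - (char *)chains) / sizeof(*chains);` followed by `if (nchains > max_chains) nchains = max_chains;`, assuming `chains` has already been checked to lie below `data_end`. The `buckets[b]` reads on the first and third lines of the hunk are not covered by this check; whether `nbuckets` is validated against the file size is not visible here. If `data_end` is one past the last mapped byte, `<` also rejects an entry that ends exactly at the end of the file, where `<=` would accept it. The macro body starts and ends outside the hunk.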