This is the mail archive of the
elfutils-devel@sourceware.org
mailing list for the elfutils project.
[Bug tools/21299] heap-based buffer overflow in handle_gnu_hash (readelf.c)
- From: "mjw at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: elfutils-devel at sourceware dot org
- Date: Fri, 24 Mar 2017 11:06:45 +0000
- Subject: [Bug tools/21299] heap-based buffer overflow in handle_gnu_hash (readelf.c)
- Auto-submitted: auto-generated
- References: <bug-21299-10460@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=21299
Mark Wielaard <mjw at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mjw at redhat dot com
--- Comment #1 from Mark Wielaard <mjw at redhat dot com> ---
Thanks, it was an off-by-one sanity check.
diff --git a/src/readelf.c b/src/readelf.c
index 8d96ba3..490b6d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr,
++nsyms;
if (maxlength < ++lengths[cnt])
++maxlength;
- if (inner > max_nsyms)
+ if (inner >= max_nsyms)
goto invalid_data;
}
while ((chain[inner++] & 1) == 0);
max_nsyms is the maximum number, but inner is a zero-based index.
--
You are receiving this mail because:
You are on the CC list for the bug.