This is the mail archive of the
elfutils-devel@sourceware.org
mailing list for the elfutils project.
[PATCH] readelf: Fix off by one sanity check in handle_gnu_hash.
- From: Mark Wielaard <mark at klomp dot org>
- To: elfutils-devel at sourceware dot org
- Cc: Mark Wielaard <mark at klomp dot org>
- Date: Fri, 24 Mar 2017 12:15:02 +0100
- Subject: [PATCH] readelf: Fix off by one sanity check in handle_gnu_hash.
- Authentication-results: sourceware.org; auth=none
We sanity check to make sure we don't index outside the chain array
by testing inner > max_nsyms. But inner is a zero-based index, while
max_nsyms is the maximum number. Change the check to inner >= max_nsyms.
https://sourceware.org/bugzilla/show_bug.cgi?id=21299
Signed-off-by: Mark Wielaard <mark@klomp.org>
---
src/ChangeLog | 5 +++++
src/readelf.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 0601198..9dd76c0 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2017-03-24 Mark Wielaard <mjw@redhat.com>
+
+ * readelf.c (handle_gnu_hash): Check inner < max_nsyms before
+ indexing into chain array.
+
2017-02-16 Ulf Hermann <ulf.hermann@qt.io>
* addr2line.c: Include printversion.h
diff --git a/src/readelf.c b/src/readelf.c
index 8d96ba3..490b6d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
++nsyms;
if (maxlength < ++lengths[cnt])
++maxlength;
- if (inner > max_nsyms)
+ if (inner >= max_nsyms)
goto invalid_data;
}
while ((chain[inner++] & 1) == 0);
--
1.8.3.1