[PATCH 5/8] libctf: don't dereference out-of-bounds locations in the qualifier hashtab

Nick Alcock nick.alcock@oracle.com
Wed Mar 24 01:21:55 GMT 2021


isqualifier, which is used by ctf_lookup_by_name to figure out if a
given word in a type name is a qualifier, takes the address of a
possibly out-of-bounds location before checking its bounds.

In any reasonable compiler this will just lead to a harmless address
computation that is then discarded if out-of-bounds, but it's still
undefined behaviour and the sanitizer rightly complains.
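As an added illustration of the pattern the commit message describes (this is example code written here, not libctf's own isqualifier(), and its qualifier table and HASH_BASE constant are constructed for the example), the lookup below rejects an out-of-range index before any address into the table is formed, and also guards the `len == 0` case in which `s[len - 1]` would read before the buffer:

```c
#include <stddef.h>
#include <string.h>

/* Added example, not libctf's code: a minimal qualifier lookup in the
   style of isqualifier(), with the bounds check done BEFORE any address
   into the table is formed.  The qualifier table and HASH_BASE below are
   constructed for this example and do not reproduce libctf's qhash.  */

struct qual
{
  const char *q_name;
  size_t q_len;
};

/* Slot = last character + length - HASH_BASE.  With HASH_BASE 109:
     "volatile" -> 'e' (101) + 8 - 109 = 0
     "const"    -> 't' (116) + 5 - 109 = 12
     "restrict" -> 't' (116) + 8 - 109 = 15
   Unlisted slots are zero-filled (q_name NULL, q_len 0) and never match.  */
#define HASH_BASE 109

static const struct qual qhash[] = {
  [0]  = { "volatile", 8 },
  [12] = { "const", 5 },
  [15] = { "restrict", 8 },
};

#define QHASH_SIZE (sizeof (qhash) / sizeof (qhash[0]))

/* Return the table slot for the word (s, len), or -1 when the computed
   index lies outside the table.  Rejecting the index here, before
   &qhash[h] is ever formed, is what avoids the undefined behaviour.  */
long
qual_slot (const char *s, size_t len)
{
  if (len == 0)                    /* s[len - 1] would read before s */
    return -1;

  /* Cast through unsigned char: a plain char may be signed, and a
     high-bit byte would otherwise push h far negative.  */
  long h = (long) (unsigned char) s[len - 1] + (long) len - HASH_BASE;

  if (h < 0 || (size_t) h >= QHASH_SIZE)
    return -1;
  return h;
}

/* 1 if (s, len) names a qualifier in the table, else 0.  */
int
isqualifier_checked (const char *s, size_t len)
{
  long h = qual_slot (s, len);
  if (h < 0)
    return 0;

  const struct qual *qp = &qhash[h];   /* in bounds by construction */
  return (qp->q_name != NULL
          && len == qp->q_len
          && strncmp (qp->q_name, s, qp->q_len) == 0);
}
```

Words whose hash lands outside the table (`"zzzzzzzzzz"`, or any single short word) are rejected by `qual_slot` without the table ever being indexed; a word that lands on an occupied slot is still compared byte for byte, so a collision such as `"cxnst"` does not match.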

libctf/ChangeLog
2021-03-23  Nick Alcock  <nick.alcock@oracle.com>

	PR libctf/27628
	* ctf-lookup.c (isqualifier): Don't dereference out-of-bounds
	qhash values.
---
 libctf/ctf-lookup.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libctf/ctf-lookup.c b/libctf/ctf-lookup.c
index 9d1e6d8a4a2..e50c868c5b8 100644
--- a/libctf/ctf-lookup.c
+++ b/libctf/ctf-lookup.c
@@ -111,10 +111,13 @@ isqualifier (const char *s, size_t len)
   };
 
   int h = s[len - 1] + (int) len - 105;
+
+  if (h < 0 || (size_t) h >= sizeof (qhash) / sizeof (qhash[0]))
+    return 0;
+
   const struct qual *qp = &qhash[h];
 
-  return (h >= 0 && (size_t) h < sizeof (qhash) / sizeof (qhash[0])
-	  && (size_t) len == qp->q_len &&
+  return ((size_t) len == qp->q_len &&
 	  strncmp (qp->q_name, s, qp->q_len) == 0);
 }
 
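Review bot: the new range check on `h` covers the table index, but the read `s[len - 1]` on the line above it still happens before any check, so a zero-length `len` reads the byte before `s`. If every caller guarantees `len >= 1`, a comment or `assert (len > 0)` at the top of isqualifier would record that precondition; otherwise an early `if (len == 0) return 0;` ahead of the hash computation closes the remaining out-of-bounds read. Minor: with the check hoisted, `qp` is now used only in the return expression, so the intermediate pointer could be dropped in favour of `qhash[h].q_len` / `qhash[h].q_name`, though keeping it is fine for readability.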
-- 
2.31.0.253.gdec51257f3


