[Bug tools/21299] heap-based buffer overflow in handle_gnu_hash (readelf.c)

mjw at redhat dot com sourceware-bugzilla@sourceware.org
Fri Mar 24 11:06:00 GMT 2017


Mark Wielaard <mjw at redhat dot com> changed:

           What    |Removed                     |Added
                 CC|                            |mjw at redhat dot com

--- Comment #1 from Mark Wielaard <mjw at redhat dot com> ---
Thanks, it was an off-by-one sanity check.

diff --git a/src/readelf.c b/src/readelf.c
index 8d96ba3..490b6d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, 
            if (maxlength < ++lengths[cnt])
-           if (inner > max_nsyms)
+           if (inner >= max_nsyms)
              goto invalid_data;
        while ((chain[inner++] & 1) == 0);

max_nsyms is the maximum number, but inner is a zero-based index.

You are receiving this mail because:
You are on the CC list for the bug.

More information about the Elfutils-devel mailing list