[Bug libelf/21301] memory allocation failure in __libelf_decompress

mjw at redhat dot com sourceware-bugzilla@sourceware.org
Fri Mar 24 13:53:00 GMT 2017


Mark Wielaard <mjw at redhat dot com> changed:

           What    |Removed                     |Added
                 CC|                            |mjw at redhat dot com

--- Comment #1 from Mark Wielaard <mjw at redhat dot com> ---
That is slightly tricky. We do have to trust the input data to give us the
expected output size. We won't know if that was correct till we decompressed
the input. We do actually double check the given output size was correct at the
end of the decompression. But we could catch some really bogus sizes before
trying to allocate a giant amount of memory and decompressing stuff for nothing
(like in this case).

diff --git a/libelf/elf_compress.c b/libelf/elf_compress.c
index dac0ac6..711be59 100644
--- a/libelf/elf_compress.c
+++ b/libelf/elf_compress.c
@@ -211,6 +211,15 @@ void *
 __libelf_decompress (void *buf_in, size_t size_in, size_t size_out)
+  /* Catch highly unlikely compression ratios so we don't allocate
+     some giant amount of memory for nothing. The max compression
+     factor 1032:1 comes from http://www.zlib.net/zlib_tech.html  */
+  if (unlikely (size_out / 1032 > size_in))
+    {
+      __libelf_seterrno (ELF_E_INVALID_DATA);
+      return NULL;
+    }
   void *buf_out = malloc (size_out);
   if (unlikely (buf_out == NULL))

You are receiving this mail because:
You are on the CC list for the bug.

More information about the Elfutils-devel mailing list