https://bugzilla.redhat.com/show_bug.cgi?id=1085663

Reported-by: Florian Weimer <[email protected]>
Signed-off-by: Mark Wielaard <[email protected]>
---
 libdw/ChangeLog         |    5 +++++
 libdw/dwarf_begin_elf.c |    8 +++++++-
 2 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 1d9b9a3..e8f0eb8 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2014-04-09  Mark Wielaard  <[email protected]>
+
+       * dwarf_begin_elf.c (check_section): Check for unsigned overflow
+       before calling malloc to uncompress data.
+
 2014-03-03  Jan Kratochvil  <[email protected]>
 
        Fix abort() on missing section headers.
diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
index 79daeac..34ea373 100644
--- a/libdw/dwarf_begin_elf.c
+++ b/libdw/dwarf_begin_elf.c
@@ -1,5 +1,5 @@
 /* Create descriptor from ELF descriptor for processing file.
-   Copyright (C) 2002-2011 Red Hat, Inc.
+   Copyright (C) 2002-2011, 2014 Red Hat, Inc.
    This file is part of elfutils.
    Written by Ulrich Drepper <[email protected]>, 2002.
 
@@ -282,6 +282,12 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn 
*scn, bool inscngrp)
            memcpy (&size, data->d_buf + 4, sizeof size);
            size = be64toh (size);
 
+           /* Check for unsigned overflow so malloc always allocated
+              enough memory for both the Elf_Data header and the
+              uncompressed section data.  */
+           if (unlikely (sizeof (Elf_Data) + size < size))
+             break;
+
            Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
            if (unlikely (zdata == NULL))
              break;
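Review bot: The added guard `sizeof (Elf_Data) + size < size` only catches wraparound at the width of `size`, which appears to be a 64-bit value (it is filled by an 8-byte memcpy and passed through be64toh; its declaration is outside the hunk). On a host where size_t is 32 bits the sum is still evaluated in 64 bits, so a large size taken from the section data passes the check and is then truncated in the malloc argument, which could leave zdata smaller than the uncompressed data it is meant to hold. Comparing against the allocator's own limit covers both widths: `if (unlikely (size > SIZE_MAX - sizeof (Elf_Data))) break;`. check_section starts before and continues past this hunk, so the later uses of size and zdata should be checked against the same bound.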
-- 
1.7.1
