Since all values are 64-bit, not 32-bit as in the other hashes, we need to explicitly check for overflow.
Signed-off-by: Mark Wielaard <[email protected]>
---
src/ChangeLog | 4 ++++
src/readelf.c | 6 ++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index d3828d9..0819c1e 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2014-11-30 Mark Wielaard <[email protected]>
+
+ * readelf.c (handle_sysv_hash64): Fix overflow check.
+
 2014-11-28 Mark Wielaard <[email protected]>
 
 * readelf.c (handle_relocs_rel): Don't reuse destshdr to store
diff --git a/src/readelf.c b/src/readelf.c
index 69ae5d0..89b1754 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3055,8 +3055,10 @@ handle_sysv_hash64 (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
 Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
 Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
 
- uint64_t used_buf = (2ULL + nchain + nbucket) * sizeof (Elf64_Xword);
- if (used_buf > data->d_size)
+ uint64_t maxwords = data->d_size / sizeof (Elf64_Xword);
+ if (maxwords < 2
+ || maxwords - 2 < nbucket
+ || maxwords - 2 - nbucket < nchain)
 goto invalid_data;
 
 Elf64_Xword *bucket = &((Elf64_Xword *) data->d_buf)[2];
-- 
1.9.3
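Review bot: The `maxwords < 2` guard in the readelf.c hunk is evaluated only after `nbucket` and `nchain` have already been loaded from words 0 and 1 of `data->d_buf`, so for a section shorter than two Elf64_Xword those two reads precede the check that would reject it; unless an earlier test outside the hunk guarantees at least 16 bytes, a `if (data->d_size < 2 * sizeof (Elf64_Xword)) goto invalid_data;` belongs before the two loads. The stepwise comparison itself is sound and removes the wrap-around of the old `(2ULL + nchain + nbucket) * sizeof (Elf64_Xword)` product, but its shape is not obvious at a glance; a comment such as `/* Compare in words and subtract step by step so a huge nbucket or nchain cannot wrap the total.  */` above the `if` would save the next reader from re-deriving it. Note that `data->d_size / sizeof (Elf64_Xword)` silently discards a trailing partial word, which is the conservative direction. handle_sysv_hash64 starts and ends outside this hunk, so whether the header words are validated earlier cannot be seen here.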
