commit:     c1759f9bf28edb910208a7c7fbb4b373fe8b1297
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 25 05:19:50 2024 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Jan 25 05:19:50 2024 +0000
URL:        https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=c1759f9b

scanelf: fix hashtable overflow checks

Make sure we use the right offset, and make sure the numbers to check
don't overflow themselves -- if nbuckets & nchains are 32-bit, and if
we multiply them by 4, we can easily overflow before we get a chance
to see if they will fit within the memory range.

Bug: https://bugs.gentoo.org/890028
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>

 scanelf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scanelf.c b/scanelf.c
index 140208b..0ee1bad 100644
--- a/scanelf.c
+++ b/scanelf.c
@@ -315,9 +315,9 @@ static void scanelf_file_get_symtabs(elfobj *elf, const 
void **sym, const void *
                        Elf32_Word sym_idx; \
                        Elf32_Word chained; \
                        \
-                       if (!VALID_RANGE(elf, offset, nbuckets * 4)) \
+                       if (!VALID_RANGE(elf, hash_offset, nbuckets * 
(uint64_t)4)) \
                                goto corrupt_hash; \
-                       if (!VALID_RANGE(elf, offset, nchains * 4)) \
+                       if (!VALID_RANGE(elf, hash_offset, nchains * 
(uint64_t)4)) \
                                goto corrupt_hash; \
                        \
                        for (b = 0; b < nbuckets; ++b) { \
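Review bot: Both new checks start at `hash_offset` and test the bucket and chain sizes separately, so together they only show that the larger of the two arrays fits, not that both do. If the chain array sits directly after the bucket array, as in the standard SysV hash layout (the pointer declarations are above this hunk, so this is inferred), a file whose `nbuckets` and `nchains` each pass alone can still put the end of the chains beyond the mapped data, and the walk that begins at the `for` loop could read past it. A single check over the combined extent would close that gap: `if (!VALID_RANGE(elf, hash_offset, ((uint64_t)nbuckets + nchains + 2) * 4)) goto corrupt_hash;`, where the `+ 2` covers the two header words if `hash_offset` points at the start of the table. The enclosing macro begins and ends outside the hunk, so it is worth confirming there that VALID_RANGE takes its length as a 64-bit value and does not truncate the widened product again.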
