From: Mark Wielaard Date: Sun, 30 Nov 2014 20:03:57 +0000 (+0100) Subject: readelf: Fix overflow check in handle_sysv_hash64. X-Git-Tag: elfutils-0.161~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0ed4f98a89fd465c25eb8ac2ef75c10a82f9c5e0;p=thirdparty%2Felfutils.git readelf: Fix overflow check in handle_sysv_hash64. Since all values are 64bit, not 32bit as in other hashes, we need to explicitly check for overflow. Signed-off-by: Mark Wielaard
---
diff --git a/src/ChangeLog b/src/ChangeLog
index d3828d9cb..0819c1e1c 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2014-11-30 Mark Wielaard
+
+ * readelf.c (handle_sysv_hash64): Fix overflow check.
+
 2014-11-28 Mark Wielaard
 * readelf.c (handle_relocs_rel): Don't reuse destshdr to store
diff --git a/src/readelf.c b/src/readelf.c
index 69ae5d0d0..89b175470 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3055,8 +3055,10 @@ handle_sysv_hash64 (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
 Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
 Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
- uint64_t used_buf = (2ULL + nchain + nbucket) * sizeof (Elf64_Xword);
- if (used_buf > data->d_size)
+ uint64_t maxwords = data->d_size / sizeof (Elf64_Xword);
+ if (maxwords < 2
+ || maxwords - 2 < nbucket
+ || maxwords - 2 - nbucket < nchain)
 goto invalid_data;
 Elf64_Xword *bucket = &((Elf64_Xword *) data->d_buf)[2];
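Review bot: The three-part subtractive test added in handle_sysv_hash64 carries no comment explaining why it is written that way, so a later cleanup could fold it back into the additive form, which wraps for large 64-bit `nbucket`/`nchain` values. I would add above the `if`: `/* nbucket and nchain are 64-bit values read from the section; compare by subtraction so the sum cannot wrap. */`. Separately, the `maxwords < 2` guard sits after the context lines that already read `d_buf[0]` and `d_buf[1]`. The `invalid_data` label is defined outside the hunk, so presumably an earlier size check covers those reads, but that is worth confirming. The function body starts and ends outside this hunk.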