From: Mark Wielaard <mark@klomp.org>
Date: Fri, 24 Mar 2017 14:06:04 +0000 (+0100)
Subject: libelf: Check compression ratio before trying to allocate output buffer.
X-Git-Tag: elfutils-0.169~32
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8dcc4bf791469a32c3a09ebcc23b309bf75c795f;p=thirdparty%2Felfutils.git

libelf: Check compression ratio before trying to allocate output buffer.

The maximum compression factor (http://www.zlib.net/zlib_tech.html) is
1032:1. Add a sanity check for that before trying to allocate lots of
memory and trying to decompress lots of bogus data.

https://sourceware.org/bugzilla/show_bug.cgi?id=21301

Signed-off-by: Mark Wielaard <mark@klomp.org>
---

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 8539cb56f..35e5271d2 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2017-03-24  Mark Wielaard  <mark@klomp.org>
+
+	* elf_compress.c (__libelf_decompress): Check insane compression
+	ratios before trying to allocate output buffer.
+
 2016-10-11  Akihiko Odaki  <akihiko.odaki.4i@stu.hosei.ac.jp>
 	    Mark Wielaard  <mjw@redhat.com>
 
diff --git a/libelf/elf_compress.c b/libelf/elf_compress.c
index dac0ac6d0..711be591b 100644
--- a/libelf/elf_compress.c
+++ b/libelf/elf_compress.c
@@ -211,6 +211,15 @@ void *
 internal_function
 __libelf_decompress (void *buf_in, size_t size_in, size_t size_out)
 {
+  /* Catch highly unlikely compression ratios so we don't allocate
+     some giant amount of memory for nothing. The max compression
+     factor 1032:1 comes from http://www.zlib.net/zlib_tech.html  */
+  if (unlikely (size_out / 1032 > size_in))
+    {
+      __libelf_seterrno (ELF_E_INVALID_DATA);
+      return NULL;
+    }
+
   void *buf_out = malloc (size_out);
   if (unlikely (buf_out == NULL))
     {