From: Mark Wielaard
Date: Tue, 18 Nov 2014 08:56:01 +0000 (+0100)
Subject: libelf: Check for overflow in version_xlate elf_cvt_Verdef and elf_cvt_Verneed.
X-Git-Tag: elfutils-0.161~78
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9b5fa6b59461896bb64e339174f8b38562164c2f;p=thirdparty%2Felfutils.git
libelf: Check for overflow in version_xlate elf_cvt_Verdef and elf_cvt_Verneed.
Signed-off-by: Mark Wielaard
---
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 9ae24a9be..c7e8d307f 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2014-11-18 Mark Wielaard
+
+ * version_xlate.h (elf_cvt_Verdef): Check for overflow.
+ (elf_cvt_Verneed): Likewise.
+
 2014-11-17 Mark Wielaard
 * elf-knowledge.h (SECTION_STRIP_P): Check name is not NULL.
diff --git a/libelf/version_xlate.h b/libelf/version_xlate.h
index 935f77ab0..16eaa19cd 100644
--- a/libelf/version_xlate.h
+++ b/libelf/version_xlate.h
@@ -61,7 +61,7 @@ elf_cvt_Verdef (void *dest, const void *src, size_t len, int encode)
 GElf_Verdaux *asrc;
 /* Test for correct offset. */
- if (def_offset + sizeof (GElf_Verdef) > len)
+ if (def_offset > len || len - def_offset < sizeof (GElf_Verdef))
 return;
 /* Work the tree from the first record. */
@@ -90,7 +90,7 @@ elf_cvt_Verdef (void *dest, const void *src, size_t len, int encode)
 GElf_Verdaux *adest;
 /* Test for correct offset. */
- if (aux_offset + sizeof (GElf_Verdaux) > len)
+ if (aux_offset > len || len - aux_offset < sizeof (GElf_Verdaux))
 return;
 adest = (GElf_Verdaux *) ((char *) dest + aux_offset);
@@ -155,7 +155,7 @@ elf_cvt_Verneed (void *dest, const void *src, size_t len, int encode)
 GElf_Vernaux *asrc;
 /* Test for correct offset. */
- if (need_offset + sizeof (GElf_Verneed) > len)
+ if (need_offset > len || len - need_offset < sizeof (GElf_Verneed))
 return;
 /* Work the tree from the first record. */
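Review bot: The `return;` after the rewritten test in the first elf_cvt_Verdef hunk abandons the conversion without telling the caller, so a section whose offsets run past `len` leaves everything from `def_offset` onward in `dest` untranslated. The start of the function lies outside this hunk; if nothing there pre-fills `dest`, those bytes may be whatever the buffer held before, and copying the input first with `if (dest != src) memmove (dest, src, len);` would at least make them defined. The same holds for the other three early returns touched by this commit (the aux test in elf_cvt_Verdef and both tests in elf_cvt_Verneed).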
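Review bot: The cast `adest = (GElf_Verdaux *) ((char *) dest + aux_offset);` right after the new test in the second elf_cvt_Verdef hunk is reached for any in-range `aux_offset`, including one that is not suitably aligned for `GElf_Verdaux`; the test covers bounds only. `aux_offset` appears to be built from fields read out of the section (that code is outside the hunk), so a malformed file could lead to a misaligned struct access, which is undefined behaviour and can trap on strict-alignment targets. Extending the condition with `|| (aux_offset & (__alignof__ (GElf_Verdaux) - 1)) != 0` would reject such records; the `GElf_Vernaux` cast in the last elf_cvt_Verneed hunk has the same gap, and presumably the casts that follow the other two tests do too.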
@@ -182,7 +182,7 @@ elf_cvt_Verneed (void *dest, const void *src, size_t len, int encode)
 GElf_Vernaux *adest;
 /* Test for correct offset. */
- if (aux_offset + sizeof (GElf_Vernaux) > len)
+ if (aux_offset > len || len - aux_offset < sizeof (GElf_Vernaux))
 return;
 adest = (GElf_Vernaux *) ((char *) dest + aux_offset);
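Review bot: The comment `/* Test for correct offset. */` above the rewritten condition no longer says why the test has this shape, and the subtraction form invites a later "simplification" back to `aux_offset + sizeof (GElf_Vernaux) > len`, which is the wrapping form this commit removes. I would reword it as `/* Test for correct offset; subtract instead of add so a huge offset cannot wrap around and pass. */`. The same comment sits above the three earlier tests in this commit and could be updated the same way.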