From: Mark Wielaard Date: Fri, 14 Nov 2014 16:05:08 +0000 (+0100) Subject: libelf: gelf_getnote check for offset overflow. X-Git-Tag: elfutils-0.161~88 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df2fe50346828e8229185d297ac803428c727d2a;p=thirdparty%2Felfutils.git libelf: gelf_getnote check for offset overflow. Signed-off-by: Mark Wielaard --- diff --git a/libelf/ChangeLog b/libelf/ChangeLog index 45e220d09..4fbe94c93 100644 --- a/libelf/ChangeLog +++ b/libelf/ChangeLog @@ -1,3 +1,7 @@ +2014-11-14 Mark Wielaard + + * gelf_getnote.c (gelf_getnote): Check offset overflow. + 2014-11-13 Mark Wielaard * elf_getdata.c (__libelf_set_rawdata_wrlock): Fix unsigned overflow diff --git a/libelf/gelf_getnote.c b/libelf/gelf_getnote.c index 1a3685533..8bb78c166 100644 --- a/libelf/gelf_getnote.c +++ b/libelf/gelf_getnote.c @@ -1,5 +1,5 @@ /* Get note information at the supplied offset. - Copyright (C) 2007 Red Hat, Inc. + Copyright (C) 2007, 2014 Red Hat, Inc. This file is part of elfutils. This file is free software; you can redistribute it and/or modify @@ -62,7 +62,8 @@ gelf_getnote (data, offset, result, name_offset, desc_offset) /* The data is already in the correct form. Just make sure the offset is OK. */ - if (unlikely (offset + sizeof (GElf_Nhdr) > data->d_size)) + if (unlikely (offset > data->d_size + || data->d_size - offset < sizeof (GElf_Nhdr))) { __libelf_seterrno (ELF_E_OFFSET_RANGE); offset = 0;
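Review bot: The rewritten bound in gelf_getnote (`offset > data->d_size || data->d_size - offset < sizeof (GElf_Nhdr)`) carries no comment saying why it is written as a subtraction, so a later cleanup could fold it back into the wrapping `offset + sizeof (GElf_Nhdr) > data->d_size` form. I would extend the existing comment above the `if`, for example `/* Compare by subtraction: offset + sizeof (GElf_Nhdr) can wrap for a huge offset and slip past the bound. */`. The function body starts before and continues past this hunk, so any later arithmetic that advances offset by sizes read from the note data is not visible here; if it exists, it presumably needs the same subtraction-style comparison. The visible diff touches only ChangeLog and gelf_getnote.c, so there is no regression test pinning the behaviour for an offset close to SIZE_MAX.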