author | Mark Wielaard <mjw@redhat.com> | 2014-12-25 22:50:21 +0100 |
committer | Mark Wielaard <mjw@redhat.com> | 2015-01-12 22:02:46 +0100 |
commit | 68588d628a464698031323d8eb42a961c0846ba9 (patch) | |
tree | d8d60c63001038466bfb3a8035ee9204c4a63983 | |
parent | 8f2f5801a16626b56546f2c95be4c85a59c2e53a (diff) | |
libelf: ar_size cannot be negative. Fix max ar size.
Elf_Arhdr ar_size is loff_t, which is signed. Make sure it isn't negative.
When the parent start_offset is non-zero, maxsize should include it to
compensate for the ar offset.
Found with afl-fuzz.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
-rw-r--r-- | libelf/ChangeLog | 5 | ||||
-rw-r--r-- | libelf/elf_begin.c | 9 |
2 files changed, 13 insertions, 1 deletions
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 447c3546..f2b3f215 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-25 Mark Wielaard <mjw@redhat.com>
+
+	* elf_begin.c (__libelf_next_arhdr_wrlock): ar_size cannot be
+	negative. Include start_offset in maxsize.
+
 2014-12-28 Alexander Cherepanov <cherepan@mccme.ru>
 
 	* elf_begin.c (read_long_names): Don't miss '/' right after
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index cd3756cc..ae1e7124 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -921,9 +921,16 @@ __libelf_next_arhdr_wrlock (elf)
   INT_FIELD (ar_mode);
   INT_FIELD (ar_size);
 
+  if (elf_ar_hdr->ar_size < 0)
+    {
+      __libelf_seterrno (ELF_E_INVALID_ARCHIVE);
+      return -1;
+    }
+
   /* Truncated file? */
   size_t maxsize;
-  maxsize = elf->maximum_size - elf->state.ar.offset - sizeof (struct ar_hdr);
+  maxsize = (elf->start_offset + elf->maximum_size
+             - elf->state.ar.offset - sizeof (struct ar_hdr));
   if ((size_t) elf_ar_hdr->ar_size > maxsize)
     elf_ar_hdr->ar_size = maxsize;
 
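Review bot: The new `maxsize` expression in the elf_begin.c hunk is computed in `size_t` arithmetic, so if `elf->state.ar.offset + sizeof (struct ar_hdr)` ever exceeds `elf->start_offset + elf->maximum_size` the subtraction wraps to a huge value and the following `ar_size > maxsize` clamp can never fire, leaving the truncation check ineffective for exactly the short-file case it is meant to catch. I cannot see the start of `__libelf_next_arhdr_wrlock` (the function begins above and continues below the hunk), so a range check on the header position may already exist there; if it does not, the header-fits-in-file test should come before `maxsize` is derived rather than relying on the clamp. The negative `ar_size` rejection itself is correct and makes the later `(size_t)` cast safe. A comment on the `maxsize` line such as `/* start_offset is the archive's base within the underlying file; offset is absolute, so the base must be added back.  */` would explain why `start_offset` now appears in the formula.
```c
  /* … unchanged: INT_FIELD parsing and the ar_size < 0 check … */
  /* The header itself must lie inside the mapped archive before any
     size can be derived from it; otherwise the size_t subtraction
     below wraps and the truncation clamp never triggers.  */
  if (elf->state.ar.offset + sizeof (struct ar_hdr)
      > elf->start_offset + elf->maximum_size)
    {
      __libelf_seterrno (ELF_E_INVALID_ARCHIVE);
      return -1;
    }
  /* … unchanged: maxsize computation and ar_size clamp … */
```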