author | Mark Wielaard <mjw@redhat.com> | 2015-05-16 21:30:41 +0200 |
---|---|---|
committer | Mark Wielaard <mjw@redhat.com> | 2015-05-27 23:04:31 +0200 |
commit | bfb9a752c323b97bfcfb11f4f9dbf4ca25fe3c95 (patch) | |
tree | 933cb01b7ddedd67b62d76503a215f3d71f7607f /libelf | |
parent | 6f2e64a03bdf10d5b0ab730e58aedb8dfb76b6d8 (diff) | |
libelf: Fix possible unbounded stack usage in elf_getarsym.
The number of entries in the index can be large, don't use alloca to
read in temporary data, use malloc (and free after out).
Signed-off-by: Mark Wielaard <mjw@redhat.com>
Diffstat (limited to 'libelf')
-rw-r--r-- | libelf/ChangeLog | 5 | ||||
-rw-r--r-- | libelf/elf_getarsym.c | 14 |
2 files changed, 17 insertions, 2 deletions
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index ed2ddd88..17ab7406 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-16 Mark Wielaard <mjw@redhat.com>
+
+ * elf_getarsym.c (elf_getarsym): Allocate temporary file_date with
+ malloc, not alloca. Call free after out.
+
 2015-05-14 Mark Wielaard <mjw@redhat.com>
 * elf_update.c (write_file): Use posix_fallocate instead of
diff --git a/libelf/elf_getarsym.c b/libelf/elf_getarsym.c
index 40633aa8..4f2080a8 100644
--- a/libelf/elf_getarsym.c
+++ b/libelf/elf_getarsym.c
@@ -1,5 +1,5 @@
 /* Return symbol table of archive.
- Copyright (C) 1998-2000, 2002, 2005, 2009, 2012, 2014 Red Hat, Inc.
+ Copyright (C) 1998-2000, 2002, 2005, 2009, 2012, 2014, 2015 Red Hat, Inc.
 This file is part of elfutils. Written by Ulrich Drepper <drepper@redhat.com>, 1998.
@@ -106,6 +106,9 @@ elf_getarsym (elf, ptr)
 /* In case we find no index remember this for the next call. */
 elf->state.ar.ar_sym = (Elf_Arsym *) -1l;
+ /* We might have to allocate some temporary data for reading. */
+ void *temp_data = NULL;
+
 struct ar_hdr *index_hdr;
 if (elf->map_address == NULL)
 {
@@ -210,7 +213,13 @@ elf_getarsym (elf, ptr)
 if (elf->map_address == NULL)
 {
- file_data = alloca (sz);
+ temp_data = malloc (sz);
+ if (unlikely (temp_data == NULL))
+ {
+ __libelf_seterrno (ELF_E_NOMEM);
+ goto out;
+ }
+ file_data = temp_data;
 ar_sym_len += index_size - n * w;
 Elf_Arsym *newp = (Elf_Arsym *) realloc (elf->state.ar.ar_sym,
@@ -299,6 +308,7 @@ elf_getarsym (elf, ptr)
 result = elf->state.ar.ar_sym;
 out:
+ free (temp_data);
 rwlock_unlock (elf->lock);
 } |
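Review bot: The new `goto out` on malloc failure (third elf_getarsym.c hunk) appears to leave `elf->state.ar.ar_sym` pointing at a buffer that has not been filled in. The `realloc (elf->state.ar.ar_sym,` on the context line just below implies a heap allocation is already stored there at this point. If so, a later call could find a non-NULL cached index and return uninitialised entries, so the failure branch should release and reset it first, e.g. `free (elf->state.ar.ar_sym); elf->state.ar.ar_sym = NULL;` ahead of `__libelf_seterrno (ELF_E_NOMEM);`. The function body starts and ends outside this hunk, so confirm how `ar_sym` is assigned earlier and how the cached value is tested on re-entry. Separately, `sz` comes from the archive index and now sizes a heap request, so it is worth confirming outside the hunk that it is bounded by the index size.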
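Review bot: `free (temp_data);` at `out:` (last hunk) is only safe if no `goto out` can be taken from a point before the `void *temp_data = NULL;` declaration added in the earlier hunk. C permits a jump past an initialiser, and the pointer would then be indeterminate when it is freed. The code between the function entry and that declaration is outside these hunks, so this needs checking in the full file. A short comment at the label, such as `/* temp_data is NULL unless the non-mmap path allocated it. */`, would record why the unconditional free is correct.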