readelf: Fix overflow check in handle_sysv_hash64.

Since all values are 64bit, not 32bit as in other hashes, we need to explicitly check for overflow. Signed-off-by: Mark Wielaard <mjw@redhat.com>
author: Mark Wielaard <mjw@redhat.com> 2014-11-30 21:03:57 +0100
committer: Mark Wielaard <mjw@redhat.com> 2014-12-04 14:47:43 +0100
commit: 0ed4f98a89fd465c25eb8ac2ef75c10a82f9c5e0 (patch)
tree: 32a8c3f4277bd1e94c74de143c4584b3707f8cbc /src/readelf.c
parent: 99581b6c837cc3fccb75fa75c4caeac8c5c3ec5b (diff)
download: android_external_elfutils-0ed4f98a89fd465c25eb8ac2ef75c10a82f9c5e0.tar.gz
android_external_elfutils-0ed4f98a89fd465c25eb8ac2ef75c10a82f9c5e0.tar.bz2
android_external_elfutils-0ed4f98a89fd465c25eb8ac2ef75c10a82f9c5e0.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/src/readelf.c b/src/readelf.c
index 69ae5d0d..89b17547 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3055,8 +3055,10 @@ handle_sysv_hash64 (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
   Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
   Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
 
-  uint64_t used_buf = (2ULL + nchain + nbucket) * sizeof (Elf64_Xword);
-  if (used_buf > data->d_size)
+  uint64_t maxwords = data->d_size / sizeof (Elf64_Xword);
+  if (maxwords < 2
+      || maxwords - 2 < nbucket
+      || maxwords - 2 - nbucket < nchain)
     goto invalid_data;
 
   Elf64_Xword *bucket = &((Elf64_Xword *) data->d_buf)[2];
author	Mark Wielaard <mjw@redhat.com>	2014-11-30 21:03:57 +0100
committer	Mark Wielaard <mjw@redhat.com>	2014-12-04 14:47:43 +0100
commit	0ed4f98a89fd465c25eb8ac2ef75c10a82f9c5e0 (patch)
tree	32a8c3f4277bd1e94c74de143c4584b3707f8cbc /src/readelf.c
parent	99581b6c837cc3fccb75fa75c4caeac8c5c3ec5b (diff)
download	android_external_elfutils-0ed4f98a89fd465c25eb8ac2ef75c10a82f9c5e0.tar.gz android_external_elfutils-0ed4f98a89fd465c25eb8ac2ef75c10a82f9c5e0.tar.bz2 android_external_elfutils-0ed4f98a89fd465c25eb8ac2ef75c10a82f9c5e0.zip