scanelf: fix hashtable overflow checks

Make sure we use the right offset, and make sure the numbers to check don't overflow themselves -- if nbuckets & nchains are 32-bit, and if we multiply them by 4, we can easily overflow before we get a chance to see if they will fit within the memory range. Bug: https://bugs.gentoo.org/890028 Signed-off-by: Mike Frysinger <[email protected]>
gentoo · Jan 25, 2024 · c1759f9 · c1759f9
1 parent 77bf161
commit c1759f9
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/scanelf.c b/scanelf.c
@@ -315,9 +315,9 @@ static void scanelf_file_get_symtabs(elfobj *elf, const void **sym, const void *
 			Elf32_Word sym_idx; \
 			Elf32_Word chained; \
 			\
-			if (!VALID_RANGE(elf, offset, nbuckets * 4)) \
+			if (!VALID_RANGE(elf, hash_offset, nbuckets * (uint64_t)4)) \
 				goto corrupt_hash; \
-			if (!VALID_RANGE(elf, offset, nchains * 4)) \
+			if (!VALID_RANGE(elf, hash_offset, nchains * (uint64_t)4)) \
 				goto corrupt_hash; \
 			\
 			for (b = 0; b < nbuckets; ++b) { \