From 0bd65ce30a869559251a34da105fbe45df5a85b3 Mon Sep 17 00:00:00 2001 From: Nick Alcock Date: Thu, 25 Mar 2021 16:32:46 +0000 Subject: libctf: don't dereference out-of-bounds locations in the qualifier hashtab isqualifier, which is used by ctf_lookup_by_name to figure out if a given word in a type name is a qualifier, takes the address of a possibly out-of-bounds location before checking its bounds. In any reasonable compiler this will just lead to a harmless address computation that is then discarded if out-of-bounds, but it's still undefined behaviour and the sanitizer rightly complains. libctf/ChangeLog 2021-03-25 Nick Alcock PR libctf/27628 * ctf-lookup.c (isqualifier): Don't dereference out-of-bounds qhash values. --- libctf/ChangeLog | 6 ++++++ libctf/ctf-lookup.c | 10 +++++++--- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/libctf/ChangeLog b/libctf/ChangeLog index 32268f8..c5d52f2 100644 --- a/libctf/ChangeLog +++ b/libctf/ChangeLog @@ -1,5 +1,11 @@ 2021-03-25 Nick Alcock + PR libctf/27628 + * ctf-lookup.c (isqualifier): Don't dereference out-of-bounds + qhash values. + +2021-03-25 Nick Alcock + * ctf-open-bfd.c (ctf_bfdopen_ctfsect): Initialize debugging. 2021-03-25 Nick Alcock diff --git a/libctf/ctf-lookup.c b/libctf/ctf-lookup.c index 9d1e6d8..fe66bc4 100644 --- a/libctf/ctf-lookup.c +++ b/libctf/ctf-lookup.c @@ -111,10 +111,14 @@ isqualifier (const char *s, size_t len) }; int h = s[len - 1] + (int) len - 105; - const struct qual *qp = &qhash[h]; + const struct qual *qp; - return (h >= 0 && (size_t) h < sizeof (qhash) / sizeof (qhash[0]) - && (size_t) len == qp->q_len && + if (h < 0 || (size_t) h >= sizeof (qhash) / sizeof (qhash[0])) + return 0; + + qp = &qhash[h]; + + return ((size_t) len == qp->q_len && strncmp (qp->q_name, s, qp->q_len) == 0); } -- cgit v1.1