authorAndreas Schwab <schwab@suse.de>2018-10-23 09:40:14 +0200
committerAndreas Schwab <schwab@suse.de>2018-10-24 16:34:02 +0200
commit2954daf00bb4dc27c69a48e6798d5960ea320741 (patch)
tree1515d3e310cfb3fc2e2547bcaea0c0a8fb3cac01 /elf/dl-cache.c
parenta27a4f4721837a5fb36ace833764b06a64c5af1c (diff)
Add more checks for valid ld.so.cache file (bug 18093)
Diffstat (limited to 'elf/dl-cache.c')
-rw-r--r--elf/dl-cache.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/elf/dl-cache.c b/elf/dl-cache.c
index 6ee5153..6dd99a3 100644
--- a/elf/dl-cache.c
+++ b/elf/dl-cache.c
@@ -204,7 +204,10 @@ _dl_load_cache_lookup (const char *name)
- only the new format
The following checks if the cache contains any of these formats. */
if (file != MAP_FAILED && cachesize > sizeof *cache
- && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0)
+ && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0
+ /* Check for corruption, avoiding overflow. */
+ && ((cachesize - sizeof *cache) / sizeof (struct file_entry)
+ >= ((struct cache_file *) file)->nlibs))
{
size_t offset;
/* Looks ok. */
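Review bot: The added comment `/* Check for corruption, avoiding overflow. */` does not say which overflow is avoided or why the subtraction is safe, and both depend on details a later edit could easily break. I would expand it to something like `/* Reject a corrupt nlibs: the file_entry array must fit in the mapping. Divide instead of computing nlibs * sizeof (struct file_entry), which could wrap; the subtraction cannot wrap because cachesize > sizeof *cache was tested first. */`, so that the reliance on short-circuit order with the first `&&` operand is explicit. This bound covers only the number of entries in the old-format header. Whether the per-entry string offsets and the new-format branch are bounded against `cachesize` cannot be seen from this hunk, because the body of `_dl_load_cache_lookup` continues past it, so that is worth confirming separately.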