From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Tue, 17 Oct 2017 21:57:29 +1030 Subject: PR22307, Heap out of bounds read in _bfd_elf_parse_gnu_properties When adding an unbounded increment to a pointer, you can't just check against the end of the buffer but also must check that overflow doesn't result in "negative" pointer movement. Pointer comparisons are signed. Better, check the increment against the space left using an unsigned comparison. PR 22307 * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz against size left rather than comparing pointers. Reorganise loop. --- bfd/elf-properties.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'bfd/elf-properties.c') diff --git a/bfd/elf-properties.c b/bfd/elf-properties.c index f367aa6..bfb106e 100644 --- a/bfd/elf-properties.c +++ b/bfd/elf-properties.c @@ -93,15 +93,20 @@ bad_size: return FALSE; } - while (1) + while (ptr != ptr_end) { - unsigned int type = bfd_h_get_32 (abfd, ptr); - unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4); + unsigned int type; + unsigned int datasz; elf_property *prop; + if ((size_t) (ptr_end - ptr) < 8) + goto bad_size; + + type = bfd_h_get_32 (abfd, ptr); + datasz = bfd_h_get_32 (abfd, ptr + 4); ptr += 8; - if ((ptr + datasz) > ptr_end) + if (datasz > (size_t) (ptr_end - ptr)) { _bfd_error_handler (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"), @@ -183,11 +188,6 @@ bad_size: next: ptr += (datasz + (align_size - 1)) & ~ (align_size - 1); - if (ptr == ptr_end) - break; - - if (ptr > (ptr_end - 8)) - goto bad_size; } return TRUE; -- cgit v1.1