diff options
| author | Florian Weimer <fweimer@redhat.com> | 2018-06-20 09:45:19 +0200 |
|---|---|---|
| committer | Florian Weimer <fweimer@redhat.com> | 2018-06-20 09:45:19 +0200 |
| commit | 2d1c89a5d7c872a1109768f50e2508cf9a4b0348 (patch) | |
| tree | e81572572f2a074b00e25caa3610efd138af62ca | |
| parent | 646c2833ee84aa5ecc7e219f0cc6156e61c371d3 (diff) | |
| download | glibc-2d1c89a5d7c872a1109768f50e2508cf9a4b0348.zip glibc-2d1c89a5d7c872a1109768f50e2508cf9a4b0348.tar.gz glibc-2d1c89a5d7c872a1109768f50e2508cf9a4b0348.tar.bz2 | |
libio: Avoid ptrdiff_t overflow in IO_validate_vtable
If the candidate pointer is sufficiently far away from
__start___libc_IO_vtables, the result might not fit into ptrdiff_t.
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | libio/libioP.h | 4 |
2 files changed, 6 insertions, 2 deletions
@@ -1,3 +1,7 @@ +2018-06-20 Florian Weimer <fweimer@redhat.com> + + * libio/libioP.h (IO_validate_vtable): Avoid ptrdiff_t overflow. + 2018-06-19 Joseph Myers <joseph@codesourcery.com> [BZ #23280] diff --git a/libio/libioP.h b/libio/libioP.h index 8afe703..df2633d 100644 --- a/libio/libioP.h +++ b/libio/libioP.h @@ -830,8 +830,8 @@ IO_validate_vtable (const struct _IO_jump_t *vtable) /* Fast path: The vtable pointer is within the __libc_IO_vtables section. */ uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables; - const char *ptr = (const char *) vtable; - uintptr_t offset = ptr - __start___libc_IO_vtables; + uintptr_t ptr = (uintptr_t) vtable; + uintptr_t offset = ptr - (uintptr_t) __start___libc_IO_vtables; if (__glibc_unlikely (offset >= section_length)) /* The vtable pointer is not in the expected section. Use the slow path, which will terminate the process if necessary. */ |