-rw-r--r--ChangeLog7
-rw-r--r--elf/cache.c5
-rw-r--r--elf/dl-cache.c5
3 files changed, 16 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 9b44e8d..d6c5be9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-10-24 Andreas Schwab <schwab@suse.de>
+
+ [BZ #18093]
+ * elf/dl-cache.c (_dl_load_cache_lookup): Check for truncated old
+ format cache.
+ * elf/cache.c (print_cache): Likewise.
+
2018-10-24 Albert ARIBAUD <albert.aribaud@3adev.fr>
* bits/timesize.h: New file.
diff --git a/elf/cache.c b/elf/cache.c
index e63979d..c4cd825 100644
--- a/elf/cache.c
+++ b/elf/cache.c
@@ -199,6 +199,11 @@ print_cache (const char *cache_name)
}
else
{
+ /* Check for corruption, avoiding overflow. */
+ if ((cache_size - sizeof (struct cache_file)) / sizeof (struct file_entry)
+ < cache->nlibs)
+ error (EXIT_FAILURE, 0, _("File is not a cache file.\n"));
+
size_t offset = ALIGN_CACHE (sizeof (struct cache_file)
+ (cache->nlibs
* sizeof (struct file_entry)));
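Review bot: The added check computes `cache_size - sizeof (struct cache_file)` in unsigned arithmetic, so if `cache_size` is smaller than the header the difference wraps to a very large value and any `nlibs` passes the test. The hunk does not show whether print_cache rejects such short files before reaching this branch; the function starts and ends outside the hunk. If it does not, the guard should carry its own lower bound, e.g. `if (cache_size < sizeof (struct cache_file) || (cache_size - sizeof (struct cache_file)) / sizeof (struct file_entry) < cache->nlibs)`. If an earlier check exists, the comment should name that dependency, e.g. `/* cache_size >= sizeof (struct cache_file) was checked above; divide instead of multiplying nlibs to avoid overflow. */`.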
diff --git a/elf/dl-cache.c b/elf/dl-cache.c
index 6ee5153..6dd99a3 100644
--- a/elf/dl-cache.c
+++ b/elf/dl-cache.c
@@ -204,7 +204,10 @@ _dl_load_cache_lookup (const char *name)
- only the new format
The following checks if the cache contains any of these formats. */
if (file != MAP_FAILED && cachesize > sizeof *cache
- && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0)
+ && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0
+ /* Check for corruption, avoiding overflow. */
+ && ((cachesize - sizeof *cache) / sizeof (struct file_entry)
+ >= ((struct cache_file *) file)->nlibs))
{
size_t offset;
/* Looks ok. */
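Review bot: The new bound covers only the old-format entry table, so a new-format header embedded after it would still need its own `nlibs` checked against `cachesize`. The hunk does not show whether that happens further down in _dl_load_cache_lookup, which continues outside the hunk. The subtraction itself is safe here because `cachesize > sizeof *cache` is tested earlier in the same `&&` chain. The inline comment could state what is being bounded, e.g. `/* The nlibs entries must fit in the mapped file; divide rather than multiply to avoid overflow. */`. When the test fails, a truncated cache falls through to the later format checks rather than being reported, which looks intentional for the loader but is worth confirming against the remaining branches.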