scanelf: fix hashtable overflow checks

Make sure we use the right offset, and make sure the numbers to check don't overflow themselves -- if nbuckets & nchains are 32-bit, and if we multiply them by 4, we can easily overflow before we get a chance to see if they will fit within the memory range. Bug: https://bugs.gentoo.org/890028 Signed-off-by: Mike Frysinger <vapier@gentoo.org>
author: Mike Frysinger <vapier@gentoo.org> 2024-01-25 00:19:50 -0500
committer: Mike Frysinger <vapier@gentoo.org> 2024-01-25 00:19:50 -0500
commit: c1759f9bf28edb910208a7c7fbb4b373fe8b1297 (patch)
tree: 0eba80fa07f9ca8e09950582506c848e18cb1cda
parent: ar: switch from alloca to malloc (diff)
download: pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.tar.gz
pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.tar.bz2
pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/scanelf.c b/scanelf.c
index 140208b..0ee1bad 100644
--- a/scanelf.c
+++ b/scanelf.c
@@ -315,9 +315,9 @@ static void scanelf_file_get_symtabs(elfobj *elf, const void **sym, const void *
 			Elf32_Word sym_idx; \
 			Elf32_Word chained; \
 			\
-			if (!VALID_RANGE(elf, offset, nbuckets * 4)) \
+			if (!VALID_RANGE(elf, hash_offset, nbuckets * (uint64_t)4)) \
 				goto corrupt_hash; \
-			if (!VALID_RANGE(elf, offset, nchains * 4)) \
+			if (!VALID_RANGE(elf, hash_offset, nchains * (uint64_t)4)) \
 				goto corrupt_hash; \
 			\
 			for (b = 0; b < nbuckets; ++b) { \
author	Mike Frysinger <vapier@gentoo.org>	2024-01-25 00:19:50 -0500
committer	Mike Frysinger <vapier@gentoo.org>	2024-01-25 00:19:50 -0500
commit	c1759f9bf28edb910208a7c7fbb4b373fe8b1297 (patch)
tree	0eba80fa07f9ca8e09950582506c848e18cb1cda
parent	ar: switch from alloca to malloc (diff)
download	pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.tar.gz pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.tar.bz2 pax-utils-c1759f9bf28edb910208a7c7fbb4b373fe8b1297.zip