libio: Avoid ptrdiff_t overflow in IO_validate_vtable

If the candidate pointer is sufficiently far away from
__start___libc_IO_vtables, the result might not fit into ptrdiff_t.

diff --git a/ChangeLog b/ChangeLog
index 90b65fd3a67e71435176da43286e5015994314af..672fbd3fd51c13ca4399068ac2a838d38c8eaf64 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2018-06-20  Florian Weimer  <fweimer@redhat.com>
+
+       * libio/libioP.h (IO_validate_vtable): Avoid ptrdiff_t overflow.
+
 2018-06-19  Joseph Myers  <joseph@codesourcery.com>
 
        [BZ #23280]

diff --git a/libio/libioP.h b/libio/libioP.h
index 8afe7032e3f6b1d6f0376783a0e22f1fed114c6a..df2633d8581366d83d5594f3b33aee12704f767c 100644 (file)
--- a/libio/libioP.h
+++ b/libio/libioP.h
@@ -830,8 +830,8 @@ IO_validate_vtable (const struct _IO_jump_t *vtable)
   /* Fast path: The vtable pointer is within the __libc_IO_vtables
      section.  */
   uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables;
-  const char *ptr = (const char *) vtable;
-  uintptr_t offset = ptr - __start___libc_IO_vtables;
+  uintptr_t ptr = (uintptr_t) vtable;
+  uintptr_t offset = ptr - (uintptr_t) __start___libc_IO_vtables;
   if (__glibc_unlikely (offset >= section_length))
     /* The vtable pointer is not in the expected section.  Use the
        slow path, which will terminate the process if necessary.  */