While iterating the notes, we could overflow the len variable if the
note name or description was too big. Fix this by adding an (unsigned)
overflow check.
https://sourceware.org/bugzilla/show_bug.cgi?id=28654
Signed-off-by: Mark Wielaard <mark@klomp.org>
+2021-12-08 Mark Wielaard <mark@klomp.org>
+
+ * dwfl_segment_report_module.c (dwfl_segment_report_module): Add
+ len overflow check while iterating notes.
+
2021-12-15 Mark Wielaard <mark@klomp.org>
* link_map.c (dwfl_link_map_report): Make sure phent is either sizeof
const GElf_Nhdr *nh = notes;
size_t len = 0;
+ size_t last_len;
while (filesz > len + sizeof (*nh))
{
const void *note_name;
const void *note_desc;
+ last_len = len;
len += sizeof (*nh);
note_name = notes + len;
len = align == 8 ? NOTE_ALIGN8 (len) : NOTE_ALIGN4 (len);
note_desc = notes + len;
- if (unlikely (filesz < len + nh->n_descsz))
+ if (unlikely (filesz < len + nh->n_descsz
+ || len < last_len
+ || len + nh->n_descsz < last_len))
break;
if (nh->n_type == NT_GNU_BUILD_ID
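Review bot: in the lines shown, nothing between `note_name = notes + len;` and the alignment step adds `nh->n_namesz` to `len`, yet the commit message says an oversized note name can overflow `len`; either a `len += nh->n_namesz;` line belongs in the unchanged context here and was dropped from the hunk, or the name is never stepped over and `note_desc` ends up pointing at the name rather than the descriptor, so please confirm the context. On the check itself, `len < last_len` does catch a wrap from the header/name additions and the alignment round-up, and `len + nh->n_descsz < last_len` catches a wrap from the descriptor size, which is sufficient since `n_descsz` is a 32-bit field and `len` and `last_len` differ by at most a header plus alignment padding; putting the two overflow tests before `filesz < len + nh->n_descsz` would make it clearer that the bounds comparison is only trusted once no wrap has occurred, and initialising `size_t last_len = 0;` at the declaration avoids static analyzers flagging the variable as possibly uninitialised.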