+2018-08-18 Mark Wielaard <mark@klomp.org>
+
+ * elflint.c (check_sysv_hash): Calculate needed size using unsigned
+ long long int to prevent overflow.
+ (check_sysv_hash64): Calculate maxwords used separately before
+ comparison to prevent overflow.
+
2018-07-24 Mark Wielaard <mark@klomp.org>
* unstrip.c (compare_unalloc_sections): Also compare sh_size.
Elf32_Word nbucket = ((Elf32_Word *) data->d_buf)[0];
Elf32_Word nchain = ((Elf32_Word *) data->d_buf)[1];
- if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf32_Word))
+ if (shdr->sh_size < (2ULL + nbucket + nchain) * sizeof (Elf32_Word))
{
ERROR (gettext ("\
section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),
Elf64_Xword nbucket = ((Elf64_Xword *) data->d_buf)[0];
Elf64_Xword nchain = ((Elf64_Xword *) data->d_buf)[1];
- if (shdr->sh_size < (2 + nbucket + nchain) * sizeof (Elf64_Xword))
+ uint64_t maxwords = shdr->sh_size / sizeof (Elf64_Xword);
+ if (maxwords < 2
+ || maxwords - 2 < nbucket
+ || maxwords - 2 - nbucket < nchain)
{
ERROR (gettext ("\
section [%2d] '%s': hash table section is too small (is %ld, expected %ld)\n"),