Mark Wielaard 561f4c0
commit 7f1eec317db79627b473c5b149a22a1b20d1f68f
Mark Wielaard 561f4c0
Author: Mark Wielaard <mjw@redhat.com>
Mark Wielaard 561f4c0
Date:   Wed Apr 9 11:33:23 2014 +0200
Mark Wielaard 561f4c0
Mark Wielaard 561f4c0
    CVE-2014-0172 Check for overflow before calling malloc to uncompress data.
Mark Wielaard 561f4c0
    
Mark Wielaard 561f4c0
    https://bugzilla.redhat.com/show_bug.cgi?id=1085663
Mark Wielaard 561f4c0
    
Mark Wielaard 561f4c0
    Reported-by: Florian Weimer <fweimer@redhat.com>
Mark Wielaard 561f4c0
    Signed-off-by: Mark Wielaard <mjw@redhat.com>
Mark Wielaard 561f4c0
Mark Wielaard 561f4c0
diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
Mark Wielaard 561f4c0
index 79daeac..34ea373 100644
Mark Wielaard 561f4c0
--- a/libdw/dwarf_begin_elf.c
Mark Wielaard 561f4c0
+++ b/libdw/dwarf_begin_elf.c
Mark Wielaard 561f4c0
@@ -282,6 +282,12 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
Mark Wielaard 561f4c0
 	    memcpy (&size, data->d_buf + 4, sizeof size);
Mark Wielaard 561f4c0
 	    size = be64toh (size);
Mark Wielaard 561f4c0
 
Mark Wielaard 561f4c0
+	    /* Check for unsigned overflow so malloc always allocated
Mark Wielaard 561f4c0
+	       enough memory for both the Elf_Data header and the
Mark Wielaard 561f4c0
+	       uncompressed section data.  */
Mark Wielaard 561f4c0
+	    if (unlikely (sizeof (Elf_Data) + size < size))
Mark Wielaard 561f4c0
+	      break;
Mark Wielaard 561f4c0
+
Mark Wielaard 561f4c0
 	    Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
Mark Wielaard 561f4c0
 	    if (unlikely (zdata == NULL))
Mark Wielaard 561f4c0
 	      break;