| 1234567891011121314151617181920212223242526272829303132333435363738 |
- From 7f1eec317db79627b473c5b149a22a1b20d1f68f Mon Sep 17 00:00:00 2001
- From: Mark Wielaard <mjw@redhat.com>
- Date: Wed, 9 Apr 2014 11:33:23 +0200
- Subject: [PATCH] CVE-2014-0172 Check for overflow before calling malloc to
- uncompress data.
- https://bugzilla.redhat.com/show_bug.cgi?id=1085663
- Reported-by: Florian Weimer <fweimer@redhat.com>
- Signed-off-by: Mark Wielaard <mjw@redhat.com>
- diff --git a/libdw/dwarf_begin_elf.c b/libdw/dwarf_begin_elf.c
- index 79daeac..34ea373 100644
- --- a/libdw/dwarf_begin_elf.c
- +++ b/libdw/dwarf_begin_elf.c
- @@ -1,5 +1,5 @@
- /* Create descriptor from ELF descriptor for processing file.
- - Copyright (C) 2002-2011 Red Hat, Inc.
- + Copyright (C) 2002-2011, 2014 Red Hat, Inc.
- This file is part of elfutils.
- Written by Ulrich Drepper <drepper@redhat.com>, 2002.
-
- @@ -282,6 +282,12 @@ check_section (Dwarf *result, GElf_Ehdr *ehdr, Elf_Scn *scn, bool inscngrp)
- memcpy (&size, data->d_buf + 4, sizeof size);
- size = be64toh (size);
-
- + /* Check for unsigned overflow so malloc always allocated
- + enough memory for both the Elf_Data header and the
- + uncompressed section data. */
- + if (unlikely (sizeof (Elf_Data) + size < size))
- + break;
- +
- Elf_Data *zdata = malloc (sizeof (Elf_Data) + size);
- if (unlikely (zdata == NULL))
- break;
- --
- 1.9.2
|
