aports/main/elfutils/CVE-2017-7607.patch

From: Mark Wielaard <mark at klomp dot org>
To: elfutils-devel at sourceware dot org
Cc: Mark Wielaard <mark at klomp dot org>
Subject: [PATCH] readelf: Fix off by one sanity check in handle_gnu_hash.
Date: Fri, 24 Mar 2017 12:15:02 +0100
Message-Id: <1490354102-21353-1-git-send-email-mark@klomp.org>
X-Mailer: git-send-email 1.8.3.1

We sanity check to make sure we don't index outside the chain array
by testing inner > max_nsyms. But inner is a zero-based index, while
max_nsyms is the maximum number. Change the check to inner >= max_nsyms.

https://sourceware.org/bugzilla/show_bug.cgi?id=21299

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 src/readelf.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/readelf.c b/src/readelf.c
index 8d96ba3..490b6d5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx)
 	    ++nsyms;
 	    if (maxlength < ++lengths[cnt])
 	      ++maxlength;
-	    if (inner > max_nsyms)
+	    if (inner >= max_nsyms)
 	      goto invalid_data;
 	  }
 	while ((chain[inner++] & 1) == 0);
-- 
1.8.3.1