From 72af8466ac0e86dc4a4999f289dd082369bcaedc Mon Sep 17 00:00:00 2001
From: Rob Landley <rob@landley.net>
Date: Sat, 28 Jul 2018 12:04:33 -0500
Subject: Check for integer overflow in pathologically broken elf files by
 moving the sh_size>file length test inside the loop and changing the vars to
 unsigned.

---
 toys/posix/file.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'toys')

diff --git a/toys/posix/file.c b/toys/posix/file.c
index 49c7b22a..715c3e86 100644
--- a/toys/posix/file.c
+++ b/toys/posix/file.c
@@ -160,17 +160,19 @@ static void do_elf_file(int fd)
     } else if (sh_type == 7 /*SHT_NOTE*/) {
       char *note = map+sh_offset;
 
-      if (sh_offset+sh_size>TT.len) goto bad;
-
       // An ELF note is a sequence of entries, each consisting of an
       // ndhr followed by n_namesz+n_descsz bytes of data (each of those
       // rounded up to the next 4 bytes, without this being reflected in
       // the header byte counts themselves).
       while (sh_size >= 3*4) { // Don't try to read a truncated entry.
-        int n_namesz = elf_int(note, 4);
-        int n_descsz = elf_int(note+4, 4);
-        int n_type = elf_int(note+8, 4);
-        int notesz = 3*4 + ((n_namesz+3)&~3) + ((n_descsz+3)&~3);
+        unsigned n_namesz, n_descsz, n_type, notesz;
+
+        if (sh_offset+sh_size>TT.len) goto bad;
+
+        n_namesz = elf_int(note, 4);
+        n_descsz = elf_int(note+4, 4);
+        n_type = elf_int(note+8, 4);
+        notesz = 3*4 + ((n_namesz+3)&~3) + ((n_descsz+3)&~3);
 
         if (n_namesz==4 && !memcmp(note+12, "GNU", 4)) {
           if (n_type==3 /*NT_GNU_BUILD_ID*/) {
-- 
cgit v1.2.3