From d9ae096e74b04d3567aa89db234204fd4b11dd3f Mon Sep 17 00:00:00 2001
From: Abseil Team
Date: Tue, 21 Feb 2023 11:19:15 -0800
Subject: absl: fix potential int overflow in ELF reading

Both e_shentsize and e_shstrndx are uint16, so the product elf_header.e_shentsize * elf_header.e_shstrndx can overflow the promoted type int (MAX_UINT16 * MAX_UINT16 > MAX_INT), which is undefined behavior. Not sure if it can affect any real cases or not, though. Cast e_shentsize to loff_t instead of e_shoff. This makes both multiplication and addition to use loff_t type.

PiperOrigin-RevId: 511254775
Change-Id: I39c493bfb539cca6742aae807c50718d31e7c001
---
 absl/debugging/symbolize_elf.inc | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'absl/debugging')

diff --git a/absl/debugging/symbolize_elf.inc b/absl/debugging/symbolize_elf.inc
index ffb4eecf..0fee89f2 100644
--- a/absl/debugging/symbolize_elf.inc
+++ b/absl/debugging/symbolize_elf.inc
@@ -532,6 +532,11 @@ bool ForEachSection(int fd,
     return false;
   }
 
+  // Technically it can be larger, but in practice this never happens.
+  if (elf_header.e_shentsize != sizeof(ElfW(Shdr))) {
+    return false;
+  }
+
   ElfW(Shdr) shstrtab;
   off_t shstrtab_offset = static_cast(elf_header.e_shoff) +
                           elf_header.e_shentsize * elf_header.e_shstrndx;
@@ -584,6 +589,11 @@ bool GetSectionHeaderByName(int fd, const char *name, size_t name_len,
     return false;
   }
 
+  // Technically it can be larger, but in practice this never happens.
+  if (elf_header.e_shentsize != sizeof(ElfW(Shdr))) {
+    return false;
+  }
+
   ElfW(Shdr) shstrtab;
   off_t shstrtab_offset = static_cast(elf_header.e_shoff) +
                           elf_header.e_shentsize * elf_header.e_shstrndx;
-- 
cgit v1.2.3
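Review bot: The description says e_shentsize is cast to loff_t instead of e_shoff, but neither hunk touches the `shstrtab_offset` expression; the only change in both ForEachSection and GetSectionHeaderByName is the new `e_shentsize != sizeof(ElfW(Shdr))` guard, which avoids the int overflow by bounding one factor of the uint16 product rather than by widening the arithmetic, so the commit message should be corrected to describe what the patch actually does. The added comment does not say why the guard exists, so a reader will not connect it to the multiplication two lines below; I would write `// Bound e_shentsize: e_shentsize * e_shstrndx is int arithmetic on two uint16_t values and could overflow for an arbitrary header. Larger entries are legal ELF but unseen in practice.` in place of the current comment, in both hunks. The `static_cast(elf_header.e_shoff)` context line appears to have lost its template argument in rendering, so the target type of that cast cannot be confirmed from this page. Both enclosing functions begin before their hunk and continue after it.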