From: Florian Weimer
Date: Tue, 19 Jun 2018 13:55:24 +0200
To: libc-alpha@sourceware.org
Subject: [PATCH] libio: Avoid ptrdiff_t overflow in IO_validate_vtable
X-Patchwork-Id: 27923

If the candidate pointer is sufficiently far away from __start___libc_IO_vtables, the result might not fit into ptrdiff_t.

2018-06-19  Florian Weimer

	* libio/libioP.h (IO_validate_vtable): Avoid ptrdiff_t overflow.

diff --git a/libio/libioP.h b/libio/libioP.h index 8afe7032e3..df2633d858 100644 --- a/libio/libioP.h +++ b/libio/libioP.h 
@@ -830,8 +830,8 @@ IO_validate_vtable (const struct _IO_jump_t *vtable) /* Fast path: The vtable pointer is within the __libc_IO_vtables section. */ uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables; - const char *ptr = (const char *) vtable; - uintptr_t offset = ptr - __start___libc_IO_vtables; + uintptr_t ptr = (uintptr_t) vtable; + uintptr_t offset = ptr - (uintptr_t) __start___libc_IO_vtables; if (__glibc_unlikely (offset >= section_length)) /* The vtable pointer is not in the expected section. Use the slow path, which will terminate the process if necessary. */
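Review bot: The two new lines computing `ptr` and `offset` should carry a comment saying that the subtraction is deliberately done in `uintptr_t`, because nothing in the code explains the casts and a later cleanup could restore the pointer arithmetic. The range check `offset >= section_length` depends on unsigned wraparound: a `vtable` below `__start___libc_IO_vtables` yields a very large `offset` and so takes the slow path, whereas the old `ptr - __start___libc_IO_vtables` produced a `ptrdiff_t` that, per the commit message, might not hold the result. Something like `/* Subtract as uintptr_t: vtable may lie outside the section, and the difference might not fit into ptrdiff_t. */` above the new lines would do. The unchanged `section_length` line still subtracts the two section-boundary symbols as pointers; that is fine as long as both delimit the same section, but casting them the same way would make the three lines consistent.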