commit d9ae096e74b04d3567aa89db234204fd4b11dd3f
author Abseil Team <absl-team@google.com> Tue Feb 21 11:19:15 2023 -0800
committer Copybara-Service <copybara-worker@google.com> Tue Feb 21 11:20:22 2023 -0800
tree 855048c79d9d582cbc12e03de6a7a521cbfe9cbc
parent bd624d9f9825f76f14453beb3df81d82b9e17062

absl: fix potential int overflow in ELF reading

Both e_shentsize and e_shstrndx are uint16, so the product
  elf_header.e_shentsize * elf_header.e_shstrndx
can overflow the promoted type int (MAX_UINT16 * MAX_UINT16 > MAX_INT),
which is undefined behavior. Not sure if it can affect any real cases
or not, though.

Cast e_shentsize to loff_t instead of e_shoff.
This makes both multiplication and addition to use loff_t type.

PiperOrigin-RevId: 511254775
Change-Id: I39c493bfb539cca6742aae807c50718d31e7c001

absl/debugging/symbolize_elf.inc

diff --git a/absl/debugging/symbolize_elf.inc b/absl/debugging/symbolize_elf.inc
index ffb4eec..0fee89f 100644
--- a/absl/debugging/symbolize_elf.inc
+++ b/absl/debugging/symbolize_elf.inc
@@ -532,6 +532,11 @@
     return false;
   }
 
+  // Technically it can be larger, but in practice this never happens.
+  if (elf_header.e_shentsize != sizeof(ElfW(Shdr))) {
+    return false;
+  }
+
   ElfW(Shdr) shstrtab;
   off_t shstrtab_offset = static_cast<off_t>(elf_header.e_shoff) +
                           elf_header.e_shentsize * elf_header.e_shstrndx;
@@ -584,6 +589,11 @@
     return false;
   }
 
+  // Technically it can be larger, but in practice this never happens.
+  if (elf_header.e_shentsize != sizeof(ElfW(Shdr))) {
+    return false;
+  }
+
   ElfW(Shdr) shstrtab;
   off_t shstrtab_offset = static_cast<off_t>(elf_header.e_shoff) +
                           elf_header.e_shentsize * elf_header.e_shstrndx;