libio: Avoid ptrdiff_t overflow in IO_validate_vtable

Message ID E1fVFEK-0000Ie-PL@mid.deneb.enyo.de
State New

Commit Message

Florian Weimer June 19, 2018, 11:55 a.m.
If the candidate pointer is sufficiently far away from
__start___libc_IO_vtables, the result might not fit into ptrdiff_t.

2018-06-19  Florian Weimer  <fweimer@redhat.com>

	* libio/libioP.h (IO_validate_vtable): Avoid ptrdiff_t overflow.

Comments

Andreas Schwab June 19, 2018, 12:05 p.m. | #1
On Jun 19 2018, Florian Weimer <fw@deneb.enyo.de> wrote:

> 	* libio/libioP.h (IO_validate_vtable): Avoid ptrdiff_t overflow.


Ok.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

Patch

diff --git a/libio/libioP.h b/libio/libioP.h
index 8afe7032e3..df2633d858 100644
--- a/libio/libioP.h
+++ b/libio/libioP.h
@@ -830,8 +830,8 @@  IO_validate_vtable (const struct _IO_jump_t *vtable)
   /* Fast path: The vtable pointer is within the __libc_IO_vtables
      section.  */
   uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables;
-  const char *ptr = (const char *) vtable;
-  uintptr_t offset = ptr - __start___libc_IO_vtables;
+  uintptr_t ptr = (uintptr_t) vtable;
+  uintptr_t offset = ptr - (uintptr_t) __start___libc_IO_vtables;
   if (__glibc_unlikely (offset >= section_length))
     /* The vtable pointer is not in the expected section.  Use the
        slow path, which will terminate the process if necessary.  */
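
Review bot: The new `offset` line depends on unsigned wraparound, so that a vtable pointer below `__start___libc_IO_vtables` becomes a very large value and fails the single `offset >= section_length` test, but the "Fast path" comment above it does not say so. A short comment noting that the subtraction is deliberately done in `uintptr_t` rather than as pointer subtraction would stop a later cleanup from reintroducing the `ptrdiff_t` result. The unchanged `section_length` line still subtracts the two section symbols as pointers; that is fine because both bound the same section, but casting both operands to `uintptr_t` there as well would keep the three lines consistent.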