authorBen Wiederhake <BenWiederhake.GitHub@gmx.de>2021-01-30 04:11:50 +0100
committerAndreas Kling <kling@serenityos.org>2021-01-30 09:25:02 +0100
commitec91f8ad1d569b09ec5a222544b9064b33441e7a (patch)
tree0b40101c214fd9b68ff87c2a74c61605491a0ff8 /Userland
parent4332dfb9640f28ef7daafe340b061d2586d2fc28 (diff)
LibELF: Avoid quadratic memory usage weakness
Section names are referred to by offset and length. We do not check (and probably should not check) whether these names overlap in any way. This opened the door to many sections (in this example: about 2700) forcing ELF::Image::m_sections to contain endless copies of the same huge string (in this case: 882K). Fix this by reading at most the first PAGE_SIZE bytes of each name. Since section names are only relevant for relocations and debug information and most section names are hard-coded (and far below 4096 bytes) anyway, this should be no restriction at all for 'normal' executables. Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29187
Diffstat (limited to 'Userland')
-rw-r--r--Userland/Libraries/LibELF/Image.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/Userland/Libraries/LibELF/Image.cpp b/Userland/Libraries/LibELF/Image.cpp
index 190c758f4f..7f39c3ca95 100644
--- a/Userland/Libraries/LibELF/Image.cpp
+++ b/Userland/Libraries/LibELF/Image.cpp
@@ -207,7 +207,7 @@ StringView Image::table_string(unsigned table_index, unsigned offset) const
dbgln("SHENANIGANS! Image::table_string() computed offset outside image.");
return {};
}
- size_t max_length = m_size - computed_offset;
+ size_t max_length = min(m_size - computed_offset, (size_t)PAGE_SIZE);
size_t length = strnlen(raw_data(sh.sh_offset + offset), max_length);
return { raw_data(sh.sh_offset + offset), length };
}
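Review bot: The new bound in `size_t max_length = min(m_size - computed_offset, (size_t)PAGE_SIZE);` is a bare magic constant with no comment saying why a paging size limits an ELF string-table lookup, and a name of PAGE_SIZE bytes or more is now silently truncated rather than rejected, which a later reader could easily mistake for a bug and "fix" back to the quadratic behaviour. I would name the limit and record the rationale next to it: `static constexpr size_t max_section_name_length = PAGE_SIZE;` preceded by `// Bound the name length so that many section headers pointing at the same huge string cannot multiply memory use (OSS-Fuzz 29187); real section names are far shorter, so over-long ones are truncated, not rejected.` The cast would read more idiomatically as `static_cast<size_t>(PAGE_SIZE)`. The body of table_string() begins outside the hunk, so I cannot see how `computed_offset` is derived from `sh.sh_offset + offset`, which the following two lines use for the data pointer; if they are meant to be the same quantity, using one name for both would make the bounds check easier to audit.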