Ensure there's no sign-extension here.
Both e_shentsize and e_shtrndx are ELF half-words, which means C integers of rank less than int (they're quint16). That means this multiplication was actually done as int, due to integer promotion from unsigned short. So preempt the integer promotion and force them to full-word integers (unsigned int). While the bit-pattern result of the multiplication is the same, the addition with e_shoff (a qelfoff_t = quintptr) wouldn't be: the promotion from 32-bit int to 64-bit would first execute a sign-extension. Now, this shouldn't happen on regular ELF files, but it causes QLibrary to crash if a specially-crafted (or simply corrupt) plugin is found.

Found by Coverity, CID 22642
Change-Id: I42e7ef1a481840699a8dffff1407e9f1282eeecf
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
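The promotion chain the commit message describes (half-word times half-word evaluated as int, then sign-extended into a 64-bit offset) can be reproduced outside Qt. The following is an added example, not Qt's code: the `qelfhalf_t`/`qelfword_t`/`qelfoff_t` typedefs are stand-ins for the Qt types named above, the header field values are constructed, and `section_header_accepted` mirrors the bounds check from the hunk. Writing the pre-fix `e_shentsize * e_shtrndx` literally is signed overflow (undefined behaviour) once the product sets bit 31, so `soff_before` models the promoted product as an explicit 32-bit signed value, which is what compilers produce in practice.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the Qt typedefs named in the commit message. */
typedef uint16_t qelfhalf_t;  /* ELF half-word: rank below int, so it promotes to int */
typedef uint32_t qelfword_t;  /* ELF word: unsigned int, no promotion */
typedef uint64_t qelfoff_t;   /* ELF file offset on a 64-bit build (quintptr) */

/* Pre-fix arithmetic, modelled: the promoted int product is taken as a signed
 * 32-bit value (two's complement, as on every mainstream compiler), and the
 * conversion of that negative int to uint64_t is what sign-extends it. */
uint64_t soff_before(qelfoff_t e_shoff, qelfhalf_t e_shentsize, qelfhalf_t e_shtrndx)
{
    int32_t promoted_product = (int32_t)((uint32_t)e_shentsize * (uint32_t)e_shtrndx);
    /* int -> uint64_t conversion preserves the value modulo 2^64: a negative
     * product effectively subtracts from e_shoff instead of adding to it. */
    return e_shoff + promoted_product;
}

/* Post-fix arithmetic: both operands are cast to a full word first, so the
 * product is unsigned and widening to 64 bits zero-extends. */
uint64_t soff_after(qelfoff_t e_shoff, qelfhalf_t e_shentsize, qelfhalf_t e_shtrndx)
{
    return e_shoff + (qelfword_t)e_shentsize * (qelfword_t)e_shtrndx;
}

/* The bounds check from the hunk: 1 if the section header at soff is accepted. */
int section_header_accepted(uint64_t soff, qelfhalf_t e_shentsize, uint64_t fdlen)
{
    if ((soff + e_shentsize) > fdlen || soff % 4 || soff == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed header fields: a 4 MiB plugin whose section header table
     * claims to sit at 2 MiB, with two half-words chosen so their product
     * sets bit 31 (0xFFF0 * 0xFFF0 = 0xFFE00100). */
    const qelfoff_t  e_shoff     = 0x200000;
    const qelfhalf_t e_shentsize = 0xFFF0;
    const qelfhalf_t e_shtrndx   = 0xFFF0;
    const uint64_t   fdlen       = 0x400000;

    uint64_t before = soff_before(e_shoff, e_shentsize, e_shtrndx);
    uint64_t after  = soff_after(e_shoff, e_shentsize, e_shtrndx);

    /* Before the fix the sign-extended product moves soff backwards to 0x100,
     * which passes the bounds check although no section header lives there;
     * after the fix soff is 0x100000100 and is rejected as beyond fdlen. */
    printf("before fix: soff = 0x%llx, accepted = %d\n", (unsigned long long)before,
           section_header_accepted(before, e_shentsize, fdlen));
    printf("after fix:  soff = 0x%llx, accepted = %d\n", (unsigned long long)after,
           section_header_accepted(after, e_shentsize, fdlen));
    return 0;
}
```

The interesting case for a parser is not the huge sign-extended offset (which the `> fdlen` test catches) but an `e_shoff` large enough that the negative product pulls `soff` back inside the file, where the existing check accepts it and the parser reads section headers from the wrong place.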
This commit is contained in:
parent e18554d4f7
commit 1a6ac83193
@ -148,7 +148,7 @@ int QElfParser::parse(const char *dataStart, ulong fdlen, const QString &library
#endif
ElfSectionHeader strtab;
qulonglong soff = e_shoff + e_shentsize * (e_shtrndx);
qulonglong soff = e_shoff + qelfword_t(e_shentsize) * qelfword_t(e_shtrndx);
if ((soff + e_shentsize) > fdlen || soff % 4 || soff == 0) {
if (lib)
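Review bot: the casts to qelfword_t on the replaced `soff` line do stop the sign-extension (an unsigned int product is zero-extended when added to the 64-bit e_shoff, and two 16-bit operands cannot overflow 32 bits), but the 64-bit addition on that same line can still wrap if e_shoff is itself out of range, and the check on the following line (`if ((soff + e_shentsize) > fdlen || soff % 4 || soff == 0)`) only sees the wrapped soff. Unless e_shoff is validated against fdlen earlier in parse(), consider rejecting `e_shoff >= fdlen` before computing soff. A one-line comment next to the casts saying they exist to block integer promotion would also keep a later cleanup from removing them as redundant.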