mirror of https://github.com/upx/upx.git synced 2025-08-07 22:46:51 +08:00

Detect DT_HASH chain out-of-bounds

https://issues.oss-fuzz.com/u/1/issues/430110068
	modified:   p_lx_elf.cpp
John Reiser
2025-07-24 11:09:58 -07:00
parent 4d788083f0
commit 49fe1ca7bd


@ -8663,6 +8663,7 @@ Elf32_Sym const *PackLinuxElf32::elf_lookup(char const *name) const
break; // end sentinel
}
if (n_bucket) {
void const *EOM = file_size + (char const *)file_image.getVoidPtr();
unsigned const m = elf_hash(name) % n_bucket;
unsigned n_visit = 0;
unsigned si;
@ -8676,6 +8677,9 @@ Elf32_Sym const *PackLinuxElf32::elf_lookup(char const *name) const
return &dynsym[si];
if (l_sym <= &dynsym[n_visit++])
throwCantPack("circular DT_HASH chain %d\n", si);
// Detect next si out-of-bounds
if (((unsigned int const *)EOM - chains) <= si)
throwCantPack("bad DT_HASH chain %d\n", si);
}
}
}
@ -8764,6 +8768,7 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const
break; //end
}
if (n_bucket) { // -rust-musl can have "empty" hashtab
void const *const EOM = file_size + (char const *)file_image.getVoidPtr();
unsigned const m = elf_hash(name) % n_bucket;
unsigned n_visit = 0;
unsigned si;
@ -8777,6 +8782,9 @@ Elf64_Sym const *PackLinuxElf64::elf_lookup(char const *name) const
return &dynsym[si];
if (l_sym <= &dynsym[n_visit++])
throwCantPack("circular DT_HASH chain %d\n", si);
// Detect next si out-of-bounds
if (((unsigned int const *)EOM - chains) <= si)
throwCantPack("bad DT_HASH chain %d\n", si);
}
}
}
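Review bot: The new `bad DT_HASH chain` check in both `elf_lookup` variants bounds `si` by the end of the whole file image (`EOM`) rather than by the end of the hash table, so a chain link that points past the table but still inside the file is accepted and the next link is read from unrelated file bytes; only the `n_visit` counter then stops the walk. If the table's chain count (the second word of the DT_HASH header) is available here, comparing `si` against it would be a tighter test; the lines that set up `chains` are outside these hunks, so this cannot be confirmed. The comparison also mixes a signed pointer difference with `unsigned si`, which is safe only if `chains` is already known to lie below `EOM`, and that is not visible in these hunks either. Because `si` is unsigned, the message should use `%u`: `throwCantPack("bad DT_HASH chain %u\n", si);`. The 32-bit hunk declares `void const *EOM` while the 64-bit one uses `void const *const EOM`; the latter form fits both.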