author: Thiago Macieira <thiago.macieira@intel.com> 2015-09-27 11:43:47 -0700
committer: Thiago Macieira <thiago.macieira@intel.com> 2015-09-28 06:39:05 +0000
commit: 1a6ac8319313b6e024305397512513387afcafb8
tree: fd645127eb7a2b07bf6ce5b87f0405ce1b3043f9
parent: e18554d4f7722b7fc5b576efb7ca429112789a05
Ensure there's no sign-extension here.
Both e_shentsize and e_shtrndx are ELF half-words, which means C integers of rank less than int (they're quint16). That means this multiplication was actually done as int, due to integer promotion from unsigned short. So preempt the integer promotion and force them to full-word integers (unsigned int).

While the bit-pattern result of the multiplication is the same, the addition with e_shoff (a qelfoff_t = quintptr) wouldn't be: the promotion from 32-bit int to 64-bit would first execute a sign-extension.

Now, this shouldn't happen on regular ELF files, but it causes QLibrary to crash if a specially-crafted (or simply corrupt) plugin is found.

Found by Coverity, CID 22642

Change-Id: I42e7ef1a481840699a8dffff1407e9f1282eeecf
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
-rw-r--r-- src/corelib/plugin/qelfparser_p.cpp | 2
1 files changed, 1 insertions, 1 deletions
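The promotion-and-sign-extension chain described in the commit message, and the reason the wider cast closes it, are easiest to see with concrete header values. The following is an added example written for this page, not Qt's code: the type aliases (ElfHalf, ElfWord, ElfOff), the function names, the header values and the 1 MiB file length are all constructed here, and qelfword_t is modelled as a 32-bit unsigned integer as the message states. The "before" and "after" functions mirror the `-` and `+` lines of the hunk; offsetLooksValid mirrors the check that follows them, and offsetLooksValidNoWrap is a suggested wrap-safe variant, not something the commit contains.

```cpp
#include <cstdint>
#include <climits>

// Types as described in the commit message: ELF half-words are 16-bit,
// qelfword_t is a full 32-bit unsigned word, qelfoff_t is pointer-sized
// (64-bit here). These aliases belong to this example, not to Qt.
typedef uint16_t ElfHalf;
typedef uint32_t ElfWord;
typedef uint64_t ElfOff;

// What `e_shentsize * e_shtrndx` yields once both operands are promoted to
// int: a 32-bit product, hence a negative number whenever the mathematical
// product exceeds INT_MAX. Overflowing the int multiply directly is undefined
// behaviour, so the wrap is modelled via unsigned arithmetic followed by a
// conversion to int (modular on mainstream compilers, guaranteed since C++20).
int promotedProduct(ElfHalf a, ElfHalf b)
{
    uint32_t bits = static_cast<uint32_t>(a) * static_cast<uint32_t>(b);
    return static_cast<int>(bits);
}

// Before the fix (the `-` line of the hunk): the int product is added to the
// 64-bit e_shoff. A negative int converts to uint64_t modulo 2^64, i.e. it is
// sign-extended, so soff lands just below 2^64.
uint64_t sectionOffsetBefore(ElfOff shoff, ElfHalf shentsize, ElfHalf shtrndx)
{
    return shoff + promotedProduct(shentsize, shtrndx);
}

// After the fix (the `+` line): both operands are widened to unsigned 32-bit
// before the multiply, so the product is never negative and never sign-extends.
uint64_t sectionOffsetAfter(ElfOff shoff, ElfHalf shentsize, ElfHalf shtrndx)
{
    return shoff + ElfWord(shentsize) * ElfWord(shtrndx);
}

// The sanity check that follows the computation on the page, unchanged.
bool offsetLooksValid(uint64_t soff, ElfHalf shentsize, uint64_t fdlen)
{
    return !((soff + shentsize) > fdlen || soff % 4 || soff == 0);
}

// Suggested wrap-safe form of that check (this example's own, not Qt's): it
// also rejects an e_shoff near the top of the range, where `soff + shentsize`
// would wrap past 2^64 and slip under fdlen.
bool offsetLooksValidNoWrap(uint64_t soff, ElfHalf shentsize, uint64_t fdlen)
{
    return soff != 0 && soff % 4 == 0 && soff <= fdlen && fdlen - soff >= shentsize;
}

// The displacement the parser would actually apply to dataStart: a
// sign-extended soff reads *before* the mapped file (modular conversion again).
int64_t displacementFromStart(uint64_t soff)
{
    return static_cast<int64_t>(soff);
}

int main()
{
    // Constructed header values for a hostile plugin: e_shoff aligned and
    // well inside the file, e_shentsize and e_shtrndx near the 16-bit maximum.
    const ElfOff   shoff     = 0x40100;  // 262400
    const ElfHalf  shentsize = 0xFFFC;   // 65532
    const ElfHalf  shtrndx   = 0xFFFF;   // 65535
    const uint64_t fdlen     = 1u << 20; // a 1 MiB file

    uint64_t before = sectionOffsetBefore(shoff, shentsize, shtrndx);
    uint64_t after  = sectionOffsetAfter(shoff, shentsize, shtrndx);

    // before == 2^64 - 65276: passes the original check because
    // before + shentsize wraps to 256, yet it points 65276 bytes before
    // dataStart. after == 4294902020: correctly rejected as past end of file.
    bool demonstrated = offsetLooksValid(before, shentsize, fdlen)
                     && !offsetLooksValid(after, shentsize, fdlen)
                     && displacementFromStart(before) == -65276;
    return demonstrated ? 0 : 1;
}
```

The key observation is in sectionOffsetBefore: the negative int product is not "wrong by a few bytes", it turns into an offset a few kilobytes below 2^64, and the subsequent `soff + e_shentsize` wraps back to a small value that satisfies the file-length comparison, which is exactly how a corrupt header reaches an out-of-bounds read.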
diff --git a/src/corelib/plugin/qelfparser_p.cpp b/src/corelib/plugin/qelfparser_p.cpp
index d93be439e0..3798231383 100644
--- a/src/corelib/plugin/qelfparser_p.cpp
+++ b/src/corelib/plugin/qelfparser_p.cpp
@@ -148,7 +148,7 @@ int QElfParser::parse(const char *dataStart, ulong fdlen, const QString &library
#endif
ElfSectionHeader strtab;
- qulonglong soff = e_shoff + e_shentsize * (e_shtrndx);
+ qulonglong soff = e_shoff + qelfword_t(e_shentsize) * qelfword_t(e_shtrndx);
if ((soff + e_shentsize) > fdlen || soff % 4 || soff == 0) {
if (lib)
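Review bot: the guard on the line after the change, `if ((soff + e_shentsize) > fdlen || soff % 4 || soff == 0)`, can itself wrap. e_shoff is a pointer-sized value taken from the file, so an e_shoff near the top of the 64-bit range makes `soff + e_shentsize` wrap to a small number that passes the fdlen comparison while soff still addresses memory before dataStart. Unless e_shoff is range-checked earlier (not visible in this hunk), prefer a subtraction form such as `soff > fdlen || fdlen - soff < e_shentsize` together with the existing `soff == 0` and alignment tests. Separately, the casts on the `+` line deserve a one-line comment, e.g. `// widen to 32 bits first: the promoted int product could go negative and sign-extend`, since the rationale lives only in the commit message and the fix silently relies on qelfword_t being a 32-bit unsigned type rather than another half-word.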