authorJeff Law <law@redhat.com>2012-06-21 09:26:41 -0600
committerJeff Law <law@redhat.com>2012-06-21 09:26:41 -0600
commit28363bbf705830cb35791af679401559376eaa75 (patch)
treed04ba0e96581b43edcfe7eaaea5e4bdce8870886 /elf
parent09615db4a954a51014bb75e6def15ec05d4f0da9 (diff)
2012-06-21 Jeff Law <law@redhat.com>
        [BZ #13882]
        * elf/dl-deps.c (_dl_map_object_deps): Fix cycle detection.  Use
        uint16_t for elements in the "seen" array to avoid char overflows.
        * elf/dl-fini.c (_dl_sort_fini): Likewise.
        * elf/dl-open.c (dl_open_worker): Likewise.
Diffstat (limited to 'elf')
-rw-r--r--elf/dl-deps.c8
-rw-r--r--elf/dl-fini.c8
-rw-r--r--elf/dl-open.c8
3 files changed, 12 insertions, 12 deletions
diff --git a/elf/dl-deps.c b/elf/dl-deps.c
index fb1c3058c0..69aec461fb 100644
--- a/elf/dl-deps.c
+++ b/elf/dl-deps.c
@@ -1,5 +1,5 @@
 /* Load the dependencies of a mapped object.
-   Copyright (C) 1996-2003, 2004, 2005, 2006, 2007, 2010, 2011
+   Copyright (C) 1996-2003, 2004-2007, 2010-2012
    Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -632,7 +632,7 @@ Filters not supported with LD_TRACE_PRELINKING"));
       /* We can skip looking for the binary itself which is at the front
 	 of the search list.  */
       i = 1;
-      char seen[nlist];
+      uint16_t seen[nlist];
       memset (seen, 0, nlist * sizeof (seen[0]));
       while (1)
 	{
@@ -658,13 +658,13 @@ Filters not supported with LD_TRACE_PRELINKING"));
 			       (k - i) * sizeof (l_initfini[0]));
 		      l_initfini[k] = thisp;
 
-		      if (seen[i + 1] > 1)
+		      if (seen[i + 1] > nlist - i)
 			{
 			  ++i;
 			  goto next_clear;
 			}
 
-		      char this_seen = seen[i];
+		      uint16_t this_seen = seen[i];
 		      memmove (&seen[i], &seen[i + 1],
 			       (k - i) * sizeof (seen[0]));
 		      seen[k] = this_seen;
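Review bot: The new bound in `if (seen[i + 1] > nlist - i)` can be larger than a `uint16_t` counter is able to hold once the list has more than 65535 entries; in that case the counter would wrap before the comparison becomes true and the cycle check would never fire. The increment of `seen[]` is outside this hunk, so this is inferred from the element type alone. Either state the assumed limit at the declaration, e.g. `/* uint16_t counters: assumes fewer than 65536 objects in the list.  */`, or make the counter as wide as the index, `unsigned int seen[nlist];`. The same comparison is added in `_dl_sort_fini` (elf/dl-fini.c) and `dl_open_worker` (elf/dl-open.c), and the enclosing loop starts and ends outside the hunk.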
diff --git a/elf/dl-fini.c b/elf/dl-fini.c
index 05146b3795..87cf2f1d33 100644
--- a/elf/dl-fini.c
+++ b/elf/dl-fini.c
@@ -1,5 +1,5 @@
 /* Call the termination functions of loaded shared objects.
-   Copyright (C) 1995,96,1998-2002,2004-2005,2009,2011
+   Copyright (C) 1995, 1996, 1998-2002, 2004-2005, 2009, 2011-2012
    Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -38,7 +38,7 @@ _dl_sort_fini (struct link_map **maps, size_t nmaps, char *used, Lmid_t ns)
   /* We can skip looking for the binary itself which is at the front
      of the search list for the main namespace.  */
   unsigned int i = ns == LM_ID_BASE;
-  char seen[nmaps];
+  uint16_t seen[nmaps];
   memset (seen, 0, nmaps * sizeof (seen[0]));
   while (1)
     {
@@ -78,13 +78,13 @@ _dl_sort_fini (struct link_map **maps, size_t nmaps, char *used, Lmid_t ns)
 		      used[k] = here_used;
 		    }
 
-		  if (seen[i + 1] > 1)
+		  if (seen[i + 1] > nmaps - i)
 		    {
 		      ++i;
 		      goto next_clear;
 		    }
 
-		  char this_seen = seen[i];
+		  uint16_t this_seen = seen[i];
 		  memmove (&seen[i], &seen[i + 1], (k - i) * sizeof (seen[0]));
 		  seen[k] = this_seen;
 
diff --git a/elf/dl-open.c b/elf/dl-open.c
index 570c5f8791..9fe0a7ff6a 100644
--- a/elf/dl-open.c
+++ b/elf/dl-open.c
@@ -1,5 +1,5 @@
 /* Load a shared object at runtime, relocate it, and run its initializer.
-   Copyright (C) 1996-2007, 2009, 2010, 2011, 2012 Free Software Foundation, Inc.
+   Copyright (C) 1996-2007, 2009-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -325,7 +325,7 @@ dl_open_worker (void *a)
   while (l != NULL);
   if (nmaps > 1)
     {
-      char seen[nmaps];
+      uint16_t seen[nmaps];
       memset (seen, '\0', nmaps);
       size_t i = 0;
       while (1)
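Review bot: The unchanged `memset (seen, '\0', nmaps);` still clears only `nmaps` bytes, but after this change `seen` occupies `nmaps * sizeof (uint16_t)` bytes, so the upper half of the array is left uninitialized when the sort loop later reads `seen[i + 1]`. The call should be sized by element as in the other two files: `memset (seen, '\0', nmaps * sizeof (seen[0]));`. Stale stack contents in those counters could make the cycle check trip early or late, which changes the order objects are sorted in. dl_open_worker's body continues outside the hunk.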
@@ -351,13 +351,13 @@ dl_open_worker (void *a)
 			       (k - i) * sizeof (maps[0]));
 		      maps[k] = thisp;
 
-		      if (seen[i + 1] > 1)
+		      if (seen[i + 1] > nmaps - i)
 			{
 			  ++i;
 			  goto next_clear;
 			}
 
-		      char this_seen = seen[i];
+		      uint16_t this_seen = seen[i];
 		      memmove (&seen[i], &seen[i + 1],
 			       (k - i) * sizeof (seen[0]));
 		      seen[k] = this_seen;