Further harden the pad note parsing code. Bug: http://b/386192920 Test: cd /data/fuzz/arm64/ElfReader_fuzzer && ./ElfReader_fuzzer corpus/ Change-Id: I8788cf87b0684bd3b97cd15b1fabb0fa72ac8f55

commit: 93d81944ed41a74693a5f38a7fba2690eca9a376 [log] [tgz]
author: Elliott Hughes <enh@google.com> Mon Jan 13 07:56:11 2025 -0800
committer: Elliott Hughes <enh@google.com> Mon Jan 13 07:56:11 2025 -0800
tree: 9e05007bd2929db63fb8129a1287af4dd4695562
parent: 19584059da9cef30ea5b7bdd5915ba5b45d58878 [diff]
diff --git a/libc/bionic/elf_note.cpp b/libc/bionic/elf_note.cpp
index efe3844..28a400a 100644
--- a/libc/bionic/elf_note.cpp
+++ b/libc/bionic/elf_note.cpp

@@ -42,10 +42,12 @@
 
   ElfW(Addr) p = note_addr;
   ElfW(Addr) note_end = p + phdr_note->p_memsz;
-  while (p + sizeof(ElfW(Nhdr)) <= note_end) {
+  while (p < note_end) {
     // Parse the note and check it's structurally valid.
     const ElfW(Nhdr)* note = reinterpret_cast<const ElfW(Nhdr)*>(p);
-    p += sizeof(ElfW(Nhdr));
+    if (__builtin_add_overflow(p, sizeof(ElfW(Nhdr)), &p) || p >= note_end) {
+      return false;
+    }
     const char* name = reinterpret_cast<const char*>(p);
     if (__builtin_add_overflow(p, __builtin_align_up(note->n_namesz, 4), &p)) {
       return false;
commit	93d81944ed41a74693a5f38a7fba2690eca9a376	[log] [tgz]
author	Elliott Hughes <enh@google.com>	Mon Jan 13 07:56:11 2025 -0800
committer	Elliott Hughes <enh@google.com>	Mon Jan 13 07:56:11 2025 -0800
tree	9e05007bd2929db63fb8129a1287af4dd4695562
parent	19584059da9cef30ea5b7bdd5915ba5b45d58878 [diff]