The ELF64 case didn't check for overflow and accidentally used the 32-bit
Shdr size.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
+2014-12-11 Mark Wielaard <mjw@redhat.com>
+
+ * elf_begin.c (file_read_elf): Correct ELF64 section offset check.
+
2014-12-11 Mark Wielaard <mjw@redhat.com>
* elf_begin.c (read_long_names): Check for offset overflow.
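Review bot: the new ChangeLog entry undersells the change; "Correct ELF64 section offset check" does not say that the check used `sizeof (Elf32_Shdr)` instead of `sizeof (Elf64_Shdr)` and that the addition could overflow, both of which the commit message calls out. Since ChangeLog is what people grep later, consider wording it to match, e.g. "(file_read_elf): Check ELF64 section offset for overflow and use sizeof (Elf64_Shdr), not Elf32_Shdr."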
elf->state.elf64.ehdr = ehdr;
if (unlikely (ehdr->e_shoff >= maxsize)
- || unlikely (ehdr->e_shoff
- + scncnt * sizeof (Elf32_Shdr) > maxsize))
+ || unlikely (maxsize - ehdr->e_shoff
+ < scncnt * sizeof (Elf64_Shdr)))
goto free_and_out;
elf->state.elf64.shdr
= (Elf64_Shdr *) ((char *) ehdr + ehdr->e_shoff);
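Review bot: the subtraction `maxsize - ehdr->e_shoff` is only safe because the preceding `ehdr->e_shoff >= maxsize` test short-circuits the `||` first; that ordering is now load-bearing and deserves a one-line comment so nobody reorders the conditions later. The right-hand side `scncnt * sizeof (Elf64_Shdr)` is still an unchecked multiplication: unless scncnt is bounded before this point, a large count can wrap the product on a 32-bit size_t and slip past the comparison. A division form avoids both issues without the ordering dependency, e.g. `scncnt > (maxsize - ehdr->e_shoff) / sizeof (Elf64_Shdr)`. Also worth confirming that the ELF32 branch of file_read_elf uses the same overflow-safe pattern, since this hunk only touches the ELF64 case.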