libelf: Fix unbounded stack usage in elf_getarsym for !ALLOW_UNALIGNED case.

The number of entries in the index can be large, don't use alloca to
read in temporary data, use malloc (which is freed after out).

Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index b749c0851af5f4ad7395fcb888b98076a797231e..4fd3f9f5604a296136832d43088e17ab803305db 100644 (file)
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-31  Mark Wielaard  <mjw@redhat.com>
+
+       * elf_getarsym.c (elf_getarsym): Allocate temporary file_date with
+       malloc, not alloca also in !ALLOW_UNALIGNED case.
+
 2015-05-30  Mark Wielaard  <mjw@redhat.com>
 
        * gelf_xlate.c (elf_cvt_Byte): Only call memmove with non-zero size.

diff --git a/libelf/elf_getarsym.c b/libelf/elf_getarsym.c
index 4f2080a84d93e59788ab0ffc0dc33e4b9ef4afc1..832424410d48bc8ba74488467ded2ee5a3c2c9df 100644 (file)
--- a/libelf/elf_getarsym.c
+++ b/libelf/elf_getarsym.c
@@ -255,7 +255,15 @@ elf_getarsym (elf, ptr)
              file_data = (void *) (elf->map_address + off);
              if (!ALLOW_UNALIGNED
                  && ((uintptr_t) file_data & -(uintptr_t) n) != 0)
-               file_data = memcpy (alloca (sz), elf->map_address + off, sz);
+               {
+                 temp_data = malloc (sz);
+                 if (unlikely (temp_data == NULL))
+                   {
+                     __libelf_seterrno (ELF_E_NOMEM);
+                     goto out;
+                   }
+                 file_data = memcpy (temp_data, elf->map_address + off, sz);
+               }
              str_data = (char *) (elf->map_address + off + sz);
            }