From e9529d9b4a7833049d34b4ec3bf018bdfe68c807 Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Sat, 15 Jun 2019 14:33:32 +0200
Subject: [PATCH] nlist: Check that e_shnum and e_shentsize are within bounds

The e_shnum must not be 0, otherwise we will do a zero sized allocation and further processing of the executable will lead to out of bounds read/write accesses.

The e_shentsize must be equal to sizeof(Elf_Shdr), otherwise we will perform out of bounds read accesses on the shdr array.

Reported-by: Daniel Hodson
Based-on-patch-by: Daniel Hodson
Signed-off-by: Guillem Jover
---
 src/nlist.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/nlist.c b/src/nlist.c
index 776d315..2aa2eee 100644
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -141,6 +141,12 @@ __fdnlist(int fd, struct nlist *list)
 	    fstat(fd, &st) < 0)
 		return (-1);
 
+	if (ehdr.e_shnum == 0 ||
+	    ehdr.e_shentsize != sizeof(Elf_Shdr)) {
+		errno = ERANGE;
+		return (-1);
+	}
+
 	/* calculate section header table size */
 	shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
 
--
2.47.3
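Review bot: The new guard rejects e_shnum == 0 without noting that this also drops support for ELF objects that legitimately set e_shnum to 0 and keep the real section count in shdr[0].sh_size (the >= SHN_LORESERVE escape in the ELF spec); a comment should make that a deliberate choice, e.g. `/* Reject e_shnum == 0: it would give a zero-length table, and the ELF escape that stores the real count in shdr[0].sh_size is not supported here. */`. Pinning e_shentsize to sizeof(Elf_Shdr) has a second, unstated benefit worth a comment on the last line: both halves are 16-bit and `e_shentsize * e_shnum` is evaluated in int, so 0xffff * 0xffff would be signed overflow, whereas sizeof(Elf_Shdr) * 0xffff cannot overflow. What the guard does not do is bound e_shoff or shdr_size against st.st_size, which fstat() has just filled in; if the code after this hunk reads the table at e_shoff (I cannot see it from here), a check along the lines of `ehdr.e_shoff > (Elf_Off)st.st_size || shdr_size > st.st_size - ehdr.e_shoff` belongs next to these two. __fdnlist begins and continues outside the hunk on both sides.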