There are a couple of malloc() calls with unbounded size arguments,
coming from the parsed file. We need to make sure the size is not
larger than the file being parsed, otherwise we might end up with
out of memory conditions.
Reported-by: Daniel Hodson <daniel@elttam.com.au>
Signed-off-by: Guillem Jover <guillem@hadrons.org>
shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
/* Make sure it's not too big to mmap */
- if (shdr_size > SIZE_T_MAX) {
+ if (shdr_size > SIZE_T_MAX || shdr_size > st.st_size) {
errno = EFBIG;
return (-1);
}
}
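Review bot: the new `shdr_size > st.st_size` comparison mixes a size computed from header fields with `st.st_size`, which is a signed `off_t`; the declaration of `shdr_size` is not visible in this hunk, but if it is unsigned the comparison relies on implicit conversion. An explicit cast on `st.st_size`, or a check that it is non-negative first, would make the intent clear and avoid sign-compare warnings. The comment above the check still reads "Make sure it's not too big to mmap", which no longer covers the added file-size bound and should be updated. The bound also only compares the table size against the whole file, so a section header table that starts near the end of the file can still pass it. That is enough to cap the allocation, which is what the commit message asks for, but it is worth saying so in the comment.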
/* Check for files too large to mmap. */
- if (symstrsize > SIZE_T_MAX) {
+ if (symstrsize > SIZE_T_MAX || symstrsize > st.st_size) {
errno = EFBIG;
goto done;
}
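Review bot: the `symstrsize > st.st_size` case is reported with `errno = EFBIG`, under the comment "Check for files too large to mmap", but a string table size larger than the file means the file is malformed or truncated, not too large. Consider updating the comment to describe the file-size bound, and consider whether a separate errno for this case would help callers tell the two conditions apart. The signed `off_t` comparison point from the previous hunk applies here as well. Since the same two-part condition now appears in both places, a small helper or macro would keep the two checks from drifting apart.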