nlist: Check whether sh_link is within bounds

The sh_link members should be >= e_shnum, otherwise we might do out of
bounds read accesses on the shdr array.

Reported-by: Daniel Hodson <daniel@elttam.com.au>
Based-on-patch-by: Daniel Hodson <daniel@elttam.com.au>
Signed-off-by: Guillem Jover <guillem@hadrons.org>

diff --git a/src/nlist.c b/src/nlist.c
index 2aa2eeefee0f4b54333e4dc87bb3fa9c6edd8c78..e2a7949b33dcfc8a63d3e4dfa88ef0fc3dac9e4a 100644 (file)
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -172,6 +172,9 @@ __fdnlist(int fd, struct nlist *list)
         */
        for (i = 0; i < ehdr.e_shnum; i++) {
                if (shdr[i].sh_type == SHT_SYMTAB) {
+                       if (shdr[i].sh_link >= ehdr.e_shnum)
+                               goto done;
+
                        symoff = shdr[i].sh_offset;
                        symsize = shdr[i].sh_size;
                        symstroff = shdr[shdr[i].sh_link].sh_offset;