Avoid wild section data pointers from bogus sh_offset in mapped files.

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 303975b3b57655ec44c2a9c09f2c69394e58604a..38142087ef6c483da63e43dab86ea220e68f8060 100644 (file)
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,9 @@
+2010-02-17  Roland McGrath  <roland@redhat.com>
+
+       * elf_begin.c (file_read_elf): Leave section rawdata_base and
+       data_base pointers null when [sh_offset,sh_size) points outside
+       the mapped file.
+
 2010-02-15  Roland McGrath  <roland@redhat.com>
 
        * Makefile.am: Use config/eu.am for common stuff.

diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index 896d86b69d7e3b327ffb682464929dde616ec976..0b9583b263cbf45e0b8aaf3d58ad6d3f6a646227 100644 (file)
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -338,10 +338,13 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
              elf->state.elf32.scns.data[cnt].elf = elf;
              elf->state.elf32.scns.data[cnt].shdr.e32 =
                &elf->state.elf32.shdr[cnt];
-             elf->state.elf32.scns.data[cnt].rawdata_base =
-               elf->state.elf32.scns.data[cnt].data_base =
-               ((char *) map_address + offset
-                + elf->state.elf32.shdr[cnt].sh_offset);
+             if (likely (elf->state.elf32.shdr[cnt].sh_offset < maxsize)
+                 && likely (maxsize - elf->state.elf32.shdr[cnt].sh_offset
+                            <= elf->state.elf32.shdr[cnt].sh_size))
+               elf->state.elf32.scns.data[cnt].rawdata_base =
+                 elf->state.elf32.scns.data[cnt].data_base =
+                 ((char *) map_address + offset
+                  + elf->state.elf32.shdr[cnt].sh_offset);
              elf->state.elf32.scns.data[cnt].list = &elf->state.elf32.scns;
 
              /* If this is a section with an extended index add a
@@ -423,10 +426,13 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
              elf->state.elf64.scns.data[cnt].elf = elf;
              elf->state.elf64.scns.data[cnt].shdr.e64 =
                &elf->state.elf64.shdr[cnt];
-             elf->state.elf64.scns.data[cnt].rawdata_base =
-               elf->state.elf64.scns.data[cnt].data_base =
-               ((char *) map_address + offset
-                + elf->state.elf64.shdr[cnt].sh_offset);
+             if (likely (elf->state.elf64.shdr[cnt].sh_offset < maxsize)
+                 && likely (maxsize - elf->state.elf64.shdr[cnt].sh_offset
+                            <= elf->state.elf64.shdr[cnt].sh_size))
+               elf->state.elf64.scns.data[cnt].rawdata_base =
+                 elf->state.elf64.scns.data[cnt].data_base =
+                 ((char *) map_address + offset
+                  + elf->state.elf64.shdr[cnt].sh_offset);
              elf->state.elf64.scns.data[cnt].list = &elf->state.elf64.scns;
 
              /* If this is a section with an extended index add a