nm: Check for malloc size argument overflow in show_symbols.

Reported-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/src/ChangeLog b/src/ChangeLog
index fb9c77679526b5991184a6af9efaae92a4638f4a..f74b5dcb4444a31adfaea47bd904bc2a70890de3 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2016-03-21  Mark Wielaard  <mjw@redhat.com>
+
+       * nm.c (show_symbols): Check for malloc size argument overflow.
+
 2016-02-13  Mark Wielaard  <mjw@redhat.com>
 
        * readelf.c (print_scngrp): Call error when gelf_getshdr fails.

diff --git a/src/nm.c b/src/nm.c
index 2911afa87e50676ad44bbe61044d6d173a6b85e5..010469daf96361796ca78a770b5e1b18a8fff3f3 100644 (file)
--- a/src/nm.c
+++ b/src/nm.c
@@ -1311,6 +1311,11 @@ show_symbols (int fd, Ebl *ebl, GElf_Ehdr *ehdr,
      XXX We can use a dirty trick here.  Since GElf_Sym == Elf64_Sym we
      can use the data memory instead of copying again if what we read
      is a 64 bit file.  */
+  if (nentries > SIZE_MAX / sizeof (GElf_SymX))
+    error (EXIT_FAILURE, 0,
+          gettext ("%s: entries (%zd) in section %zd `%s' is too large"),
+          fullname, nentries, elf_ndxscn (scn),
+          elf_strptr (ebl->elf, shstrndx, shdr->sh_name));
   GElf_SymX *sym_mem;
   if (nentries * sizeof (GElf_SymX) < MAX_STACK_ALLOC)
     sym_mem = (GElf_SymX *) alloca (nentries * sizeof (GElf_SymX));