unstrip: Check symbol strings are terminated.
authorMark Wielaard <mark@klomp.org>
Sat, 26 Oct 2019 20:54:49 +0000 (22:54 +0200)
committerMark Wielaard <mark@klomp.org>
Tue, 29 Oct 2019 14:44:25 +0000 (15:44 +0100)
A corrupt ELF file could contain a .strtab section that wasn't
properly zero terminated. If so we could add a non-terminated string
to the dwelf_strtab functions, which could then crash because they
would read past the .strtab section data.

https://sourceware.org/bugzilla/show_bug.cgi?id=25069

Signed-off-by: Mark Wielaard <mark@klomp.org>
src/ChangeLog
src/unstrip.c

index fe7ddbfd9f4bf00d6f08d87bd8f25f1a3657a440..3144c935f433c68237030f433a8298b7f5992f5c 100644 (file)
@@ -1,3 +1,8 @@
+2019-10-26  Mark Wielaard  <mark@klomp.org>
+
+       * unstrip.c (collect_symbols): Check symbol strings are
+       terminated.
+
 2019-10-18  Mark Wielaard  <mark@klomp.org>
 
        * unstrip.c (adjust_relocs): Set versym data d_size to the actual
index f4314d5dd80c6625fa7af22c1327f6817c0f97e7..9b8c09a14ba3b95543b5eb678ce2935646fd005a 100644 (file)
@@ -854,7 +854,9 @@ collect_symbols (Elf *outelf, bool rel, Elf_Scn *symscn, Elf_Scn *strscn,
       if (sym->st_shndx != SHN_XINDEX)
        shndx = sym->st_shndx;
 
-      if (sym->st_name >= strdata->d_size)
+      if (sym->st_name >= strdata->d_size
+         || memrchr (strdata->d_buf + sym->st_name, '\0',
+                     strdata->d_size - sym->st_name) == NULL)
        error (EXIT_FAILURE, 0,
               _("invalid string offset in symbol [%zu]"), i);
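Review bot: The added `memrchr` condition has no comment, and it is not obvious why the scan runs backward from the end of the section rather than forward from the name. Any NUL found in the range `[st_name, d_size)` proves the name ends inside the .strtab data, and since a well-formed string table ends in a NUL byte the backward scan normally stops at once; I would add `/* A NUL anywhere at or after st_name means the name is terminated inside .strtab; search from the end because a valid table ends in NUL. */` above the `if`. The `error` call still reports "invalid string offset" when the offset is in range but the string is unterminated, so a separate message for that case would make a corrupt input easier to triage. collect_symbols starts and continues outside the hunk, so whether other code that reads names out of `strdata` by offset needs the same check cannot be judged from here.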