From: Roland McGrath Date: Wed, 17 Feb 2010 08:49:46 +0000 (-0800) Subject: Avoid wild section data pointers from bogus sh_offset in mapped files. X-Git-Tag: elfutils-0.145~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=429502fd324d731feb939a5db4b7e0723adac616;p=thirdparty%2Felfutils.git Avoid wild section data pointers from bogus sh_offset in mapped files. --- diff --git a/libelf/ChangeLog b/libelf/ChangeLog index 303975b3b..38142087e 100644 --- a/libelf/ChangeLog +++ b/libelf/ChangeLog @@ -1,3 +1,9 @@ +2010-02-17 Roland McGrath + + * elf_begin.c (file_read_elf): Leave section rawdata_base and + data_base pointers null when [sh_offset,sh_size) points outside + the mapped file. + 2010-02-15 Roland McGrath * Makefile.am: Use config/eu.am for common stuff. diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c index 896d86b69..0b9583b26 100644 --- a/libelf/elf_begin.c +++ b/libelf/elf_begin.c @@ -338,10 +338,13 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident, elf->state.elf32.scns.data[cnt].elf = elf; elf->state.elf32.scns.data[cnt].shdr.e32 = &elf->state.elf32.shdr[cnt]; - elf->state.elf32.scns.data[cnt].rawdata_base = - elf->state.elf32.scns.data[cnt].data_base = - ((char *) map_address + offset - + elf->state.elf32.shdr[cnt].sh_offset); + if (likely (elf->state.elf32.shdr[cnt].sh_offset < maxsize) + && likely (maxsize - elf->state.elf32.shdr[cnt].sh_offset + <= elf->state.elf32.shdr[cnt].sh_size)) + elf->state.elf32.scns.data[cnt].rawdata_base = + elf->state.elf32.scns.data[cnt].data_base = + ((char *) map_address + offset + + elf->state.elf32.shdr[cnt].sh_offset); elf->state.elf32.scns.data[cnt].list = &elf->state.elf32.scns; /* If this is a section with an extended index add a 
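Review bot: The second comparison in the added guard looks inverted: `maxsize - sh_offset <= sh_size` holds when the section reaches or runs past the end of the mapping, so rawdata_base/data_base get set for the out-of-range sections and stay null for sections that fit inside the file. To match the ChangeLog entry, swap the operands: `&& likely (elf->state.elf32.shdr[cnt].sh_size <= maxsize - elf->state.elf32.shdr[cnt].sh_offset))`. The elf64 hunk at -423 has the same condition and needs the same swap. The unsigned subtraction itself is fine because `sh_offset < maxsize` is tested first. Both hunks sit inside file_read_elf, whose body starts and ends outside the hunk, so it is worth confirming that maxsize is measured from the same base as `map_address + offset`.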
@@ -423,10 +426,13 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident, elf->state.elf64.scns.data[cnt].elf = elf; elf->state.elf64.scns.data[cnt].shdr.e64 = &elf->state.elf64.shdr[cnt]; - elf->state.elf64.scns.data[cnt].rawdata_base = - elf->state.elf64.scns.data[cnt].data_base = - ((char *) map_address + offset - + elf->state.elf64.shdr[cnt].sh_offset); + if (likely (elf->state.elf64.shdr[cnt].sh_offset < maxsize) + && likely (maxsize - elf->state.elf64.shdr[cnt].sh_offset + <= elf->state.elf64.shdr[cnt].sh_size)) + elf->state.elf64.scns.data[cnt].rawdata_base = + elf->state.elf64.scns.data[cnt].data_base = + ((char *) map_address + offset + + elf->state.elf64.shdr[cnt].sh_offset); elf->state.elf64.scns.data[cnt].list = &elf->state.elf64.scns; /* If this is a section with an extended index add a