From 429502fd324d731feb939a5db4b7e0723adac616 Mon Sep 17 00:00:00 2001
From: Roland McGrath
Date: Wed, 17 Feb 2010 00:49:46 -0800
Subject: [PATCH] Avoid wild section data pointers from bogus sh_offset in mapped files.

---
 libelf/ChangeLog | 6 ++++++
 libelf/elf_begin.c | 22 ++++++++++++++--------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 303975b3b..38142087e 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,9 @@
+2010-02-17 Roland McGrath
+
+ * elf_begin.c (file_read_elf): Leave section rawdata_base and
+ data_base pointers null when [sh_offset,sh_size) points outside
+ the mapped file.
+
 2010-02-15 Roland McGrath
 * Makefile.am: Use config/eu.am for common stuff.
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index 896d86b69..0b9583b26 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -338,10 +338,13 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
 elf->state.elf32.scns.data[cnt].elf = elf;
 elf->state.elf32.scns.data[cnt].shdr.e32 = &elf->state.elf32.shdr[cnt];
- elf->state.elf32.scns.data[cnt].rawdata_base =
- elf->state.elf32.scns.data[cnt].data_base =
- ((char *) map_address + offset
- + elf->state.elf32.shdr[cnt].sh_offset);
+ if (likely (elf->state.elf32.shdr[cnt].sh_offset < maxsize)
+ && likely (maxsize - elf->state.elf32.shdr[cnt].sh_offset
+ <= elf->state.elf32.shdr[cnt].sh_size))
+ elf->state.elf32.scns.data[cnt].rawdata_base =
+ elf->state.elf32.scns.data[cnt].data_base =
+ ((char *) map_address + offset
+ + elf->state.elf32.shdr[cnt].sh_offset);
 elf->state.elf32.scns.data[cnt].list = &elf->state.elf32.scns;
 /* If this is a section with an extended index add a
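Review bot: The bounds test added in the elf32 hunk is inverted: `maxsize - sh_offset <= sh_size` holds exactly when the section reaches or runs past the end of the mapped data, so a well-formed section is left with rawdata_base and data_base null while a section whose sh_size overruns the mapping still receives a pointer, which is the wild-pointer case the commit message says it closes. The intended second operand is `&& likely (elf->state.elf32.shdr[cnt].sh_size <= maxsize - elf->state.elf32.shdr[cnt].sh_offset))`, and the elf64 hunk at +426 carries the same inverted comparison. This assumes maxsize is the mapped length measured from `offset` (the pointer is formed as `map_address + offset + sh_offset`), which the hunk does not show. The new null-pointer outcome also becomes part of the contract for every reader of rawdata_base/data_base, none of which appears here; a comment above the `if` such as `/* Left null when [sh_offset, sh_offset + sh_size) lies outside the mapped file; readers must check before dereferencing.  */` would record that. file_read_elf starts and ends outside the hunk, and the hunk text appears cut off inside its trailing comment.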
@@ -423,10 +426,13 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident, elf->state.elf64.scns.data[cnt].elf = elf; elf->state.elf64.scns.data[cnt].shdr.e64 = &elf->state.elf64.shdr[cnt]; - elf->state.elf64.scns.data[cnt].rawdata_base = - elf->state.elf64.scns.data[cnt].data_base = - ((char *) map_address + offset - + elf->state.elf64.shdr[cnt].sh_offset); + if (likely (elf->state.elf64.shdr[cnt].sh_offset < maxsize) + && likely (maxsize - elf->state.elf64.shdr[cnt].sh_offset + <= elf->state.elf64.shdr[cnt].sh_size)) + elf->state.elf64.scns.data[cnt].rawdata_base = + elf->state.elf64.scns.data[cnt].data_base = + ((char *) map_address + offset + + elf->state.elf64.shdr[cnt].sh_offset); elf->state.elf64.scns.data[cnt].list = &elf->state.elf64.scns; /* If this is a section with an extended index add a -- 2.47.2