+2014-12-09 Mark Wielaard <mjw@redhat.com>
+
+ * readelf.c (handle_file_note): Check count fits data section and
+ doesn't overflow fptr.
+
2014-12-08 Mark Wielaard <mjw@redhat.com>
* readelf.c (print_debug_exception_table): Report invalid data if
return;
}
+ size_t addrsize = gelf_fsize (core, ELF_T_ADDR, 1, EV_CURRENT);
+ uint64_t maxcount = (size_t) (end - ptr) / (3 * addrsize);
+ if (count > maxcount)
+ goto fail;
+
/* Where file names are stored. */
- unsigned char const *const fstart
- = ptr + 3 * count * gelf_fsize (core, ELF_T_ADDR, 1, EV_CURRENT);
+ unsigned char const *const fstart = ptr + 3 * count * addrsize;
char const *fptr = (char *) fstart;
printf (" %" PRId64 " files:\n", count);
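Review bot: The new bound divides by `3 * addrsize` without checking that `addrsize` is non-zero, and `gelf_fsize` returns 0 on error, so a failure there would turn the guard itself into a division by zero while parsing a core file that may be untrusted. Whether `gelf_fsize` can actually fail for `core` at this point is not visible in the hunk, but the check is cheap: `if (addrsize == 0 || count > maxcount) goto fail;` with `maxcount` computed only after the zero test. The cast `(size_t) (end - ptr)` also assumes `end >= ptr`, which must be guaranteed by code before the hunk. A one-line comment such as `/* count comes from the note data; make sure 3 * count addresses fit before end. */` would record why the bound exists. The body of handle_file_note and the `fail` label lie outside the hunk.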