From: Mark Wielaard Date: Sat, 26 Oct 2019 20:54:49 +0000 (+0200) Subject: unstrip: Check symbol strings are terminated. X-Git-Tag: elfutils-0.178~23 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b2dddd3389a8005a7e93bc21b2932156899e1aac;p=thirdparty%2Felfutils.git unstrip: Check symbol strings are terminated. A corrupt ELF file could contain a .strtab section that wasn't properly zero terminated. If so we could add a non-terminated string to the dwelf_strtab functions, which could then crash because they would read past the .strtab section data. https://sourceware.org/bugzilla/show_bug.cgi?id=25069 Signed-off-by: Mark Wielaard --- diff --git a/src/ChangeLog b/src/ChangeLog index fe7ddbfd9..3144c935f 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2019-10-26 Mark Wielaard + + * unstrip.c (collect_symbols): Check symbol strings are + terminated. + 2019-10-18 Mark Wielaard * unstrip.c (adjust_relocs): Set versym data d_size to the actual diff --git a/src/unstrip.c b/src/unstrip.c index f4314d5dd..9b8c09a14 100644 --- a/src/unstrip.c +++ b/src/unstrip.c @@ -854,7 +854,9 @@ collect_symbols (Elf *outelf, bool rel, Elf_Scn *symscn, Elf_Scn *strscn, if (sym->st_shndx != SHN_XINDEX) shndx = sym->st_shndx; - if (sym->st_name >= strdata->d_size) + if (sym->st_name >= strdata->d_size + || memrchr (strdata->d_buf + sym->st_name, '\0', + strdata->d_size - sym->st_name) == NULL) error (EXIT_FAILURE, 0, _("invalid string offset in symbol [%zu]"), i);
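Review bot: In the collect_symbols hunk of src/unstrip.c, the new termination test reuses the existing message "invalid string offset in symbol [%zu]", so an in-range offset into an unterminated .strtab is reported as a bad offset. Consider a separate error for the unterminated case, which is the corrupt-file condition the commit message describes. The test also only asks whether any '\0' exists between st_name and the end of the data. The same question is repeated for every symbol, so a single check before the loop that the last byte of strdata->d_buf is '\0' would make each per-symbol test a plain bounds comparison. That check is slightly stricter, because it also rejects a table with trailing unterminated bytes that no symbol references. If the per-symbol form stays, a short comment on why memrchr was chosen over memchr would help: scanning from the end finds the terminator of a well-formed table at once. Also, `strdata->d_buf + sym->st_name` is arithmetic on a void pointer and memrchr is a GNU extension; a cast to `const char *` would make the first explicit.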