From 227bb2b2ea01be5c73785d6cd7fd96443e7c0bb0 Mon Sep 17 00:00:00 2001
From: emaste <emaste@FreeBSD.org>
Date: Fri, 23 Jan 2015 04:07:07 +0000
Subject: [PATCH] libelf: Improve ELF header validation

Avoid integer overflow and reading past EOF.

MFC of r276427, r276443, r277249 from contrib/elftoolchain.
---
 lib/libelf/elf_scn.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/libelf/elf_scn.c b/lib/libelf/elf_scn.c
index 2eefca1512e3..5b2b3c7765c2 100644
--- a/lib/libelf/elf_scn.c
+++ b/lib/libelf/elf_scn.c
@@ -31,6 +31,7 @@ __FBSDID("$FreeBSD$");
 #include <errno.h>
 #include <gelf.h>
 #include <libelf.h>
+#include <stdint.h>
 #include <stdlib.h>
 
 #include "_libelf.h"
@@ -55,8 +56,10 @@ _libelf_load_scn(Elf *e, void *ehdr)
 	assert((e->e_flags & LIBELF_F_SHDRS_LOADED) == 0);
 
 #define	CHECK_EHDR(E,EH)	do {				\
-		if (fsz != (EH)->e_shentsize ||			\
-		    shoff + fsz * shnum > e->e_rawsize) {	\
+		if (shoff > e->e_rawsize ||			\
+		    fsz != (EH)->e_shentsize ||			\
+		    shnum > SIZE_MAX / fsz ||			\
+		    fsz * shnum > e->e_rawsize - shoff) {	\
 			LIBELF_SET_ERROR(HEADER, 0);		\
 			return (0);				\
 		}						\