d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

libelf: Do not read past end of buffer

Browse Source 
Previously a corrupt ELF file could read beyond the end of e_rawfile.

Upstream elftoolchain ticket 462.  Found via the security/afl fuzzer.

Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Ed Maste 2014-12-29 20:23:42 +00:00
parent 2013b96e58
commit 3a6f20c19a
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
contrib/elftoolchain/libelf/elf_scn.c
View File

@ -50,6 +50,7 @@ _libelf_load_section_headers(Elf *e, void *ehdr)
Elf64_Ehdr *eh64;
int ec, swapbytes;
unsigned char *src;
unsigned char *rawend;
size_t fsz, i, shnum;
int (*xlator)(unsigned char *_d, size_t _dsz, unsigned char *_s,
size_t _c, int _swap);
@ -86,6 +87,7 @@ _libelf_load_section_headers(Elf *e, void *ehdr)
swapbytes = e->e_byteorder != LIBELF_PRIVATE(byteorder);
src = e->e_rawfile + shoff;
rawend = e->e_rawfile + e->e_rawsize;
/*
* If the file is using extended numbering then section #0
@ -102,6 +104,8 @@ _libelf_load_section_headers(Elf *e, void *ehdr)
}
for (; i < shnum; i++, src += fsz) {
if (src + sizeof(scn->s_shdr) > rawend)
return (0);
if ((scn = _libelf_allocate_scn(e, i)) == NULL)
return (0);