From 18662cadfcba39607bd5f379e19cdadce5194480 Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Sat, 15 Jun 2019 14:33:32 +0200
Subject: [PATCH] nlist: Fix unbounded malloc() calls

There are a couple of malloc() calls with unbounded size arguments, coming from the parsed file. We need to make sure the size is not larger than the file being parsed, otherwise we might end up with out of memory conditions.

Reported-by: Daniel Hodson
Signed-off-by: Guillem Jover
---
 src/nlist.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/nlist.c b/src/nlist.c
index d01fa55..8aa46a2 100644
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -151,7 +151,7 @@ __fdnlist(int fd, struct nlist *list)
 shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
 /* Make sure it's not too big to mmap */
-if (shdr_size > SIZE_T_MAX) {
+if (shdr_size > SIZE_T_MAX || shdr_size > st.st_size) {
 errno = EFBIG;
 return (-1);
 }
@@ -184,7 +184,7 @@ __fdnlist(int fd, struct nlist *list)
 }
 /* Check for files too large to mmap. */
-if (symstrsize > SIZE_T_MAX) {
+if (symstrsize > SIZE_T_MAX || symstrsize > st.st_size) {
 errno = EFBIG;
 goto done;
 }
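Review bot: The new bound `shdr_size > st.st_size` (and `symstrsize > st.st_size` in the second hunk) caps each allocation at the file length but not at the bytes actually available after the table's offset, so a header whose size fits the file but whose offset sits near its end still passes this check and only fails later when the table is read; unless the offset is validated elsewhere in __fdnlist, which neither hunk shows, a check of the form `if (ehdr.e_shoff > st.st_size || shdr_size > st.st_size - ehdr.e_shoff)` would close that gap for the section headers. The check also runs after `shdr_size = ehdr.e_shentsize * ehdr.e_shnum;`, and if those are the standard 16-bit ELF half-word fields they are promoted to int, so the product can exceed INT_MAX and overflow before the bound is ever tested; `shdr_size = (size_t)ehdr.e_shentsize * ehdr.e_shnum;` makes the multiplication unsigned. Both hunks presumably rely on `st` having been filled by an fstat() call earlier in the function, which is outside the hunks; __fdnlist starts and ends outside both hunks.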