nlist: Check whether sh_link is within bounds

The sh_link members should be >= e_shnum, otherwise we might do out of
bounds read accesses on the shdr array.

Reported-by: Daniel Hodson <daniel@elttam.com.au>
Based-on-patch-by: Daniel Hodson <daniel@elttam.com.au>
Signed-off-by: Guillem Jover <guillem@hadrons.org>
Guillem Jover 2019-06-15 14:33:32 +02:00
parent e9529d9b4a
commit 24d1f4dd34

@ -172,6 +172,9 @@ __fdnlist(int fd, struct nlist *list)
*/ */
for (i = 0; i < ehdr.e_shnum; i++) { for (i = 0; i < ehdr.e_shnum; i++) {
if (shdr[i].sh_type == SHT_SYMTAB) { if (shdr[i].sh_type == SHT_SYMTAB) {
if (shdr[i].sh_link >= ehdr.e_shnum)
goto done;
symoff = shdr[i].sh_offset; symoff = shdr[i].sh_offset;
symsize = shdr[i].sh_size; symsize = shdr[i].sh_size;
symstroff = shdr[shdr[i].sh_link].sh_offset; symstroff = shdr[shdr[i].sh_link].sh_offset;
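
Review bot: the added check `if (shdr[i].sh_link >= ehdr.e_shnum)` bails out when the index is out of range, so the commit message has the condition inverted: sh_link must be < e_shnum to be a valid index into shdr, not >= e_shnum. The code is right and the message should be reworded to match. Within this hunk the check only proves the index is inside the array. Nothing in the visible lines confirms that the linked section is actually a string table before `symstroff = shdr[shdr[i].sh_link].sh_offset;` uses its offset, so consider also testing the linked header's sh_type against SHT_STRTAB at the same point. A one-line comment above the new test stating that sh_link comes from the untrusted file and indexes shdr would help the next reader. It is also worth confirming that the `goto done` path reports the malformed file to the caller in the same way as the other early exits in this function.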