nlist: Check whether sh_link is within bounds The sh_link members should be >= e_shnum, otherwise we might do out of bounds read accesses on the shdr array. Reported-by: Daniel Hodson <daniel@elttam.com.au> Based-on-patch-by: Daniel Hodson <daniel@elttam.com.au> Signed-off-by: Guillem Jover <guillem@hadrons.org>
diff --git a/src/nlist.c b/src/nlist.c
index 2aa2eee..e2a7949 100644
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -172,6 +172,9 @@ __fdnlist(int fd, struct nlist *list)
*/
for (i = 0; i < ehdr.e_shnum; i++) {
if (shdr[i].sh_type == SHT_SYMTAB) {
+ if (shdr[i].sh_link >= ehdr.e_shnum)
+ goto done;
+
symoff = shdr[i].sh_offset;
symsize = shdr[i].sh_size;
symstroff = shdr[shdr[i].sh_link].sh_offset;