Commit 24d1f4dd34cd86759673f736c16e671a6303f8a8

Guillem Jover 2019-06-15T14:33:32

nlist: Check whether sh_link is within bounds

The sh_link members should be >= e_shnum, otherwise we might do out of
bounds read accesses on the shdr array.

Reported-by: Daniel Hodson <daniel@elttam.com.au>
Based-on-patch-by: Daniel Hodson <daniel@elttam.com.au>
Signed-off-by: Guillem Jover <guillem@hadrons.org>

diff --git a/src/nlist.c b/src/nlist.c
index 2aa2eee..e2a7949 100644
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -172,6 +172,9 @@ __fdnlist(int fd, struct nlist *list)
 	 */
 	for (i = 0; i < ehdr.e_shnum; i++) {
 		if (shdr[i].sh_type == SHT_SYMTAB) {
+			if (shdr[i].sh_link >= ehdr.e_shnum)
+				goto done;
+
 			symoff = shdr[i].sh_offset;
 			symsize = shdr[i].sh_size;
 			symstroff = shdr[shdr[i].sh_link].sh_offset;
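
Review bot: the commit message says sh_link "should be >= e_shnum", but the added check in the SHT_SYMTAB branch bails out when `shdr[i].sh_link >= ehdr.e_shnum`, so the message states the inverse of what the code enforces and should read "< e_shnum". The bound itself is the right one for the `shdr[shdr[i].sh_link]` index on the last context line. A one-line comment above the check saying that sh_link is used as an index into shdr would keep the intent clear. The visible lines take `sh_offset` from the linked section without testing its `sh_type`, and `goto done` ends the whole scan on the first bad SHT_SYMTAB entry, so it is worth confirming both are intended.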