nlist: Fix out-of-bounds read on strtab When doing a string comparison for a symbol name from the string table, we should make sure we do a bounded comparison, otherwise a non-NUL terminated string might make the code read out-of-bounds. Warned-by: coverity
diff --git a/src/nlist.c b/src/nlist.c
index 8aa46a2..228c220 100644
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -236,16 +236,18 @@ __fdnlist(int fd, struct nlist *list)
symsize -= cc;
for (s = sbuf; cc > 0 && nent > 0; ++s, cc -= sizeof(*s)) {
char *name;
+ Elf_Word size;
struct nlist *p;
name = strtab + s->st_name;
if (name[0] == '\0')
continue;
+ size = symstrsize - s->st_name;
for (p = list; !ISLAST(p); p++) {
if ((p->n_un.n_name[0] == '_' &&
- strcmp(name, p->n_un.n_name+1) == 0)
- || strcmp(name, p->n_un.n_name) == 0) {
+ strncmp(name, p->n_un.n_name+1, size) == 0) ||
+ strncmp(name, p->n_un.n_name, size) == 0) {
elf_sym_to_nlist(p, s, shdr,
ehdr.e_shnum);
if (--nent <= 0)
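Review bot: The bound `size = symstrsize - s->st_name;` is computed without checking that `s->st_name` falls inside the string table, and `name[0]` is already read two lines above it. If a malformed object file carries an `st_name` at or beyond `symstrsize` (presumably the byte length of `strtab`; its definition is outside the hunk), `name` already points past the table and the subtraction wraps, assuming `Elf_Word` is unsigned, so both `strncmp` calls are effectively unbounded again. I would add `if (s->st_name >= symstrsize) continue;` before `name = strtab + s->st_name;`. Separately, when the last string in the table has no terminator, `strncmp` returns 0 after `size` matching bytes, so a truncated name can be accepted as a match for a longer requested symbol. `__fdnlist` begins and ends outside this hunk.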