nlist: Fix unbounded malloc() calls There are a couple of malloc() calls with unbounded size arguments, coming from the parsed file. We need to make sure the size is not larger than the file being parsed, otherwise we might end up with out of memory conditions. Reported-by: Daniel Hodson <daniel@elttam.com.au> Signed-off-by: Guillem Jover <guillem@hadrons.org>
diff --git a/src/nlist.c b/src/nlist.c
index d01fa55..8aa46a2 100644
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -151,7 +151,7 @@ __fdnlist(int fd, struct nlist *list)
shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
/* Make sure it's not too big to mmap */
- if (shdr_size > SIZE_T_MAX) {
+ if (shdr_size > SIZE_T_MAX || shdr_size > st.st_size) {
errno = EFBIG;
return (-1);
}
@@ -184,7 +184,7 @@ __fdnlist(int fd, struct nlist *list)
}
/* Check for files too large to mmap. */
- if (symstrsize > SIZE_T_MAX) {
+ if (symstrsize > SIZE_T_MAX || symstrsize > st.st_size) {
errno = EFBIG;
goto done;
}