nlist: Check that e_shnum and e_shentsize are within bounds The e_shnum must not be 0, otherwise we will do a zero sized allocation and further processing of the executable will lead to out of bounds read/write accesses. The e_shentsize must be equal to sizeof(Elf_Shdr), otherwise we will perform out of bounds read accesses on the shdr array. Reported-by: Daniel Hodson <daniel@elttam.com.au> Based-on-patch-by: Daniel Hodson <daniel@elttam.com.au> Signed-off-by: Guillem Jover <guillem@hadrons.org>
diff --git a/src/nlist.c b/src/nlist.c
index 776d315..2aa2eee 100644
--- a/src/nlist.c
+++ b/src/nlist.c
@@ -141,6 +141,12 @@ __fdnlist(int fd, struct nlist *list)
fstat(fd, &st) < 0)
return (-1);
+ if (ehdr.e_shnum == 0 ||
+ ehdr.e_shentsize != sizeof(Elf_Shdr)) {
+ errno = ERANGE;
+ return (-1);
+ }
+
/* calculate section header table size */
shdr_size = ehdr.e_shentsize * ehdr.e_shnum;