author | Jonathan Gray <jsg@cvs.openbsd.org> | 2017-09-30 10:16:00 +0000 |
---|---|---|
committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2017-09-30 10:16:00 +0000 |
commit | ad211843e35a9cae834559c3dd791ea6f785f2ae (patch) | |
tree | 8025c5d101da50ebf052be9b1053bb1f1825eda4 /usr.bin/ctfconv | |
parent | 2daf4a046720f941209dcc9e05fa07c46572864b (diff) |
Add some more boundary checks and prevent an attempt to divide by zero
to resolve some additional crashes found by afl.
ok mpi@ deraadt@
Diffstat (limited to 'usr.bin/ctfconv')
-rw-r--r-- | usr.bin/ctfconv/elf.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/usr.bin/ctfconv/elf.c b/usr.bin/ctfconv/elf.c index 24230b26f3a..39136d85095 100644 --- a/usr.bin/ctfconv/elf.c +++ b/usr.bin/ctfconv/elf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: elf.c,v 1.5 2017/09/29 16:05:53 jsg Exp $ */ +/* $OpenBSD: elf.c,v 1.6 2017/09/30 10:15:59 jsg Exp $ */ /* * Copyright (c) 2016 Martin Pieuchot <mpi@openbsd.org> @@ -125,6 +125,9 @@ elf_getsymtab(const char *p, size_t filesize, const char *shstab, if ((sh->sh_offset + sh->sh_size) > filesize) continue; + if (sh->sh_entsize == 0) + continue; + if (strncmp(shstab + sh->sh_name, ELF_SYMTAB, snlen) == 0) { if (symtab != NULL) *symtab = (Elf_Sym *)(p + sh->sh_offset); @@ -154,6 +157,9 @@ elf_getsection(char *p, size_t filesize, const char *sname, const char *shstab, /* Find the given section. */ for (i = 0; i < eh->e_shnum; i++) { + if ((eh->e_shoff + i * eh->e_shentsize) > filesize) + continue; + sh = (Elf_Shdr *)(p + eh->e_shoff + i * eh->e_shentsize); if ((sh->sh_link >= eh->e_shnum) || (sh->sh_name >= shstabsz)) @@ -242,6 +248,9 @@ elf_reloc_apply(const char *p, size_t filesize, const char *shstab, /* Apply possible relocation. */ for (i = 0; i < eh->e_shnum; i++) { + if ((eh->e_shoff + i * eh->e_shentsize) > filesize) + continue; + sh = (Elf_Shdr *)(p + eh->e_shoff + i * eh->e_shentsize); if (sh->sh_size == 0) @@ -250,6 +259,9 @@ elf_reloc_apply(const char *p, size_t filesize, const char *shstab, if ((sh->sh_info != sidx) || (sh->sh_link != symtabidx)) continue; + if ((sh->sh_offset + sh->sh_size) > filesize) + continue; + switch (sh->sh_type) { case SHT_RELA: rela = (Elf_RelA *)(p + sh->sh_offset); @@ -259,6 +271,8 @@ elf_reloc_apply(const char *p, size_t filesize, const char *shstab, roff = rela[j].r_offset; if (rsym >= nsymb) continue; + if (roff >= filesize) + continue; sym = &symtab[rsym]; value = sym->st_value + rela[j].r_addend; 
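Review bot: The added `sh->sh_entsize == 0` test in elf_getsymtab rules out only the zero case, while the section is handed out as an `Elf_Sym *` array a few lines later. If the symbol count comes from `sh_size / sh_entsize` (that computation is past the end of this hunk, so this is inferred from the commit message), an entry size smaller than `sizeof(Elf_Sym)` gives a count larger than the number of `Elf_Sym` records that fit in the section. The `rsym >= nsymb` guard in elf_reloc_apply would then admit indexes beyond the section before `&symtab[rsym]` is taken. Consider `if (sh->sh_entsize != sizeof(Elf_Sym)) continue;` inside the `ELF_SYMTAB` branch, or dividing by `sizeof(Elf_Sym)` instead. The loop body starts and ends outside the hunk.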
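Review bot: The new bound `(eh->e_shoff + i * eh->e_shentsize) > filesize` in elf_getsection validates only the first byte of the section header, and with `>` an offset equal to `filesize` still passes, so the `sh->sh_link` and `sh->sh_name` reads that follow can run past the end of the file buffer. The sum is built from file-controlled fields and may wrap where `e_shoff` is 64 bits wide, which would defeat the comparison. A form that cannot wrap and covers the whole header is `if (eh->e_shoff > filesize || i * eh->e_shentsize > filesize - eh->e_shoff || filesize - eh->e_shoff - i * eh->e_shentsize < sizeof(*sh)) continue;`. The same applies to the identical check added in elf_reloc_apply, and the wrap concern also applies to the `(sh->sh_offset + sh->sh_size) > filesize` test added there. Both loops continue outside their hunks.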
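Review bot: `if (roff >= filesize) continue;` in the SHT_RELA loop of elf_reloc_apply proves only that one byte at `roff` lies inside the file. The store that consumes `roff` is outside the hunk, so this is inferred: if it writes a relocated value of several bytes, or if `roff` is applied relative to the target section's data rather than to `p`, an offset near the end still reaches past the buffer. The bound would be tighter if it compared the write width against the size of the region being patched, along the lines of `if (roff > ssz || esize > ssz - roff) continue;`, where `esize` and `ssz` are placeholder names for the relocation width and the target region size. The SHT_REL loop in the last hunk gets the same check and the same remark.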
@@ -277,6 +291,8 @@ elf_reloc_apply(const char *p, size_t filesize, const char *shstab, roff = rel[j].r_offset; if (rsym >= nsymb) continue; + if (roff >= filesize) + continue; sym = &symtab[rsym]; value = sym->st_value; |