Signed-off-by: Mark Wielaard <[email protected]> --- libelf/ChangeLog | 5 +++++ libelf/elf_begin.c | 15 ++++++++++----- 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/libelf/ChangeLog b/libelf/ChangeLog index fe210ab..270579b 100644 --- a/libelf/ChangeLog +++ b/libelf/ChangeLog @@ -1,3 +1,8 @@ +2014-12-16 Mark Wielaard <[email protected]> + + * elf_begin.c (read_long_names): Make sure long_names len fits + in mapped ELF file. + 2014-12-15 Mark Wielaard <[email protected]> * elf_getarsym.c (elf_getarsym): Check index_size doesn't overflow. diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c index c24a364..30abe0b 100644 --- a/libelf/elf_begin.c +++ b/libelf/elf_begin.c @@ -708,11 +708,15 @@ read_long_names (Elf *elf) char *runp; if (elf->map_address != NULL) - /* Simply copy it over. */ - elf->state.ar.long_names = (char *) memcpy (newp, - elf->map_address + offset - + sizeof (struct ar_hdr), - len); + { + if (len > elf->maximum_size - offset - sizeof (struct ar_hdr)) + goto too_much; + /* Simply copy it over. */ + elf->state.ar.long_names = (char *) memcpy (newp, + elf->map_address + offset + + sizeof (struct ar_hdr), + len); + } else { if (unlikely ((size_t) pread_retry (elf->fildes, newp, len, @@ -720,6 +724,7 @@ read_long_names (Elf *elf) + sizeof (struct ar_hdr)) != len)) { + too_much: /* We were not able to read all data. */ free (newp); elf->state.ar.long_names = NULL; -- 1.8.3.1
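Review bot: The new guard `if (len > elf->maximum_size - offset - sizeof (struct ar_hdr))` in the mapped branch is only sound if `offset + sizeof (struct ar_hdr) <= elf->maximum_size` has already been established; read_long_names starts before this hunk, so no such check is visible here, and if it is absent the subtraction wraps (maximum_size appears to be an unsigned size) and the comparison accepts any len, so the memcpy still reads past the mapping it was meant to protect. Ordering the checks so that no operand can wrap makes the guard self-contained regardless of what precedes it: `if ((size_t) offset > elf->maximum_size || elf->maximum_size - (size_t) offset < sizeof (struct ar_hdr) || len > elf->maximum_size - offset - sizeof (struct ar_hdr)) goto too_much;` (the casts presume offset is non-negative here; drop them if it is already a size_t). The pread path needs no equivalent change, since a short read is already caught by the `!= len` comparison.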
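Review bot: The comment directly under the new `too_much:` label, `/* We were not able to read all data. */`, is now also reached from the mapped-file case where nothing was read and len simply exceeded the mapping, so it misdescribes the new path; rewording it to `/* Short read, or len runs past the end of the mapped file. */` keeps it accurate for both. Jumping from the if-branch into the braces of the else-branch is legal C (provided no variably modified declaration is in scope) but reads oddly; if this function is touched again, a cleanup label after the if/else would be clearer. The remainder of the error path and the end of read_long_names are outside the hunk.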
