In get_shnum the check was whether the Elf(32|64)_Ehdr was correctly
aligned, but to access the Shdr directly we need to check whether the
address that points to the Elf(32|64)_Shdr structure is correctly aligned.

Signed-off-by: Mark Wielaard <[email protected]>
---
 libelf/ChangeLog   | 5 +++++
 libelf/elf_begin.c | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index c57c6a2..a54a80b 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-04  Mark Wielaard  <[email protected]>
+
+       * elf_begin.c (get_shnum): Check alignment of Shdr, not Ehdr before
+       direct access.
+
 2015-06-02  Mark Wielaard  <[email protected]>
 
        * elf_getdata.c (convert_data): Make sure source data is properly
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index e2e3b6b..f002ebf 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -151,8 +151,8 @@ get_shnum (void *map_address, unsigned char *e_ident, int 
fildes, off_t offset,
 
          if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA
              && (ALLOW_UNALIGNED
-                 || (((size_t) ((char *) map_address + offset))
-                     & (__alignof__ (Elf32_Ehdr) - 1)) == 0))
+                 || (((size_t) ((char *) map_address + ehdr.e32->e_shoff))
+                     & (__alignof__ (Elf32_Shdr) - 1)) == 0))
            /* We can directly access the memory.  */
            result = ((Elf32_Shdr *) ((char *) map_address + ehdr.e32->e_shoff
                                      + offset))->sh_size;
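Review bot: The new alignment test on the `+` lines checks `map_address + ehdr.e32->e_shoff`, but the pointer actually dereferenced two lines below is `map_address + ehdr.e32->e_shoff + offset`; the `offset` term that the old check included has been dropped, so when `offset` is non-zero (an ELF that does not start at the beginning of the mapping) the check can pass while the Shdr access is still misaligned. The test should cover the same address as the cast, `|| (((size_t) ((char *) map_address + ehdr.e32->e_shoff + offset))`, and the second hunk at @@ -201 has the identical omission for the Elf64 case (`ehdr.e64->e_shoff` without `+ offset`). Whether `e_shoff` has been bounds-checked against the mapping size before this direct access is not visible in the hunk; if it has not, a short comment here naming where that check lives would help a reader. get_shnum begins and ends outside the hunk.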
@@ -201,8 +201,8 @@ get_shnum (void *map_address, unsigned char *e_ident, int 
fildes, off_t offset,
          Elf64_Xword size;
          if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA
              && (ALLOW_UNALIGNED
-                 || (((size_t) ((char *) map_address + offset))
-                     & (__alignof__ (Elf64_Ehdr) - 1)) == 0))
+                 || (((size_t) ((char *) map_address + ehdr.e64->e_shoff))
+                     & (__alignof__ (Elf64_Shdr) - 1)) == 0))
            /* We can directly access the memory.  */
            size = ((Elf64_Shdr *) ((char *) map_address + ehdr.e64->e_shoff
                                    + offset))->sh_size;
-- 
2.1.0
