On Mon, 2016-03-21 at 16:03 +0100, Mark Wielaard wrote: > + if (nentries > SIZE_MAX / sizeof (GElf_SymX)) > + error (0, 0,
Oops. We don't just want to print a warning here. We want to report an EXIT_FAILURE on error. Fixed patch attached.
From 911f11a0054264ffbfae8f8e400aea52b8d1d620 Mon Sep 17 00:00:00 2001 From: Mark Wielaard <[email protected]> Date: Mon, 21 Mar 2016 16:01:02 +0100 Subject: [PATCH] nm: Check for malloc size argument overflow in show_symbols. Reported-by: Florian Weimer <[email protected]> Signed-off-by: Mark Wielaard <[email protected]> --- src/ChangeLog | 4 ++++ src/nm.c | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/src/ChangeLog b/src/ChangeLog index fb9c776..f74b5dc 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,7 @@ +2016-03-21 Mark Wielaard <[email protected]> + + * nm.c (show_symbols): Check for malloc size argument overflow. + 2016-02-13 Mark Wielaard <[email protected]> * readelf.c (print_scngrp): Call error when gelf_getshdr fails. diff --git a/src/nm.c b/src/nm.c index 2911afa..010469d 100644 --- a/src/nm.c +++ b/src/nm.c @@ -1311,6 +1311,11 @@ show_symbols (int fd, Ebl *ebl, GElf_Ehdr *ehdr, XXX We can use a dirty trick here. Since GElf_Sym == Elf64_Sym we can use the data memory instead of copying again if what we read is a 64 bit file. */ + if (nentries > SIZE_MAX / sizeof (GElf_SymX)) + error (EXIT_FAILURE, 0, + gettext ("%s: entries (%zd) in section %zd `%s' is too large"), + fullname, nentries, elf_ndxscn (scn), + elf_strptr (ebl->elf, shstrndx, shdr->sh_name)); GElf_SymX *sym_mem; if (nentries * sizeof (GElf_SymX) < MAX_STACK_ALLOC) sym_mem = (GElf_SymX *) alloca (nentries * sizeof (GElf_SymX)); -- 1.8.3.1
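Review bot: in the nm.c hunk the error call formats nentries and elf_ndxscn (scn) with %zd, but both are unsigned sizes (elf_ndxscn returns size_t, and comparing nentries against SIZE_MAX only makes sense if nentries is size_t too), so %zu is the matching conversion; %zd expects a signed ssize_t. The message text "entries (%zd) in section %zd `%s' is too large" also reads awkwardly; something like "entry count (%zu) in section %zu `%s' is too large" keeps the same information with correct grammar and specifiers. The guard itself is right: rejecting nentries > SIZE_MAX / sizeof (GElf_SymX) guarantees that nentries * sizeof (GElf_SymX) on the following lines cannot wrap before it is compared with MAX_STACK_ALLOC and passed to alloca or malloc, and using error (EXIT_FAILURE, ...) rather than error (0, ...) as in the earlier version means nm no longer continues into the allocation after the check fails. One placement point: the check now sits between the "XXX We can use a dirty trick here..." comment and the sym_mem declaration that comment describes; putting the check above the comment keeps the comment next to the allocation code it explains.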
