Hi,

This patch ensures that e_shentsize (section header's size in bytes) is
big enough to fill at least one Elf_Shdr.

Please note, I am not completely sure I have understood this part:
calloc() is called with a dynamic element size (e_shentsize: read from the
file), but the variable is declared as Elf_Shdr[] (array of Elf_Shdr:
which is a fixed element size).

While here, invert calloc() arguments to be calloc(nmemb, size),
according to the fread() call after.

This problem was found with afl, when e_shentsize was 1.
-- 
Sébastien Marie


Index: b/usr.bin/nm/elf.c
===================================================================
--- a/usr.bin/nm/elf.c  2015-06-19 06:26:13.704127213 +0200
+++ b/usr.bin/nm/elf.c  2015-06-19 06:48:58.806582243 +0200
@@ -159,7 +159,12 @@
                return (NULL);
        }
 
-       if ((shdr = calloc(head->e_shentsize, head->e_shnum)) == NULL) {
+       if (head->e_shentsize < sizeof(Elf_Shdr)) {
+               warnx("%s: inconsistent section header size", name);
+               return (NULL);
+       }
+
+       if ((shdr = calloc(head->e_shnum, head->e_shentsize)) == NULL) {
                warn("%s: malloc shdr", name);
                return (NULL);
        }
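Review bot: the new test `head->e_shentsize < sizeof(Elf_Shdr)` only rejects values that are too small, but the mail says `shdr` is declared as an Elf_Shdr[] and filled by the fread() that follows; with an e_shentsize larger than sizeof(Elf_Shdr) the buffer is sized for e_shnum * e_shentsize bytes while `shdr[i]` strides by sizeof(Elf_Shdr), so every entry after the first is read from the wrong offset. Since the warning already says "inconsistent section header size", consider making the test `head->e_shentsize != sizeof(Elf_Shdr)`; that also resolves the calloc() element-size question raised in the mail, because the two sizes are then known to be equal. The swapped `calloc(head->e_shnum, head->e_shentsize)` matches the calloc(nmemb, size) convention and the fread() argument order described, so that part looks right.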

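The following is an added example, not part of the mail or of the nm(1) sources: a stand-alone validation routine for the section-header-table fields of an ELF header, applying the check the patch introduces (e_shentsize must match the Elf_Shdr size the table is indexed with) and going one step beyond it by also bounding e_shoff + e_shnum * e_shentsize against the file size. The `Shdr` struct, the `validate_shdr_table` function, its result codes and the header values in `main` are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for Elf64_Shdr (64 bytes with natural alignment);
 * only its size matters for this check. Not the nm(1) definition. */
typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} Shdr;

/* Result codes for validate_shdr_table() (constructed for the example). */
enum { SHDR_OK = 0, SHDR_BAD_ENTSIZE = 1, SHDR_NO_TABLE = 2, SHDR_OUT_OF_FILE = 3 };

/* Validate the section-header-table fields before allocating or reading
 * the table. e_shentsize must equal sizeof(Shdr) because the table is
 * later indexed as a Shdr array: a smaller value (the afl case, 1) would
 * leave each entry partially filled, a larger one would make shdr[i]
 * land at the wrong file offset. The table must also lie inside the file. */
int validate_shdr_table(uint16_t e_shentsize, uint16_t e_shnum,
                        uint64_t e_shoff, uint64_t file_size)
{
    if (e_shentsize != sizeof(Shdr))
        return SHDR_BAD_ENTSIZE;
    if (e_shnum == 0 || e_shoff == 0)
        return SHDR_NO_TABLE;
    /* uint16 * uint16 fits comfortably in a uint64, so no overflow here */
    uint64_t table_bytes = (uint64_t)e_shentsize * e_shnum;
    /* compare by subtraction so e_shoff + table_bytes cannot wrap */
    if (e_shoff > file_size || table_bytes > file_size - e_shoff)
        return SHDR_OUT_OF_FILE;
    return SHDR_OK;
}

int main(void)
{
    /* Constructed header values: (e_shentsize, e_shnum, e_shoff, file_size) */
    struct { uint16_t entsize, num; uint64_t off, size; const char *what; } cases[] = {
        { 1,     5, 64, 4096, "afl input: e_shentsize == 1" },
        { 64,    5, 64, 4096, "well-formed table" },
        { 64, 65535, 64, 4096, "table extends past end of file" },
        { 64,    0, 64, 4096, "no section header table" },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-32s -> %d\n", cases[i].what,
               validate_shdr_table(cases[i].entsize, cases[i].num,
                                   cases[i].off, cases[i].size));
    return 0;
}
```

The equality test rather than `<` is deliberate: a header claiming a larger entry size than the struct the parser uses is just as inconsistent as a smaller one, and rejecting it up front keeps the later calloc() and fread() sizes in step with the array type.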