svn commit: r283260 - stable/10/usr.sbin/crunch/crunchide

Thu, 21 May 2015 12:17:03 -0700 

Author: emaste
Date: Thu May 21 19:16:28 2015
New Revision: 283260
URL: https://svnweb.freebsd.org/changeset/base/283260

Log:
  MFC r282144: crunchide: add basic string table sanity checks
  
  Reported by:  Coverity Scan
  CID:          978805, 980919
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/10/usr.sbin/crunch/crunchide/exec_elf32.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/usr.sbin/crunch/crunchide/exec_elf32.c
==============================================================================
--- stable/10/usr.sbin/crunch/crunchide/exec_elf32.c    Thu May 21 19:05:47 
2015        (r283259)
+++ stable/10/usr.sbin/crunch/crunchide/exec_elf32.c    Thu May 21 19:16:28 
2015        (r283260)
@@ -342,11 +342,14 @@ ELFNAMEEND(hide)(int fd, const char *fn)
         */
 
        /* load section string table for debug use */
-       if ((shstrtabp = xmalloc(xewtoh(shstrtabshdr->sh_size), fn,
-           "section string table")) == NULL)
+       if ((size = xewtoh(shstrtabshdr->sh_size)) == 0)
+               goto bad;
+       if ((shstrtabp = xmalloc(size, fn, "section string table")) == NULL)
                goto bad;
        if ((size_t)xreadatoff(fd, shstrtabp, xewtoh(shstrtabshdr->sh_offset),
-           xewtoh(shstrtabshdr->sh_size), fn) != xewtoh(shstrtabshdr->sh_size))
+           size, fn) != size)
+               goto bad;
+       if (shstrtabp[size - 1] != '\0')
                goto bad;
 
        /* we need symtab, strtab, and everything behind strtab */
@@ -367,7 +370,8 @@ ELFNAMEEND(hide)(int fd, const char *fn)
                        strtabidx = i;
                if (layoutp[i].shdr == symtabshdr || i >= strtabidx) {
                        off = xewtoh(layoutp[i].shdr->sh_offset);
-                       size = xewtoh(layoutp[i].shdr->sh_size);
+                       if ((size = xewtoh(layoutp[i].shdr->sh_size)) == 0)
+                               goto bad;
                        layoutp[i].bufp = xmalloc(size, fn,
                            shstrtabp + xewtoh(layoutp[i].shdr->sh_name));
                        if (layoutp[i].bufp == NULL)
@@ -377,10 +381,13 @@ ELFNAMEEND(hide)(int fd, const char *fn)
                                goto bad;
 
                        /* set symbol table and string table */
-                       if (layoutp[i].shdr == symtabshdr)
+                       if (layoutp[i].shdr == symtabshdr) {
                                symtabp = layoutp[i].bufp;
-                       else if (layoutp[i].shdr == strtabshdr)
+                       } else if (layoutp[i].shdr == strtabshdr) {
                                strtabp = layoutp[i].bufp;
+                               if (strtabp[size - 1] != '\0')
+                                       goto bad;
+                       }
                }
        }
 
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to