Public bug reported: It seems to me that the test for an invalid section size wants to be moved up from the map case to cover both the read and the map case.

This guards against a bogus section size for both cases, rather than relying on a malloc failure to catch a completely bogus section size, and thus allows a more accurate error indication.

From elfutils_0.165.orig.tar.bz2 elfutils-0.165/libelf/elf_getdata.c

--- elf_getdata.c.orig 2017-05-23 10:56:05.547607473 -0700 +++ elf_getdata.c 2017-05-23 11:08:27.459670572 -0700 @@ -292,21 +292,20 @@ __libelf_seterrno (ELF_E_INVALID_DATA); return 1; } + /* First see whether the information in the section header is + valid and it does not ask for too much. Check for unsigned + overflow. */ + if (unlikely (offset > elf->maximum_size + || elf->maximum_size - offset < size)) + { + /* Something is wrong. */ + __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER); + return 1; + } /* We can use the mapped or loaded data if available. */ if (elf->map_address != NULL) { - /* First see whether the information in the section header is - valid and it does not ask for too much. Check for unsigned - overflow. */ - if (unlikely (offset > elf->maximum_size - || elf->maximum_size - offset < size)) - { - /* Something is wrong. */ - __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER); - return 1; - } - scn->rawdata_base = scn->rawdata.d.d_buf = (char *) elf->map_address + elf->start_offset + offset; }

** Affects: elfutils (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1692997
Title: libelf test for section size in wrong place
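Review bot: hoisting the bounds check above the `elf->map_address != NULL` test makes the non-mapped (read) path depend on `elf->maximum_size` as well, and the hunk cannot show that this field is initialised for every Elf handle opened for reading; confirm it is set from the file size on that path, since an unset value would either reject every section (if zero) or let the check pass trivially (if it is a sentinel maximum). The added lines are otherwise an exact copy of the removed ones with one level of indentation dropped, and `ELF_E_INVALID_SECTION_HEADER` is the right error for both paths; a regression input whose section header claims a size larger than the file, opened once via mmap and once via read, would pin the behaviour down.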
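As an added illustration (not code from elfutils or from the reporter), the overflow-safe check used by the patch is shown beside the naive `offset + size <= maximum_size` form, exercised on constructed section-header values; `section_fits`, `section_fits_naive` and the 4096-byte file size are assumptions for this demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The form the patch hoists: reject a section that starts past the end of
   the file, or whose claimed size exceeds the bytes remaining after offset.
   offset + size is never computed, so unsigned wraparound cannot occur.  */
bool section_fits(size_t offset, size_t size, size_t maximum_size)
{
  if (offset > maximum_size)
    return false;
  return maximum_size - offset >= size;
}

/* Naive form for contrast: a huge sh_size makes offset + size wrap around,
   so a bogus header can pass and a later malloc(size) is the only defence.  */
bool section_fits_naive(size_t offset, size_t size, size_t maximum_size)
{
  return offset + size <= maximum_size;
}

/* Constructed section headers (sh_offset, sh_size) for a 4096-byte file.  */
struct hdr { size_t offset, size; const char *what; };

int main(void)
{
  const size_t file_size = 4096;               /* assumed file length */
  const struct hdr hdrs[] = {
    { 64,   1024,     "normal section"            },
    { 4096, 0,        "empty section at EOF"      },
    { 4000, 200,      "runs past EOF"             },
    { 8192, 16,       "starts past EOF"           },
    { 64,   SIZE_MAX, "sh_size wraps offset+size" },
  };
  for (size_t i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++)
    printf("%-28s safe=%d naive=%d\n", hdrs[i].what,
           section_fits(hdrs[i].offset, hdrs[i].size, file_size),
           section_fits_naive(hdrs[i].offset, hdrs[i].size, file_size));
  return 0;
}
```

The last row is the case the patch is about: the naive check accepts it because 64 + SIZE_MAX wraps to 63, while the hoisted check rejects it before any allocation on either the mapped or the read path.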