Hi,
This patch corrects a read after bound that occurs in strcmp (line just
after the added bound check).
Found with afl.
--
Sébastien Marie
Index: elf.c
===================================================================
RCS file: /cvs/src/usr.bin/nm/elf.c,v
retrieving revision 1.28
diff -u -p -r1.28 elf.c
--- elf.c 17 May 2015 20:19:08 -0000 1.28
+++ elf.c 17 Jun 2015 15:18:03 -0000
@@ -441,7 +451,7 @@ elf_size(Elf_Ehdr *head, Elf_Shdr *shdr,
int
elf_symloadx(const char *name, FILE *fp, off_t foff, Elf_Ehdr *eh,
- Elf_Shdr *shdr, char *shstr, struct nlist **pnames,
+ Elf_Shdr *shdr, char *shstr, long shstrsize, struct nlist **pnames,
struct nlist ***psnames, size_t *pstabsize, int *pnrawnames,
const char *strtab, const char *symtab)
{
@@ -451,6 +461,10 @@ elf_symloadx(const char *name, FILE *fp,
int i;
for (i = 0; i < eh->e_shnum; i++) {
+ if (shdr[i].sh_name >= shstrsize) {
+ warnx("%s: corrupt file", name);
+ return (1);
+ }
if (!strcmp(shstr + shdr[i].sh_name, strtab)) {
*pstabsize = shdr[i].sh_size;
if (*pstabsize > SIZE_MAX) {
@@ -551,11 +565,11 @@ elf_symload(const char *name, FILE *fp,
stab = NULL;
*pnames = NULL; *psnames = NULL; *pnrawnames = 0;
if (!dynamic_only) {
- elf_symloadx(name, fp, foff, eh, shdr, shstr, pnames,
+ elf_symloadx(name, fp, foff, eh, shdr, shstr, shstrsize, pnames,
psnames, pstabsize, pnrawnames, ELF_STRTAB, ELF_SYMTAB);
}
if (stab == NULL) {
- elf_symloadx(name, fp, foff, eh, shdr, shstr, pnames,
+ elf_symloadx(name, fp, foff, eh, shdr, shstr, shstrsize, pnames,
psnames, pstabsize, pnrawnames, ELF_DYNSTR, ELF_DYNSYM);
}
Index: elfuncs.h
===================================================================
RCS file: /cvs/src/usr.bin/nm/elfuncs.h,v
retrieving revision 1.3
diff -u -p -r1.3 elfuncs.h
--- elfuncs.h 30 Sep 2006 14:34:13 -0000 1.3
+++ elfuncs.h 17 Jun 2015 15:18:03 -0000
@@ -36,7 +36,7 @@ int elf32_fix_phdrs(Elf32_Ehdr *eh, Elf3
int elf32_fix_sym(Elf32_Ehdr *eh, Elf32_Sym *sym);
int elf32_size(Elf32_Ehdr *, Elf32_Shdr *, u_long *, u_long *, u_long *);
int elf32_symloadx(const char *, FILE *, off_t, Elf32_Ehdr *, Elf32_Shdr *,
- char *, struct nlist **, struct nlist ***, size_t *, int *,
+ char *, long, struct nlist **, struct nlist ***, size_t *, int *,
const char *, const char *);
int elf32_symload(const char *, FILE *, off_t, Elf32_Ehdr *, Elf32_Shdr *,
struct nlist **, struct nlist ***, size_t *, int *);
@@ -49,7 +49,7 @@ int elf64_fix_phdrs(Elf64_Ehdr *eh, Elf6
int elf64_fix_sym(Elf64_Ehdr *eh, Elf64_Sym *sym);
int elf64_size(Elf64_Ehdr *, Elf64_Shdr *, u_long *, u_long *, u_long *);
int elf64_symloadx(const char *, FILE *, off_t, Elf64_Ehdr *, Elf64_Shdr *,
- char *, struct nlist **, struct nlist ***, size_t *, int *,
+ char *, long, struct nlist **, struct nlist ***, size_t *, int *,
const char *, const char *);
int elf64_symload(const char *, FILE *, off_t, Elf64_Ehdr *, Elf64_Shdr *,
struct nlist **, struct nlist ***, size_t *, int *);
