From 303e7a47a742ae4b1f0d732cec50691a27de9325 Mon Sep 17 00:00:00 2001
From: Elliott Hughes <[email protected]>
Date: Thu, 26 Jul 2018 16:56:13 -0700
Subject: [PATCH] file: cope with invalid ELF notes.
Bug: https://github.com/landley/toybox/issues/99 Test: submitter-supplied example now gives `modem.b25: ELF shared object, 32-bit LSB hexagon` --- toys/posix/file.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/toys/posix/file.c b/toys/posix/file.c index 49c7b22..fb5eb31 100644 --- a/toys/posix/file.c +++ b/toys/posix/file.c @@ -160,13 +160,14 @@ static void do_elf_file(int fd) } else if (sh_type == 7 /*SHT_NOTE*/) { char *note = map+sh_offset; - if (sh_offset+sh_size>TT.len) goto bad; - // An ELF note is a sequence of entries, each consisting of an // ndhr followed by n_namesz+n_descsz bytes of data (each of those // rounded up to the next 4 bytes, without this being reflected in // the header byte counts themselves). while (sh_size >= 3*4) { // Don't try to read a truncated entry. + // Sanity check (https://github.com/landley/toybox/issues/99). + if (sh_offset+sh_size>TT.len) goto bad; + int n_namesz = elf_int(note, 4); int n_descsz = elf_int(note+4, 4); int n_type = elf_int(note+8, 4); -- 2.18.0.345.g5c9ce644c3-goog
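Review bot: The bounds check now sits inside `while (sh_size >= 3*4)`, so a SHT_NOTE section with fewer than 12 bytes and an `sh_offset` beyond `TT.len` is never checked and no longer reaches `bad`. That is safe only because nothing is read from `note` in that case, and the new comment should say so instead of "Sanity check" plus a URL. Inside the loop the test still uses `sh_offset+sh_size`, while the reads go through `note`, `note+4` and `note+8`, so it bounds later iterations only if the rest of the loop shrinks `sh_size` in step with advancing `note`, which these lines do not show. `n_namesz` and `n_descsz` come straight from the file: if the loop does not already verify that the rounded entry size fits in the remaining `sh_size`, add that check before the name and desc bytes are used. If `sh_offset` and `sh_size` are no wider than the section header fields they were read from, the sum can also wrap; testing `sh_offset > TT.len` first and then `sh_size > TT.len - sh_offset` avoids that.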
_______________________________________________ Toybox mailing list [email protected] http://lists.landley.net/listinfo.cgi/toybox-landley.net
