From b9677209e2b77dbd35de408bdc052f8f2e75dda9 Mon Sep 17 00:00:00 2001
From: Elliott Hughes <[email protected]>
Date: Tue, 15 Mar 2022 19:26:18 -0700
Subject: [PATCH] file: don't be confused by BSS sections.

BSS sections are *expected* to claim a larger size than is actually
present in the file. Unlike program headers which have two different
size fields for the memory and file sizes, section headers only have
one size field, so we're using the right field; we just need to ignore
it for our overflow checking purposes.
---
 toys/posix/file.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/toys/posix/file.c b/toys/posix/file.c
index 45e614dd..9330da13 100644
--- a/toys/posix/file.c
+++ b/toys/posix/file.c
@@ -133,6 +133,7 @@ static void do_elf_file(int fd)
     sh_type = elf_int(shdr+4, 4);
     sh_offset = elf_int(shdr+8+(8<<bits), 4<<bits);
     sh_size = elf_int(shdr+8+(12<<bits), 4);
+    if (sh_type == 8 /*SHT_NOBITS*/) sh_size = 0;
     if (sh_offset>TT.len || sh_size>TT.len-sh_offset) goto bad;
 
     if (sh_type == 2 /*SHT_SYMTAB*/) {
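Review bot: zeroing sh_size on the new line is the right way to keep SHT_NOBITS sections out of the overflow check, since the file holds no bytes for them, but the bare `/*SHT_NOBITS*/` comment does not say why; a short note on that line such as `/* NOBITS: sh_size is memory size, nothing in file */` would save the next reader a trip to the commit log. Note that sh_offset is still validated for NOBITS sections by the following line, which is fine. Separately, in the unchanged context sh_size is read with a fixed width of 4 while sh_offset uses `4<<bits`, so for 64-bit ELF only half of the 8-byte sh_size field is read; worth confirming that truncation is intended rather than changing it to `4<<bits` in a follow-up.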
-- 
2.35.1.723.g4982287a31-goog

_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
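As an added illustration, not toybox code, here is a small ELF64 section-header bounds check that applies the same rule as the patch: sh_size is ignored for SHT_NOBITS sections because it describes memory, not file bytes, while sh_offset is still validated. The little-endian helpers and the constructed headers are assumptions; only little-endian ELF64 is handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHT_PROGBITS 1
#define SHT_NOBITS 8

/* Little-endian field reader/writer: a stand-in for toybox's elf_int(),
   not its code. Only ELF64 little-endian headers are handled here. */
static uint64_t le_int(const unsigned char *p, int n) {
  uint64_t v = 0;
  while (n--) v = (v << 8) | p[n];
  return v;
}

static void put_le(unsigned char *p, int n, uint64_t v) {
  while (n--) { *p++ = v & 0xff; v >>= 8; }
}

/* Bounds-check one 64-byte ELF64 section header against a file_len-byte file.
   Returns 1 if the claimed file range fits, 0 if it would overflow. With
   ignore_nobits set, SHT_NOBITS sections count as occupying no file bytes. */
int shdr_in_bounds(const unsigned char *shdr, uint64_t file_len, int ignore_nobits)
{
  uint64_t sh_type = le_int(shdr+4, 4);
  uint64_t sh_offset = le_int(shdr+24, 8);  /* Elf64_Shdr.sh_offset */
  uint64_t sh_size = le_int(shdr+32, 8);    /* Elf64_Shdr.sh_size */
  if (ignore_nobits && sh_type == SHT_NOBITS) sh_size = 0;
  if (sh_offset > file_len || sh_size > file_len - sh_offset) return 0;
  return 1;
}

/* Build a constructed section header with the given fields and check it. */
int check_case(uint32_t type, uint64_t off, uint64_t size, uint64_t file_len, int ignore_nobits)
{
  unsigned char shdr[64];
  memset(shdr, 0, sizeof shdr);
  put_le(shdr+4, 4, type);
  put_le(shdr+24, 8, off);
  put_le(shdr+32, 8, size);
  return shdr_in_bounds(shdr, file_len, ignore_nobits);
}

int main(void)
{
  /* Constructed case from the commit message: a .bss-style NOBITS section claiming
     1 MiB at offset 0x2000 of a 0x3000-byte file. Old check rejects it, new accepts. */
  printf("bss: old=%d new=%d\n", check_case(SHT_NOBITS, 0x2000, 1<<20, 0x3000, 0),
         check_case(SHT_NOBITS, 0x2000, 1<<20, 0x3000, 1));
  return 0;
}
```

A PROGBITS section with the same bogus size is still rejected with the new rule, and so is a NOBITS section whose sh_offset lies past the end of the file.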