X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=libelf%2Felf32_getshdr.c;h=741704736f7ae01cf33c4d4e87ffa22da98376b9;hb=a286dd013ef8d46edf013efc0908822a59d8ac81;hp=bd9340dd70710ab6fd69ca17a7eba9da9051383e;hpb=18a667176dd196f7bc3a9cdf1cbd87d4c7b31c7f;p=platform%2Fupstream%2Felfutils.git
diff --git a/libelf/elf32_getshdr.c b/libelf/elf32_getshdr.c
index bd9340d..7417047 100644
--- a/libelf/elf32_getshdr.c
+++ b/libelf/elf32_getshdr.c
@@ -1,5 +1,5 @@
 /* Return section header.
- Copyright (C) 1998-2002, 2005, 2007, 2009, 2012 Red Hat, Inc.
+ Copyright (C) 1998-2002, 2005, 2007, 2009, 2012, 2014 Red Hat, Inc.
 This file is part of elfutils.
 Written by Ulrich Drepper , 1998.
@@ -60,7 +60,8 @@ load_shdr_wrlock (Elf_Scn *scn)
 goto out;
 size_t shnum;
- if (__elf_getshdrnum_rdlock (elf, &shnum) != 0)
+ if (__elf_getshdrnum_rdlock (elf, &shnum) != 0
+ || shnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Shdr)))
 goto out;
 size_t size = shnum * sizeof (ElfW2(LIBELFBITS,Shdr));
@@ -77,6 +78,16 @@ load_shdr_wrlock (Elf_Scn *scn)
 if (elf->map_address != NULL)
 {
+ /* First see whether the information in the ELF header is
+ valid and it does not ask for too much. */
+ if (unlikely (ehdr->e_shoff >= elf->maximum_size)
+ || unlikely (elf->maximum_size - ehdr->e_shoff < size))
+ {
+ /* Something is wrong. */
+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
+ goto free_and_out;
+ }
+
 ElfW2(LIBELFBITS,Shdr) *notcvt;
 /* All the data is already mapped. If we could use it
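Review bot: The overflow guard added in the second hunk, `shnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Shdr))`, shares `goto out` with the `__elf_getshdrnum_rdlock` failure and appears to set no libelf error. A file with an oversized section count would then be rejected without a diagnostic, whereas the range check in the third hunk calls `__libelf_seterrno (ELF_E_INVALID_SECTION_HEADER)`. Splitting the guard out would keep the two rejections consistent: `if (shnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Shdr))) { __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER); goto out; }`. A short comment such as `/* Reject a section count whose table size would overflow size_t.  */` would also explain why the test must come before the multiplication on the next line. The `out` label and the rest of load_shdr_wrlock are outside the hunk, so what the caller sees on this path should be confirmed there.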
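Review bot: The new range check on `ehdr->e_shoff` in the third hunk sits inside the `elf->map_address != NULL` branch, so it only covers the mmap path. The branch that reads the section header table through the file descriptor is outside this hunk; confirm that it rejects an `e_shoff`/`size` pair running past the end of the file, for example by treating a short read as `ELF_E_INVALID_SECTION_HEADER`. The subtraction form `elf->maximum_size - ehdr->e_shoff < size` is the overflow-safe way to write the test and is worth keeping as is. The inner comment `/* Something is wrong.  */` tells a maintainer nothing; something like `/* The section header table would extend past the end of the file.  */` would state which invariant failed.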