When calulating the possible section header table end us the actual size
of the section headers (sizeof (Elf32_Shdr) or sizeof (Elf64_Shdr)),
not the ELF header e_shentsize value, which can be corrupted. This
prevents a posssible overflow, but we check the shdrs_end is sane
later anyway.
https://sourceware.org/bugzilla/show_bug.cgi?id=28659
Signed-off-by: Mark Wielaard <mark@klomp.org>
2021-12-08 Mark Wielaard <mark@klomp.org>
+ * dwfl_segment_report_module.c (dwfl_segment_report_module): Don't
+ trust e_shentsize.
+
+2021-12-08 Mark Wielaard <mark@klomp.org>
+
* link_map.c (dwfl_link_map_report): Make sure phent != 0.
2021-12-08 Mark Wielaard <mark@klomp.org>
zero sh_size field. We ignore this here because getting shdrs
is just a nice bonus (see below in the type == PT_LOAD case
where we trim the last segment). */
- shdrs_end = ehdr.e32.e_shoff + ehdr.e32.e_shnum * ehdr.e32.e_shentsize;
+ shdrs_end = ehdr.e32.e_shoff + ehdr.e32.e_shnum * sizeof (Elf32_Shdr);
break;
case ELFCLASS64:
if (phentsize != sizeof (Elf64_Phdr))
goto out;
/* See the NOTE above for shdrs_end and ehdr.e32.e_shnum. */
- shdrs_end = ehdr.e64.e_shoff + ehdr.e64.e_shnum * ehdr.e64.e_shentsize;
+ shdrs_end = ehdr.e64.e_shoff + ehdr.e64.e_shnum * sizeof (Elf64_Shdr);
break;
default: