From 061050452b76d85dae66ae410e5f2186ce0b6eca Mon Sep 17 00:00:00 2001
From: semarie
Date: Tue, 23 Jun 2015 15:02:58 +0000
Subject: [PATCH] corrects a read after bound that occurs in strcmp (line just after the added bound check). Found with afl. ok miod@
---
 usr.bin/nm/elf.c | 12 ++++++++----
 usr.bin/nm/elfuncs.h | 6 +++---
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/usr.bin/nm/elf.c b/usr.bin/nm/elf.c
index 17906a44d47..ef82ab1bc09 100644
--- a/usr.bin/nm/elf.c
+++ b/usr.bin/nm/elf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: elf.c,v 1.29 2015/06/23 13:43:08 semarie Exp $ */
+/* $OpenBSD: elf.c,v 1.30 2015/06/23 15:02:58 semarie Exp $ */
 /*
  * Copyright (c) 2003 Michael Shalayeff
@@ -451,7 +451,7 @@ elf_size(Elf_Ehdr *head, Elf_Shdr *shdr,
 int
 elf_symloadx(const char *name, FILE *fp, off_t foff, Elf_Ehdr *eh,
- Elf_Shdr *shdr, char *shstr, struct nlist **pnames,
+ Elf_Shdr *shdr, char *shstr, long shstrsize, struct nlist **pnames,
 struct nlist ***psnames, size_t *pstabsize, int *pnrawnames,
 const char *strtab, const char *symtab)
 {
@@ -461,6 +461,10 @@ elf_symloadx(const char *name, FILE *fp, off_t foff, Elf_Ehdr *eh,
 int i;
 for (i = 0; i < eh->e_shnum; i++) {
+ if (shdr[i].sh_name >= shstrsize) {
+ warnx("%s: corrupt file", name);
+ return (1);
+ }
 if (!strcmp(shstr + shdr[i].sh_name, strtab)) {
 *pstabsize = shdr[i].sh_size;
 if (*pstabsize > SIZE_MAX) {
@@ -561,11 +565,11 @@ elf_symload(const char *name, FILE *fp, off_t foff, Elf_Ehdr *eh,
 stab = NULL; *pnames = NULL; *psnames = NULL; *pnrawnames = 0;
 if (!dynamic_only) {
- elf_symloadx(name, fp, foff, eh, shdr, shstr, pnames,
+ elf_symloadx(name, fp, foff, eh, shdr, shstr, shstrsize, pnames,
 psnames, pstabsize, pnrawnames, ELF_STRTAB, ELF_SYMTAB);
 }
 if (stab == NULL) {
- elf_symloadx(name, fp, foff, eh, shdr, shstr, pnames,
+ elf_symloadx(name, fp, foff, eh, shdr, shstr, shstrsize, pnames,
 psnames, pstabsize, pnrawnames, ELF_DYNSTR, ELF_DYNSYM);
 }
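Review bot: The new `if (shdr[i].sh_name >= shstrsize)` check bounds only the start offset, while the `strcmp` on the next line still scans forward until it finds a NUL, so a section-header string table whose last byte is not a terminator can still be read past `shstr + shstrsize`. A single guard before the loop closes that gap, e.g. `if (shstrsize <= 0 || shstr[shstrsize - 1] != '\0') { warnx("%s: corrupt file", name); return (1); }`, after which every `strcmp` against the table is guaranteed to stop inside it. Separately, `sh_name` is an unsigned 32-bit ELF word and `shstrsize` is a `long` (also in the two elfuncs.h prototypes), so on ILP32 targets the comparison is done in unsigned arithmetic and a negative `shstrsize` would pass the check; where `shstrsize` is assigned is outside this hunk, so that is worth confirming, and `size_t` would be the more natural type for a table size. elf_symloadx continues past the end of the hunk.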
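Review bot: The new `return (1)` path in elf_symloadx has no effect at either call site in this hunk, because both calls in elf_symload discard the return value; after the "corrupt file" warning the function falls through to the `stab == NULL` branch and retries the dynamic tables against the same corrupt headers, printing the warning a second time. Checking the result at both sites, e.g. `if (elf_symloadx(name, fp, foff, eh, shdr, shstr, shstrsize, pnames, psnames, pstabsize, pnrawnames, ELF_STRTAB, ELF_SYMTAB) != 0) return (1);`, would let the failure propagate — assuming elf_symload's callers already treat a non-zero return as failure, which cannot be seen from here. elf_symload starts and ends outside the hunk.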
diff --git a/usr.bin/nm/elfuncs.h b/usr.bin/nm/elfuncs.h
index 01776e7827d..7121c75c75a 100644
--- a/usr.bin/nm/elfuncs.h
+++ b/usr.bin/nm/elfuncs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: elfuncs.h,v 1.3 2006/09/30 14:34:13 kettenis Exp $ */
+/* $OpenBSD: elfuncs.h,v 1.4 2015/06/23 15:02:58 semarie Exp $ */
 /*
  * Copyright (c) 2004 Michael Shalayeff
@@ -36,7 +36,7 @@ int elf32_fix_phdrs(Elf32_Ehdr *eh, Elf32_Phdr *phdr);
 int elf32_fix_sym(Elf32_Ehdr *eh, Elf32_Sym *sym);
 int elf32_size(Elf32_Ehdr *, Elf32_Shdr *, u_long *, u_long *, u_long *);
 int elf32_symloadx(const char *, FILE *, off_t, Elf32_Ehdr *, Elf32_Shdr *,
- char *, struct nlist **, struct nlist ***, size_t *, int *,
+ char *, long, struct nlist **, struct nlist ***, size_t *, int *,
 const char *, const char *);
 int elf32_symload(const char *, FILE *, off_t, Elf32_Ehdr *, Elf32_Shdr *,
 struct nlist **, struct nlist ***, size_t *, int *);
@@ -49,7 +49,7 @@ int elf64_fix_phdrs(Elf64_Ehdr *eh, Elf64_Phdr *phdr);
 int elf64_fix_sym(Elf64_Ehdr *eh, Elf64_Sym *sym);
 int elf64_size(Elf64_Ehdr *, Elf64_Shdr *, u_long *, u_long *, u_long *);
 int elf64_symloadx(const char *, FILE *, off_t, Elf64_Ehdr *, Elf64_Shdr *,
- char *, struct nlist **, struct nlist ***, size_t *, int *,
+ char *, long, struct nlist **, struct nlist ***, size_t *, int *,
 const char *, const char *);
 int elf64_symload(const char *, FILE *, off_t, Elf64_Ehdr *, Elf64_Shdr *,
 struct nlist **, struct nlist ***, size_t *, int *);
-- 
2.20.1