From 8e73cb8c2437f776da5b34c93cc8a38495fb4cdc Mon Sep 17 00:00:00 2001
From: semarie
Date: Tue, 23 Jun 2015 15:13:29 +0000
Subject: [PATCH] This patch ensure that e_shentsize (sections header's size in bytes) is big enough to fill at least one Elf_Shdr.

While here, inverts calloc() arguments to be calloc(nmemb, size), according to fread() call after.

This problem was found with afl, with e_shentsize=1.

ok miod@
---
 usr.bin/nm/elf.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/usr.bin/nm/elf.c b/usr.bin/nm/elf.c
index ef82ab1bc09..bf134ad7513 100644
--- a/usr.bin/nm/elf.c
+++ b/usr.bin/nm/elf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: elf.c,v 1.30 2015/06/23 15:02:58 semarie Exp $ */
+/* $OpenBSD: elf.c,v 1.31 2015/06/23 15:13:29 semarie Exp $ */
 
 /*
 * Copyright (c) 2003 Michael Shalayeff
@@ -159,7 +159,12 @@ elf_load_shdrs(const char *name, FILE *fp, off_t foff, Elf_Ehdr *head)
 return (NULL);
 }
 
- if ((shdr = calloc(head->e_shentsize, head->e_shnum)) == NULL) {
+ if (head->e_shentsize < sizeof(Elf_Shdr)) {
+ warnx("%s: inconsistent section header size", name);
+ return (NULL);
+ }
+
+ if ((shdr = calloc(head->e_shnum, head->e_shentsize)) == NULL) {
 warn("%s: malloc shdr", name);
 return (NULL);
 }
-- 
2.20.1
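Review bot: The new guard in elf_load_shdrs() rejects only an e_shentsize that is too small, so a file declaring an entry size larger than sizeof(Elf_Shdr) still passes. The table is then allocated as e_shnum entries of e_shentsize bytes. The read and the callers are outside this hunk, so this part is inferred: if shdr is later indexed as an array of Elf_Shdr, every entry after the first would be taken from the wrong offset and parsed from file-controlled bytes that are not a real section header. Rejecting any mismatch is simpler and matches how the buffer appears to be used: `if (head->e_shentsize != sizeof(Elf_Shdr)) {`. Separately, the failure message on the context line still says `malloc shdr` although the call is calloc(); `warn("%s: calloc shdr", name);` would keep the diagnostic accurate.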