Before checking symbol index zero we should make sure the data size is big enough.
https://sourceware.org/bugzilla/show_bug.cgi?id=21310 Signed-off-by: Mark Wielaard <m...@klomp.org> --- src/ChangeLog | 4 ++++ src/elflint.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/ChangeLog b/src/ChangeLog index 0601198..3555942 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,7 @@ +2017-03-27 Mark Wielaard <m...@klomp.org> + + * elflint.c (check_symtab_shndx): Check data->d_size. + 2017-02-16 Ulf Hermann <ulf.herm...@qt.io> * addr2line.c: Include printversion.h diff --git a/src/elflint.c b/src/elflint.c index 66a13ca..76fb1a0 100644 --- a/src/elflint.c +++ b/src/elflint.c @@ -1959,7 +1959,8 @@ section [%2d] '%s': extended section index in section [%2zu] '%s' refers to same return; } - if (*((Elf32_Word *) data->d_buf) != 0) + if (data->d_size < sizeof (Elf32_Word) + || *((Elf32_Word *) data->d_buf) != 0) ERROR (gettext ("symbol 0 should have zero extended section index\n")); for (size_t cnt = 1; cnt < data->d_size / sizeof (Elf32_Word); ++cnt) -- 2.9.3
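Review bot: In the elflint.c hunk, the new size check is folded into the same condition as the symbol-0 test, so a SHT_SYMTAB_SHNDX section whose data is shorter than one Elf32_Word is reported with the message "symbol 0 should have zero extended section index", which is misleading: no index was read at all, the section is simply too small (or empty). Consider splitting it into two branches, keeping the short-circuit that prevents the out-of-bounds read:
  if (data->d_size < sizeof (Elf32_Word))
    ERROR (gettext ("extended section index section is too small\n"));
  else if (*((Elf32_Word *) data->d_buf) != 0)
and reuse the existing "section [%2d] '%s'" prefix of the neighbouring messages so the report names the offending section. The following loop is unaffected by this change since it already bounds cnt by data->d_size / sizeof (Elf32_Word); note that any trailing bytes not forming a whole Elf32_Word are silently ignored there, which may be worth a separate diagnostic. The ChangeLog entry could also cite the bugzilla number from the commit message so the reason for the check is discoverable from the log alone.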