This patch fixes Bug 90924. The simple_object_elf functions don't load section table 0 of an ELF file, which is not useful. However, if e_shstrndx in the ELF header points to section table 0 (i.e. e_shstrndx == 0), the calculation of the offset to the string section table causes an integer overflow at every line with "(eor->shstrndx - 1)". The result becomes the negative value (unsigned int)-1 and causes memory corruption.
Signed-off-by: Ren Kimura <rkx1209...@gmail.com> --- libiberty/simple-object-elf.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c index 22c9ae7ed2d..9c561632bc5 100644 --- a/libiberty/simple-object-elf.c +++ b/libiberty/simple-object-elf.c @@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char header[SIMPLE_OBJECT_MATCH_HEADER_LEN], XDELETE (eor); return NULL; } - + + if (eor->shstrndx == 0) + { + *errmsg = "invalid ELF shstrndx == 0"; + *err = 0; + XDELETE (eor); + return NULL; + } + return (void *) eor; } -- 2.19.1
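Review bot: The new check at the end of simple_object_elf_match rejects only `eor->shstrndx == 0`, and it does so at match time, so any ELF file whose header carries e_shstrndx == 0 (SHN_UNDEF, the value the ELF specification uses when the file has no section name string table) now fails to open through this path. Consider whether the rejection belongs here or at the sites that compute `(eor->shstrndx - 1)`, and add a short comment above the check explaining why zero is refused. The hunk shows no upper bound on shstrndx against the section count, so it is worth confirming that an index past the end of the section table is caught elsewhere. Two smaller points: the hunk removes a blank line and re-adds one (the lone `-` followed by a lone `+`, and another lone `+` after the closing brace), which looks like whitespace-only churn that may introduce trailing whitespace; and `*err = 0` next to a fixed message should be checked against how the other error returns in this function report a failure that has no errno.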