author | emaste <emaste@FreeBSD.org> | 2015-04-28 13:04:51 +0000 |
---|---|---|
committer | emaste <emaste@FreeBSD.org> | 2015-04-28 13:04:51 +0000 |
commit | 6df58ba6b5913d4c4e87c386d0a84fafad089fad (patch) | |
tree | 377d5c73a5231001d8f3b9f747e0e0b5138124c1 /usr.sbin/crunch | |
parent | 163c8007e560274c6f7857dd80032de6224f15f6 (diff) | |
crunchide: add basic string table sanity checks
Reported by: Coverity Scan
CID: 978805, 980919
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'usr.sbin/crunch')
-rw-r--r-- | usr.sbin/crunch/crunchide/exec_elf32.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/usr.sbin/crunch/crunchide/exec_elf32.c b/usr.sbin/crunch/crunchide/exec_elf32.c
index ca802d8..61375ea 100644
--- a/usr.sbin/crunch/crunchide/exec_elf32.c
+++ b/usr.sbin/crunch/crunchide/exec_elf32.c
@@ -321,11 +321,14 @@ ELFNAMEEND(hide)(int fd, const char *fn)
 */
 /* load section string table for debug use */
- if ((shstrtabp = xmalloc(xewtoh(shstrtabshdr->sh_size), fn,
- "section string table")) == NULL)
+ if ((size = xewtoh(shstrtabshdr->sh_size)) == 0)
+ goto bad;
+ if ((shstrtabp = xmalloc(size, fn, "section string table")) == NULL)
 goto bad;
 if ((size_t)xreadatoff(fd, shstrtabp, xewtoh(shstrtabshdr->sh_offset),
- xewtoh(shstrtabshdr->sh_size), fn) != xewtoh(shstrtabshdr->sh_size))
+ size, fn) != size)
+ goto bad;
+ if (shstrtabp[size - 1] != '\0')
 goto bad;
 /* we need symtab, strtab, and everything behind strtab */
@@ -346,7 +349,8 @@ ELFNAMEEND(hide)(int fd, const char *fn)
 strtabidx = i;
 if (layoutp[i].shdr == symtabshdr || i >= strtabidx) {
 off = xewtoh(layoutp[i].shdr->sh_offset);
- size = xewtoh(layoutp[i].shdr->sh_size);
+ if ((size = xewtoh(layoutp[i].shdr->sh_size)) == 0)
+ goto bad;
 layoutp[i].bufp = xmalloc(size, fn, shstrtabp + xewtoh(layoutp[i].shdr->sh_name));
 if (layoutp[i].bufp == NULL)
@@ -356,10 +360,13 @@ ELFNAMEEND(hide)(int fd, const char *fn)
 goto bad;
 /* set symbol table and string table */
- if (layoutp[i].shdr == symtabshdr)
+ if (layoutp[i].shdr == symtabshdr) {
 symtabp = layoutp[i].bufp;
- else if (layoutp[i].shdr == strtabshdr)
+ } else if (layoutp[i].shdr == strtabshdr) {
 strtabp = layoutp[i].bufp;
+ if (strtabp[size - 1] != '\0')
+ goto bad;
+ }
 }
 } |
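Review bot: The new `shstrtabp[size - 1] != '\0'` test only guarantees that a string starting inside the table ends inside it; nothing yet checks that an offset into the table is below its length. The second hunk still passes `shstrtabp + xewtoh(layoutp[i].shdr->sh_name)` to xmalloc() as a name, and by then `size` has been reassigned to the section being loaded, so the table length is no longer available. Keeping it in its own variable here (called `shstrtabsize` in this sketch) and adding `if (xewtoh(layoutp[i].shdr->sh_name) >= shstrtabsize) goto bad;` before that call would stop a crafted sh_name from pointing past the buffer. Symbol-name offsets into `strtabp` (third hunk) presumably need the same bound where they are used, which is outside this diff. ELFNAMEEND(hide) starts and ends outside the hunk.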
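Review bot: The added `== 0` rejection applies to every section loaded at or after strtab, not only to the string table whose last byte is read in the third hunk. ELF allows zero-length sections, so an otherwise valid object with an empty section behind strtab would now be refused; whether xmalloc() and xreadatoff() cope with a zero length is not visible here, so the check may be intentional. If it is only there to protect `strtabp[size - 1]`, it could move into the strtab branch as `if (size == 0 || strtabp[size - 1] != '\0') goto bad;`. The enclosing loop begins and ends outside the hunk.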
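Review bot: `strtabp[size - 1]` depends on `size` still holding this section's length and on the nonzero check made in the previous hunk, several lines and one read call earlier; nothing at this line says so. A short comment would keep a later edit from separating the two, for example `/* size is this section's length and was checked nonzero when it was loaded */`. The loop body continues outside the hunk.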