Fix #8731 - Crash in ELF parser with negative 32bit number

radareorg · Oct 25, 2017 · c6d0076 · c6d0076
1 parent e9ac437
commit c6d0076
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/libr/bin/format/elf/elf.c b/libr/bin/format/elf/elf.c
@@ -900,7 +900,11 @@ static Sdb *store_versioninfo_gnu_verneed(ELFOBJ *bin, Elf_(Shdr) *shdr, int sz)
 			free (s);
 		}
 		sdb_num_set (sdb_version, "cnt", entry->vn_cnt, 0);
-		vstart += entry->vn_aux;
+		st32 vnaux = entry->vn_aux;
+		if (vnaux < 1) {
+			goto beach;
+		}
+		vstart += vnaux;
 		for (j = 0, isum = i + entry->vn_aux; j < entry->vn_cnt && vstart + sizeof (Elf_(Vernaux)) <= end; ++j) {
 			int k;
 			Elf_(Vernaux) * aux = NULL;