fixed handling of out-of-bounds elf header indices
sebastianbiallas committed Feb 1, 2015
1 parent c80fd14 commit 5da009d
Showing 2 changed files with 14 additions and 8 deletions.
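--- a/analyser/elf_analy.cc
+++ b/analyser/elf_analy.cc
@@ -224,7 +224,9 @@ void ElfAnalyser::initInsertSymbols(int shidx)
 char elf_buffer[1024];
 if (elf_shared->ident.e_ident[ELF_EI_CLASS] == ELFCLASS32) {
 FileOfs h = elf_shared->sheaders.sheaders32[shidx].sh_offset;
-FileOfs sto = elf_shared->sheaders.sheaders32[elf_shared->sheaders.sheaders32[shidx].sh_link].sh_offset;
+uint idx = elf_shared->sheaders.sheaders32[shidx].sh_link;
+if (idx >= elf_shared->sheaders.count) return;
+FileOfs sto = elf_shared->sheaders.sheaders32[idx].sh_offset;
 uint symnum = elf_shared->sheaders.sheaders32[shidx].sh_size / sizeof (ELF_SYMBOL32);
 
 int *entropy = random_permutation(symnum);
@@ -328,7 +330,9 @@ void ElfAnalyser::initInsertSymbols(int shidx)
 } else {
 // FIXME: 64 bit
 FileOfs h = elf_shared->sheaders.sheaders64[shidx].sh_offset;
-FileOfs sto = elf_shared->sheaders.sheaders64[elf_shared->sheaders.sheaders64[shidx].sh_link].sh_offset;
+uint idx = elf_shared->sheaders.sheaders64[shidx].sh_link;
+if (idx >= elf_shared->sheaders.count) return;
+FileOfs sto = elf_shared->sheaders.sheaders64[idx].sh_offset;
 uint symnum = elf_shared->sheaders.sheaders64[shidx].sh_size / sizeof (ELF_SYMBOL64);
 
 int *entropy = random_permutation(symnum);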
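Review bot: `sh_size` is still trusted on the line right after each new `sh_link` guard: in both the 32-bit and 64-bit branch `symnum` is derived from it and passed straight to `random_permutation(symnum)`, so a malformed section header can still dictate the size of that permutation and, presumably, of the symbol loop that follows. In the 64-bit branch the quotient is also stored in a `uint`, which would truncate if `sh_size` is a 64-bit field. I would reject the section when `sh_offset + sh_size` does not lie within the file before computing `symnum`, and put a short comment on each guard such as `// sh_link comes from the file: reject indices past the section header table`. The body of `initInsertSymbols` starts before and continues after both hunks, so how `symnum` and `sto` are consumed is not visible here.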
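--- a/htelfsym.cc
+++ b/htelfsym.cc
@@ -73,19 +73,21 @@ static ht_view *htelfsymboltable_init(Bounds *b, File *file, ht_format_group *gr
 FileOfs h = elf32 ? elf_shared->sheaders.sheaders32[symtab_shidx].sh_offset : elf_shared->sheaders.sheaders64[symtab_shidx].sh_offset;
 
 /* associated string table offset (from sh_link) */
-FileOfs sto = elf32 ?
-elf_shared->sheaders.sheaders32[elf_shared->sheaders.sheaders32[symtab_shidx].sh_link].sh_offset :
-elf_shared->sheaders.sheaders64[elf_shared->sheaders.sheaders64[symtab_shidx].sh_link].sh_offset;
-
+FileOfs sto;
 String symtab_name("?");
-if (elf32)
-{
+if (elf32) {
+uint idx = elf_shared->sheaders.sheaders32[symtab_shidx].sh_link;
+if (idx >= elf_shared->sheaders.count) return NULL;
+sto = elf_shared->sheaders.sheaders32[idx].sh_offset;
 if (isValidELFSectionIdx(elf_shared, elf_shared->header32.e_shstrndx)) {
 file->seek(elf_shared->sheaders.sheaders32[elf_shared->header32.e_shstrndx].sh_offset
 + elf_shared->sheaders.sheaders32[symtab_shidx].sh_name);
 file->readStringz(symtab_name);
 }
 } else {
+uint idx = elf_shared->sheaders.sheaders64[symtab_shidx].sh_link;
+if (idx >= elf_shared->sheaders.count) return NULL;
+sto = elf_shared->sheaders.sheaders64[idx].sh_offset;
 if (isValidELFSectionIdx(elf_shared, elf_shared->header64.e_shstrndx)) {
 file->seek(elf_shared->sheaders.sheaders64[elf_shared->header64.e_shstrndx].sh_offset
 + elf_shared->sheaders.sheaders64[symtab_shidx].sh_name);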
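Review bot: The two added `sh_link` guards open-code `idx >= elf_shared->sheaders.count`, while the `e_shstrndx` lookups a few lines below in the same hunk go through `isValidELFSectionIdx(elf_shared, ...)`; writing them as `if (!isValidELFSectionIdx(elf_shared, idx)) return NULL;` would keep a single definition of a valid section index, provided the helper enforces at least this bound (its body is not on this page). The guards added in analyser/elf_analy.cc could use it as well if it is reachable from there. `symtab_shidx` is still used as an index throughout this hunk without a visible check, and the new `return NULL` exits assume nothing acquired earlier in `htelfsymboltable_init` needs releasing; both depend on code outside the hunk.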
