Commit e9529d9b authored by Guillem Jover

nlist: Check that e_shnum and e_shentsize are within bounds

The e_shnum must not be 0, otherwise we will do a zero sized allocation
and further processing of the executable will lead to out of bounds
read/write accesses. The e_shentsize must be equal to sizeof(Elf_Shdr),
otherwise we will perform out of bounds read accesses on the shdr array.

Reported-by: Daniel Hodson <>
Based-on-patch-by: Daniel Hodson <>
Signed-off-by: Guillem Jover <>
parent 3aaedb12
......@@ -141,6 +141,12 @@ __fdnlist(int fd, struct nlist *list)
fstat(fd, &st) < 0)
return (-1);
if (ehdr.e_shnum == 0 ||
ehdr.e_shentsize != sizeof(Elf_Shdr)) {
errno = ERANGE;
return (-1);
/* calculate section header table size */
shdr_size = ehdr.e_shentsize * ehdr.e_shnum;
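Review bot: The new check in __fdnlist() carries no comment, and the e_shnum == 0 arm needs one. In ELF, e_shnum is also 0 when the real section count is stored in the sh_size field of section header 0 (extended numbering), so this test rejects such files with ERANGE along with malformed ones. A short comment above the if, stating that a zero count is refused because it would cause a zero-sized allocation and that extended numbering is not supported here, would make that intent explicit. With e_shentsize pinned to sizeof(Elf_Shdr), the shdr_size product on the following line is bounded by the 16-bit e_shnum. Whether the resulting table fits inside the file described by st is not visible in this hunk and is worth confirming in the lines that follow.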
