blob: 5644e50cc115001ee819846b2741ebe5778a5d77 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
From c6d0076c924891ad9948a62d89d0bcdaf965f0cd Mon Sep 17 00:00:00 2001
From: pancake <pancake@nopcode.org>
Date: Wed, 25 Oct 2017 18:00:11 +0200
Subject: [PATCH] Fix #8731 - Crash in ELF parser with negative 32bit number
---
libr/bin/format/elf/elf.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libr/bin/format/elf/elf.c b/libr/bin/format/elf/elf.c
index 90f6acd30..e3c852fd3 100644
--- a/libr/bin/format/elf/elf.c
+++ b/libr/bin/format/elf/elf.c
@@ -900,7 +900,11 @@ static Sdb *store_versioninfo_gnu_verneed(ELFOBJ *bin, Elf_(Shdr) *shdr, int sz)
free (s);
}
sdb_num_set (sdb_version, "cnt", entry->vn_cnt, 0);
- vstart += entry->vn_aux;
+ st32 vnaux = entry->vn_aux;
+ if (vnaux < 1) {
+ goto beach;
+ }
+ vstart += vnaux;
for (j = 0, isum = i + entry->vn_aux; j < entry->vn_cnt && vstart + sizeof (Elf_(Vernaux)) <= end; ++j) {
int k;
Elf_(Vernaux) * aux = NULL;
--
2.14.3
|
