authorMark Wielaard <mjw@redhat.com>2015-05-16 21:30:41 +0200
committerMark Wielaard <mjw@redhat.com>2015-05-27 23:04:31 +0200
commitbfb9a752c323b97bfcfb11f4f9dbf4ca25fe3c95 (patch)
tree933cb01b7ddedd67b62d76503a215f3d71f7607f /libelf
parent6f2e64a03bdf10d5b0ab730e58aedb8dfb76b6d8 (diff)
libelf: Fix possible unbounded stack usage in elf_getarsym.
The number of entries in the index can be large, don't use alloca to read in temporary data, use malloc (and free after out). Signed-off-by: Mark Wielaard <mjw@redhat.com>
Diffstat (limited to 'libelf')
-rw-r--r--libelf/ChangeLog5
-rw-r--r--libelf/elf_getarsym.c14
2 files changed, 17 insertions, 2 deletions
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index ed2ddd88..17ab7406 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-16 Mark Wielaard <mjw@redhat.com>
+
+ * elf_getarsym.c (elf_getarsym): Allocate temporary file_date with
+ malloc, not alloca. Call free after out.
+
2015-05-14 Mark Wielaard <mjw@redhat.com>
* elf_update.c (write_file): Use posix_fallocate instead of
diff --git a/libelf/elf_getarsym.c b/libelf/elf_getarsym.c
index 40633aa8..4f2080a8 100644
--- a/libelf/elf_getarsym.c
+++ b/libelf/elf_getarsym.c
@@ -1,5 +1,5 @@
/* Return symbol table of archive.
- Copyright (C) 1998-2000, 2002, 2005, 2009, 2012, 2014 Red Hat, Inc.
+ Copyright (C) 1998-2000, 2002, 2005, 2009, 2012, 2014, 2015 Red Hat, Inc.
This file is part of elfutils.
Written by Ulrich Drepper <drepper@redhat.com>, 1998.
@@ -106,6 +106,9 @@ elf_getarsym (elf, ptr)
/* In case we find no index remember this for the next call. */
elf->state.ar.ar_sym = (Elf_Arsym *) -1l;
+ /* We might have to allocate some temporary data for reading. */
+ void *temp_data = NULL;
+
struct ar_hdr *index_hdr;
if (elf->map_address == NULL)
{
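Review bot: The comment added with `temp_data` does not say who releases the buffer or which exits are safe. The pointer is only assigned in the `elf->map_address == NULL` branch and is freed at the `out:` label, so the comment could spell that out, for example `/* Heap buffer for the index when the archive is not mmapped; freed at out, so every exit below must go through out.  */`. elf_getarsym starts and ends outside this hunk.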
@@ -210,7 +213,13 @@ elf_getarsym (elf, ptr)
if (elf->map_address == NULL)
{
- file_data = alloca (sz);
+ temp_data = malloc (sz);
+ if (unlikely (temp_data == NULL))
+ {
+ __libelf_seterrno (ELF_E_NOMEM);
+ goto out;
+ }
+ file_data = temp_data;
ar_sym_len += index_size - n * w;
Elf_Arsym *newp = (Elf_Arsym *) realloc (elf->state.ar.ar_sym,
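Review bot: In the new `temp_data == NULL` branch, `goto out` leaves `elf->state.ar.ar_sym` pointing at an array that has been allocated but not filled in; the `realloc (elf->state.ar.ar_sym, ...` right after it suggests the array already exists at this point. Nothing visible here resets it, so a later call to elf_getarsym could presumably treat that pointer as a cached, valid index. Releasing it before the jump would avoid that: `free (elf->state.ar.ar_sym); elf->state.ar.ar_sym = NULL;`. `sz` is computed outside this hunk from the archive's own index, so it is worth confirming there that it is bounded by the file size before it reaches `malloc`. The body of elf_getarsym continues beyond the hunk on both sides.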
@@ -299,6 +308,7 @@ elf_getarsym (elf, ptr)
result = elf->state.ar.ar_sym;
out:
+ free (temp_data);
rwlock_unlock (elf->lock);
}