From 436275edd015ab6a6f8e164ee2292f74f03d2413 Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Mon, 17 Nov 2014 00:33:36 +0100
Subject: libelf: Fix handling of (extended) phnum.
If there is no e_phoff e_phnum cannot be trusted. Extended phnum can only be gotten if we have an actual section table and a shdr for section zero, Extended phnum can be too large to fit in the file (or a size_t).
Signed-off-by: Mark Wielaard
---
 libelf/elf32_getphdr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'libelf/elf32_getphdr.c')
diff --git a/libelf/elf32_getphdr.c b/libelf/elf32_getphdr.c
index e74e63fd..1b82a480 100644
--- a/libelf/elf32_getphdr.c
+++ b/libelf/elf32_getphdr.c
@@ -76,15 +76,17 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
 size_t phnum;
 if (__elf_getphdrnum_rdlock (elf, &phnum) != 0)
 goto out;
- if (phnum == 0)
+ if (phnum == 0 || ehdr->e_phoff == 0)
 {
 __libelf_seterrno (ELF_E_NO_PHDR);
 goto out;
 }
+ /* Check this doesn't overflow. */
 size_t size = phnum * sizeof (ElfW2(LIBELFBITS,Phdr));
- if (ehdr->e_phoff > elf->maximum_size
+ if (phnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))
+ || ehdr->e_phoff > elf->maximum_size
 || elf->maximum_size - ehdr->e_phoff < size)
 {
 __libelf_seterrno (ELF_E_INVALID_DATA);
-- cgit v1.2.3
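Review bot: The new `phnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))` guard is evaluated only after `size_t size = phnum * sizeof (...)` has already been computed, so for an oversized phnum `size` briefly holds a wrapped product; unsigned wrap is defined and the `||` short-circuits before `size` is read, so this is a point of style rather than a defect, but the added `/* Check this doesn't overflow. */` comment now sits above the multiplication instead of above the check it describes. Reordering so the overflow test comes first and `size` is computed only afterwards keeps the comment next to its check and makes the no-wrap precondition visible at the point of the multiplication; the ELF_E_INVALID_DATA error and `goto out` are the ones the hunk already uses. The enclosing `__elfw2(LIBELFBITS,getphdr_wrlock)` starts before this hunk and continues after it, and the commit message's extended-phnum/section-zero handling lives in `__elf_getphdrnum_rdlock`, outside this file section.
```c
      /* Check this doesn't overflow.  */
      if (phnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr)))
	{
	  __libelf_seterrno (ELF_E_INVALID_DATA);
	  goto out;
	}
      size_t size = phnum * sizeof (ElfW2(LIBELFBITS,Phdr));
      if (ehdr->e_phoff > elf->maximum_size
	  || elf->maximum_size - ehdr->e_phoff < size)
	/* … unchanged: ELF_E_INVALID_DATA block … */
```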