From 5ec1fc894901d8e76a290c5ac5cb5d2caaa0b490 Mon Sep 17 00:00:00 2001
From: Serge Lamikhov-Center
Date: Wed, 25 Feb 2015 00:57:51 +0200
Subject: [PATCH] Prevent a crash when working with MN10300 ELF file
---
 elfio/elfio_dump.hpp | 9 +++++----
 elfio/elfio_note.hpp | 7 ++++++-
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/elfio/elfio_dump.hpp b/elfio/elfio_dump.hpp
index 2e1e254..ec81ab4 100644
--- a/elfio/elfio_dump.hpp
+++ b/elfio/elfio_dump.hpp
@@ -686,10 +686,11 @@ class dump
 void* desc;
 Elf_Word descsz;
- notes.get_note( j, type, name, desc, descsz );
- // 'name' usually contains \0 at the end. Try to fix it
- name = name.c_str();
- note( out, j, type, name );
+ if ( notes.get_note(j, type, name, desc, descsz) ) {
+ // 'name' usually contains \0 at the end. Try to fix it
+ name = name.c_str();
+ note( out, j, type, name );
+ }
 }
 out << std::endl;
diff --git a/elfio/elfio_note.hpp b/elfio/elfio_note.hpp
index 083bf2e..c349b38 100644
--- a/elfio/elfio_note.hpp
+++ b/elfio/elfio_note.hpp
@@ -60,8 +60,13 @@ class note_section_accessor
 const endianess_convertor& convertor = elf_file.get_convertor();
 type = convertor( *(Elf_Word*)( pData + 2*sizeof( Elf_Word ) ) );
 Elf_Word namesz = convertor( *(Elf_Word*)( pData ) );
- name.assign( pData + 3*sizeof( Elf_Word ), namesz );
 descSize = convertor( *(Elf_Word*)( pData + sizeof( namesz ) ) );
+ Elf_Word max_name_size = note_section->get_size() - note_start_positions[index];
+ if ( namesz > max_name_size ||
+ namesz + descSize > max_name_size ) {
+ return false;
+ }
+ name.assign( pData + 3 * sizeof( Elf_Word ), namesz );
 if ( 0 == descSize ) {
 desc = 0;
 }
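Review bot: When get_note returns false the loop body now drops the entry without telling the reader, so a dump of a file whose note table is malformed looks complete and well-formed; an `else` branch printing a one-line diagnostic, e.g. `else { out << "  [" << j << "] malformed note entry skipped" << std::endl; }`, would make the rejected entry visible to whoever is inspecting the file. Since `desc` and `descsz` are declared here but never used in this hunk, whatever get_note leaves in them on failure does not matter at this call site. The enclosing loop and the function it belongs to begin and end outside the hunk.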
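Review bot: The new bounds check in get_note does not subtract the 12-byte note header, so `name.assign( pData + 3 * sizeof( Elf_Word ), namesz )` can still read up to `3*sizeof(Elf_Word)` bytes past the section end when `namesz` equals `max_name_size`, and the three header reads on the context lines above it (type, namesz, descSize) happen before anything verifies that the header itself fits in the remaining bytes. `namesz + descSize` is also an Elf_Word sum, so a crafted pair that wraps past the unsigned range passes the comparison even though each field alone is far larger than the section. Both comparisons should be made against the bytes remaining after the header, in subtractive form so they cannot wrap, and the header-size check has to move above the reads. If the descriptor follows a padded name the padding must be accounted for too, and `avail` presumes `note_start_positions[index]` never exceeds the section size — the desc pointer arithmetic and the population of `note_start_positions` are outside this hunk, so I cannot confirm either. get_note's signature and its remaining body are also outside the hunk.
```cpp
        // … unchanged: convertor lookup …
        // Header is three Elf_Words (namesz, descsz, type); make sure it
        // fits in the section before any of them is read.
        const Elf_Word avail = note_section->get_size() - note_start_positions[index];
        const Elf_Word hdr   = 3 * sizeof( Elf_Word );
        if ( avail < hdr ) {
            return false;
        }
        type = convertor( *(Elf_Word*)( pData + 2*sizeof( Elf_Word ) ) );
        Elf_Word namesz = convertor( *(Elf_Word*)( pData ) );
        descSize = convertor( *(Elf_Word*)( pData + sizeof( namesz ) ) );
        // Subtractive form: each step is checked before the next subtraction,
        // so neither comparison can wrap around.
        if ( namesz > avail - hdr || descSize > avail - hdr - namesz ) {
            return false;
        }
        name.assign( pData + 3 * sizeof( Elf_Word ), namesz );
        // … unchanged: descriptor handling …
```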