5507 libelf may overflow data buffer when translating data to memory representation

@@ -25,22 +25,21 @@
  */
 
 /*      Copyright (c) 1988 AT&T */
 /*        All Rights Reserved   */
 
-#pragma ident   "%Z%%M% %I%     %E% SMI"
-
 /*
  * This stuff used to live in cook.c, but was moved out to
  * facilitate dual (Elf32 and Elf64) compilation.  See block
  * comment in cook.c for more info.
  */
 
 #include <string.h>
 #include <ar.h>
 #include <stdlib.h>
 #include <errno.h>
+#include <sys/sysmacros.h>
 #include "decl.h"
 #include "member.h"
 #include "msg.h"
 
 /*

@@ -175,11 +174,11 @@
         d->db_data.d_type = _elf_mtype(elf, sh->sh_type, work);
         d->db_data.d_buf = 0;
         d->db_data.d_off = 0;
         fsz = elf_fsize(d->db_data.d_type, 1, elf->ed_version);
         msz = _elf_msize(d->db_data.d_type, elf->ed_version);
-        d->db_data.d_size = (sh->sh_size / fsz) * msz;
+        d->db_data.d_size = MAX(sh->sh_size, (sh->sh_size / fsz) * msz);
         d->db_shsz = sh->sh_size;
         d->db_raw = 0;
         d->db_buf = 0;
         d->db_uflags = 0;
         d->db_myflags = 0;
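Review bot: The division `sh->sh_size / fsz` on the changed line is still unguarded; if elf_fsize() can return 0 for an unexpected type/version (it appears to signal errors that way in this library — please confirm), the divide-by-zero happens before the new MAX() is ever evaluated, so the section header should be rejected first, e.g. `if (fsz == 0) { /* treat as a corrupt/unsupported section and bail out */ }` using whatever error path the enclosing function already has (its start and end are outside this hunk). The MAX() itself deserves a why-comment, since the next reader will see a buffer deliberately sized larger than the translated element count and wonder: `/* Never size the memory buffer below sh_size: translating to memory representation can otherwise write past the end (bug 5507). */`. Note that MAX() from sys/sysmacros.h evaluates its arguments twice, which is harmless here because both operands are side-effect-free, but it would become a hazard if anyone later inlines a call into either operand.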