5535 libelf should check for e_phoff overflow


 297 {
 298         NOTE(ASSUMING_PROTECTED(*elf))
 299         register size_t         fsz, msz;
 300         Elf_Data                dst, src;
 301         Ehdr *                  eh = elf->ed_ehdr;   /* must be present */
 302         unsigned                work;
 303 
 304         if (eh->e_phnum == 0)
 305                 return (0);
 306 
 307         fsz = elf_fsize(ELF_T_PHDR, 1, elf->ed_version);
 308         if (eh->e_phentsize != fsz) {
 309                 _elf_seterr(EFMT_PHDRSZ, 0);
 310                 return (-1);
 311         }
 312 
 313         fsz *= eh->e_phnum;
 314         ELFACCESSDATA(work, _elf_work)
 315         msz = _elf_msize(ELF_T_PHDR, work) * eh->e_phnum;
 316         if ((eh->e_phoff == 0) ||
 317             ((fsz + eh->e_phoff) > elf->ed_fsz)) {

 318                 _elf_seterr(EFMT_PHTAB, 0);
 319                 return (-1);
 320         }
 321 
 322         if (inplace && fsz >= msz && eh->e_phoff % sizeof (ElfField) == 0) {
 323                 elf->ed_phdr = (Elf_Void *)(elf->ed_ident + eh->e_phoff);
 324                 elf->ed_status = ES_COOKED;
 325         } else {
 326                 if ((elf->ed_phdr = malloc(msz)) == 0) {
 327                         _elf_seterr(EMEM_PHDR, errno);
 328                         return (-1);
 329                 }
 330                 elf->ed_myflags |= EDF_PHALLOC;
 331         }
 332         src.d_buf = (Elf_Void *)(elf->ed_ident + eh->e_phoff);
 333         src.d_type = ELF_T_PHDR;
 334         src.d_size = fsz;
 335         src.d_version = elf->ed_version;
 336         dst.d_buf = elf->ed_phdr;
 337         dst.d_size = msz;




 297 {
 298         NOTE(ASSUMING_PROTECTED(*elf))
 299         register size_t         fsz, msz;
 300         Elf_Data                dst, src;
 301         Ehdr *                  eh = elf->ed_ehdr;   /* must be present */
 302         unsigned                work;
 303 
 304         if (eh->e_phnum == 0)
 305                 return (0);
 306 
 307         fsz = elf_fsize(ELF_T_PHDR, 1, elf->ed_version);
 308         if (eh->e_phentsize != fsz) {
 309                 _elf_seterr(EFMT_PHDRSZ, 0);
 310                 return (-1);
 311         }
 312 
 313         fsz *= eh->e_phnum;
 314         ELFACCESSDATA(work, _elf_work)
 315         msz = _elf_msize(ELF_T_PHDR, work) * eh->e_phnum;
 316         if ((eh->e_phoff == 0) ||
 317             (elf->ed_fsz <= eh->e_phoff) ||
 318             (elf->ed_fsz - eh->e_phoff < fsz)) {
 319                 _elf_seterr(EFMT_PHTAB, 0);
 320                 return (-1);
 321         }
 322 
 323         if (inplace && fsz >= msz && eh->e_phoff % sizeof (ElfField) == 0) {
 324                 elf->ed_phdr = (Elf_Void *)(elf->ed_ident + eh->e_phoff);
 325                 elf->ed_status = ES_COOKED;
 326         } else {
 327                 if ((elf->ed_phdr = malloc(msz)) == 0) {
 328                         _elf_seterr(EMEM_PHDR, errno);
 329                         return (-1);
 330                 }
 331                 elf->ed_myflags |= EDF_PHALLOC;
 332         }
 333         src.d_buf = (Elf_Void *)(elf->ed_ident + eh->e_phoff);
 334         src.d_type = ELF_T_PHDR;
 335         src.d_size = fsz;
 336         src.d_version = elf->ed_version;
 337         dst.d_buf = elf->ed_phdr;
 338         dst.d_size = msz;
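Review bot: The rewritten bounds test at gutter lines 316-318 is correct but its shape is non-obvious, and nothing in the code says why `elf->ed_fsz <= eh->e_phoff` and `elf->ed_fsz - eh->e_phoff < fsz` are used instead of the natural `fsz + eh->e_phoff > elf->ed_fsz`; a reader may "simplify" it back. Add a comment above the condition, `/* Compare by subtraction: e_phoff + fsz can wrap for a hostile header, so never form the sum. */`. The remaining products `fsz *= eh->e_phnum` and the `msz` computation stay unchecked; if e_phnum is the usual 16-bit half-word that cannot overflow size_t, but a short note to that effect next to line 313 would record the assumption. The enclosing function starts and ends outside the listing, so later uses of `src`/`dst` could not be reviewed here.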