svn commit: r283260 - stable/10/usr.sbin/crunch/crunchide
Ed Maste
emaste at FreeBSD.org
Thu May 21 19:16:28 UTC 2015
Author: emaste
Date: Thu May 21 19:16:28 2015
New Revision: 283260
URL: https://svnweb.freebsd.org/changeset/base/283260
Log:
MFC r282144: crunchide: add basic string table sanity checks
Reported by: Coverity Scan
CID: 978805, 980919
Sponsored by: The FreeBSD Foundation
Modified:
stable/10/usr.sbin/crunch/crunchide/exec_elf32.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/usr.sbin/crunch/crunchide/exec_elf32.c
==============================================================================
--- stable/10/usr.sbin/crunch/crunchide/exec_elf32.c Thu May 21 19:05:47 2015 (r283259)
+++ stable/10/usr.sbin/crunch/crunchide/exec_elf32.c Thu May 21 19:16:28 2015 (r283260)
@@ -342,11 +342,14 @@ ELFNAMEEND(hide)(int fd, const char *fn)
*/
/* load section string table for debug use */
- if ((shstrtabp = xmalloc(xewtoh(shstrtabshdr->sh_size), fn,
- "section string table")) == NULL)
+ if ((size = xewtoh(shstrtabshdr->sh_size)) == 0)
+ goto bad;
+ if ((shstrtabp = xmalloc(size, fn, "section string table")) == NULL)
goto bad;
if ((size_t)xreadatoff(fd, shstrtabp, xewtoh(shstrtabshdr->sh_offset),
- xewtoh(shstrtabshdr->sh_size), fn) != xewtoh(shstrtabshdr->sh_size))
+ size, fn) != size)
+ goto bad;
+ if (shstrtabp[size - 1] != '\0')
goto bad;
/* we need symtab, strtab, and everything behind strtab */
@@ -367,7 +370,8 @@ ELFNAMEEND(hide)(int fd, const char *fn)
strtabidx = i;
if (layoutp[i].shdr == symtabshdr || i >= strtabidx) {
off = xewtoh(layoutp[i].shdr->sh_offset);
- size = xewtoh(layoutp[i].shdr->sh_size);
+ if ((size = xewtoh(layoutp[i].shdr->sh_size)) == 0)
+ goto bad;
layoutp[i].bufp = xmalloc(size, fn,
shstrtabp + xewtoh(layoutp[i].shdr->sh_name));
if (layoutp[i].bufp == NULL)
@@ -377,10 +381,13 @@ ELFNAMEEND(hide)(int fd, const char *fn)
goto bad;
/* set symbol table and string table */
- if (layoutp[i].shdr == symtabshdr)
+ if (layoutp[i].shdr == symtabshdr) {
symtabp = layoutp[i].bufp;
- else if (layoutp[i].shdr == strtabshdr)
+ } else if (layoutp[i].shdr == strtabshdr) {
strtabp = layoutp[i].bufp;
+ if (strtabp[size - 1] != '\0')
+ goto bad;
+ }
}
}
More information about the svn-src-stable
mailing list