Fix big allocation issue found by googlefuzz in ELF ##bin

2024-10-08 11:23:27 +00:00 · 2018-10-30 05:53:27 +01:00 · 2018-10-30 05:53:27 +01:00 · 9f8158b803
commit 9f8158b803
parent a96d85e0a8
2 changed files with 8 additions and 8 deletions
--- a/libr/bin/format/elf/elf.c
+++ b/libr/bin/format/elf/elf.c
@ -1846,7 +1846,7 @@ ut64 Elf_(r_bin_elf_get_main_offset)(ELFOBJ *bin) {
 	return UT64_MAX;
 }

-int Elf_(r_bin_elf_get_stripped)(ELFOBJ *bin) {
+bool Elf_(r_bin_elf_get_stripped)(ELFOBJ *bin) {
 	int i;
 	if (!bin->shdr) {
 		return false;
@ -1866,20 +1866,20 @@ char *Elf_(r_bin_elf_intrp)(ELFOBJ *bin) {
 	}
 	for (i = 0; i < bin->ehdr.e_phnum; i++) {
 		if (bin->phdr[i].p_type == PT_INTERP) {
-			char *str = NULL;
 			ut64 addr = bin->phdr[i].p_offset;
-			int sz = bin->phdr[i].p_memsz;
+			int sz = bin->phdr[i].p_filesz;
 			sdb_num_set (bin->kv, "elf_header.intrp_addr", addr, 0);
 			sdb_num_set (bin->kv, "elf_header.intrp_size", sz, 0);
-			if (sz < 1) {
+			if (sz < 1 || sz > r_buf_size (bin->b)) {
 				return NULL;
 			}
-			str = malloc (sz + 1);
+			char *str = malloc (sz + 1);
 			if (!str) {
 				return NULL;
 			}
 			if (r_buf_read_at (bin->b, addr, (ut8*)str, sz) < 1) {
 				bprintf ("Warning: read (main)\n");
+				free (str);
 				return 0;
 			}
 			str[sz] = 0;
@ -1890,7 +1890,7 @@ char *Elf_(r_bin_elf_intrp)(ELFOBJ *bin) {
 	return NULL;
 }

-int Elf_(r_bin_elf_get_static)(ELFOBJ *bin) {
+bool Elf_(r_bin_elf_get_static)(ELFOBJ *bin) {
 	int i;
 	if (!bin->phdr) {
 		return false;
--- a/libr/bin/format/elf/elf.h
+++ b/libr/bin/format/elf/elf.h
@ -132,8 +132,8 @@ ut64 Elf_(r_bin_elf_get_main_offset)(struct Elf_(r_bin_elf_obj_t) *bin);
 ut64 Elf_(r_bin_elf_get_init_offset)(struct Elf_(r_bin_elf_obj_t) *bin);
 ut64 Elf_(r_bin_elf_get_fini_offset)(struct Elf_(r_bin_elf_obj_t) *bin);
 char *Elf_(r_bin_elf_intrp)(struct Elf_(r_bin_elf_obj_t) *bin);
-int Elf_(r_bin_elf_get_stripped)(struct Elf_(r_bin_elf_obj_t) *bin);
-int Elf_(r_bin_elf_get_static)(struct Elf_(r_bin_elf_obj_t) *bin);
+bool Elf_(r_bin_elf_get_stripped)(struct Elf_(r_bin_elf_obj_t) *bin);
+bool Elf_(r_bin_elf_get_static)(struct Elf_(r_bin_elf_obj_t) *bin);
 char* Elf_(r_bin_elf_get_data_encoding)(struct Elf_(r_bin_elf_obj_t) *bin);
 char* Elf_(r_bin_elf_get_arch)(struct Elf_(r_bin_elf_obj_t) *bin);
 char* Elf_(r_bin_elf_get_machine_name)(struct Elf_(r_bin_elf_obj_t) *bin);