From a6e46f4d2a0956ad0a1a92dddf68ddeaab243bc5 Mon Sep 17 00:00:00 2001
From: pancake
Date: Fri, 3 Jun 2011 11:16:08 +0200
Subject: [PATCH] * Fix some out of range index accesses in elf parsing
- Thanks Ripe for reporting
---
 libr/bin/format/elf/elf.c | 16 ++++++++++++++--
 libr/socket/socket.c | 6 +++---
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/libr/bin/format/elf/elf.c b/libr/bin/format/elf/elf.c
index c1df074d24..81b6d8c62c 100644
--- a/libr/bin/format/elf/elf.c
+++ b/libr/bin/format/elf/elf.c
@@ -1,5 +1,5 @@
-/* radare - LGPL - Copyright 2008-2011 nibble<.ds@gmail.com> */
-
+/* radare - LGPL - Copyright 2008-2011 nibble<.ds@gmail.com>, pancake */
+// TODO: review the rest of strtab index out of range
 #include
 #include
 #include
@@ -553,6 +553,10 @@ struct r_bin_elf_reloc_t* Elf_(r_bin_elf_get_relocs)(struct Elf_(r_bin_elf_obj_t
 }
 }
 for (i = 0; i < bin->ehdr.e_shnum; i++) {
+ if (bin->shdr[i].sh_name > strtab_section->sh_size) {
+ perror ("Invalid shdr index in strtab\n");
+ continue;
+ }
 if (!strcmp (&bin->strtab[bin->shdr[i].sh_name], ".rel.plt"))
 tsize = sizeof (Elf_(Rel));
 else if (!strcmp (&bin->strtab[bin->shdr[i].sh_name], ".rela.plt"))
@@ -584,6 +588,10 @@ struct r_bin_elf_reloc_t* Elf_(r_bin_elf_get_relocs)(struct Elf_(r_bin_elf_obj_t
 for (j = 0; j < nrel; j++) {
 idx = ELF_R_SYM (rel[j].r_info);
 if (idx < nsym) {
+ if (sym[idx].st_name > strtab_section->sh_size) {
+ perror ("Invalid shdr index in symbol\n");
+ continue;
+ }
 len = __strnlen (&strtab[sym[idx].st_name], ELF_STRING_LENGTH-1);
 memcpy (ret[j].name, &strtab[sym[idx].st_name], len);
 } else strncpy (ret[j].name, "unknown", ELF_STRING_LENGTH);
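Review bot: The guard added before the strcmp calls in r_bin_elf_get_relocs (a function that begins and ends outside this hunk) still lets `sh_name == strtab_section->sh_size` through, because `>` rejects only offsets strictly beyond the table while that offset is already one past its end; the same `>` test is used on `sym[idx].st_name` in the next hunk and on `sym[k].st_name` in the r_bin_elf_get_symbols hunk. Even an in-range offset does not guarantee a NUL before `sh_size`, so the unbounded strcmp on the following line can still read past the table on a crafted file. A check that also requires a terminator inside the table closes both gaps: `if (bin->shdr[i].sh_name >= strtab_section->sh_size || !memchr (&bin->strtab[bin->shdr[i].sh_name], 0, strtab_section->sh_size - bin->shdr[i].sh_name)) {`. `perror` appends strerror(errno) from whatever call last failed, which is unrelated here, and the message already carries its own newline, so `fprintf (stderr, "Invalid shdr index in strtab\n");` would read cleaner. Note too that `sh_name` is an offset into the section-name string table, so if `strtab_section` (assigned outside this hunk) refers to a different section, its `sh_size` is not the right bound for this loop.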
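Review bot: `continue` inside the `if (idx < nsym)` branch also bypasses the `else strncpy (ret[j].name, "unknown", …)` fallback, so `ret[j].name` for a rejected symbol keeps whatever the allocation held unless `ret` was zeroed earlier in the function, which this hunk does not show. The `__strnlen` bound on the next line stays at `ELF_STRING_LENGTH-1` no matter how close `st_name` is to the end of the table, so a name that is not NUL-terminated before `sh_size` is still read past the section; the same applies to the `__strnlen` in the r_bin_elf_get_symbols hunk below. Deriving the bound from the remaining bytes keeps the read inside the table: `size_t left = strtab_section->sh_size - sym[idx].st_name;` followed by `len = __strnlen (&strtab[sym[idx].st_name], left < ELF_STRING_LENGTH-1 ? left : ELF_STRING_LENGTH-1);`. The message `"Invalid shdr index in symbol\n"` is copied from the section loop and names the wrong table; `"Invalid strtab index in symbol"` describes the condition. r_bin_elf_get_relocs continues past the end of this hunk.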
@@ -751,6 +759,10 @@ struct r_bin_elf_symbol_t* Elf_(r_bin_elf_get_symbols)(struct Elf_(r_bin_elf_obj
 }
 ret[ret_ctr].offset = (toffset >= bin->baddr ? toffset -= bin->baddr : toffset);
 ret[ret_ctr].size = tsize;
+ if (sym[k].st_name > strtab_section->sh_size) {
+ perror ("index out of strtab range\n");
+ return NULL;
+ }
 len = __strnlen (&strtab[sym[k].st_name], ELF_STRING_LENGTH-1);
 memcpy (ret[ret_ctr].name, &strtab[sym[k].st_name], len);
 ret[ret_ctr].ordinal = k;
diff --git a/libr/socket/socket.c b/libr/socket/socket.c
index f05aa3b3dc..da52130651 100644
--- a/libr/socket/socket.c
+++ b/libr/socket/socket.c
@@ -110,7 +110,7 @@ R_API int r_socket_connect (RSocket *s, const char *host, const char *port, int
 #endif
 if (proto != R_SOCKET_PROTO_UNIX) {
- memset(&hints, 0, sizeof(struct addrinfo));
+ memset (&hints, 0, sizeof (struct addrinfo));
 hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */
 hints.ai_protocol = proto;
 gai = getaddrinfo (host, port, &hints, &res);
@@ -192,9 +192,9 @@ R_API int r_socket_listen (RSocket *s, const char *port, const char *certfile) {
 linger.l_onoff = 1;
 linger.l_linger = 1;
 setsockopt (s->fd, SOL_SOCKET, SO_LINGER, (const char *)&linger, sizeof (linger));
- memset (&sa, 0, sizeof(sa));
+ memset (&sa, 0, sizeof (sa));
 sa.sin_family = AF_INET;
- sa.sin_addr.s_addr = htonl(INADDR_ANY);
+ sa.sin_addr.s_addr = htonl (INADDR_ANY);
 sa.sin_port = htons (atoi (port));
 if (bind (s->fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
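Review bot: `return NULL` on a bad `st_name` in r_bin_elf_get_symbols throws away every symbol already stored in `ret` and, if `ret` was heap-allocated earlier in the function as the `ret[ret_ctr]` stores suggest, leaks it on the way out. The relocs hunks in this same commit skip the offending entry with `continue` instead, which is the more robust reaction to a single malformed symbol in an otherwise parseable file; doing the same here would require `ret_ctr` not to be advanced for the rejected entry, and that increment is not visible in the hunk. As with the other guards, `perror` tacks an unrelated strerror(errno) onto a message that already ends in a newline, so `fprintf (stderr, "index out of strtab range\n");` is the better fit. The enclosing loop and function begin and end outside this hunk.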