-rw-r--r--libelf/ChangeLog5
-rw-r--r--libelf/elf_begin.c8
2 files changed, 9 insertions, 4 deletions
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index fd2fc53e..772eb52d 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-04 Mark Wielaard <[email protected]>
+
+ * elf_begin.c (get_shnum): Check alignment of Shdr, not Ehdr before
+ direct access.
+
2015-06-02 Mark Wielaard <[email protected]>
* elf_begin.c (file_read_elf): Split checks for ehdr and shdr
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index e2e3b6b4..f002ebf0 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -151,8 +151,8 @@ get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA
&& (ALLOW_UNALIGNED
- || (((size_t) ((char *) map_address + offset))
- & (__alignof__ (Elf32_Ehdr) - 1)) == 0))
+ || (((size_t) ((char *) map_address + ehdr.e32->e_shoff))
+ & (__alignof__ (Elf32_Shdr) - 1)) == 0))
/* We can directly access the memory. */
result = ((Elf32_Shdr *) ((char *) map_address + ehdr.e32->e_shoff
+ offset))->sh_size;
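Review bot: The new alignment test is computed on a different address than the one that is then dereferenced: the check masks `map_address + ehdr.e32->e_shoff`, while the direct access two lines below reads through `map_address + ehdr.e32->e_shoff + offset`. When `offset` is not a multiple of `__alignof__ (Elf32_Shdr)`, the check can pass and the `sh_size` load is still misaligned, which is what the check exists to prevent on targets where ALLOW_UNALIGNED is false. The checked expression should include the same `offset` term as the access, `|| (((size_t) ((char *) map_address + ehdr.e32->e_shoff + offset))` followed by `& (__alignof__ (Elf32_Shdr) - 1)) == 0))`; the 64-bit hunk at line 201 has the identical mismatch with `ehdr.e64->e_shoff` and `Elf64_Shdr`. Whether `e_shoff` itself has already been bounds-checked against the mapping size before this point is not visible in either hunk; get_shnum's body starts and continues outside them.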
@@ -201,8 +201,8 @@ get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
Elf64_Xword size;
if (likely (map_address != NULL) && e_ident[EI_DATA] == MY_ELFDATA
&& (ALLOW_UNALIGNED
- || (((size_t) ((char *) map_address + offset))
- & (__alignof__ (Elf64_Ehdr) - 1)) == 0))
+ || (((size_t) ((char *) map_address + ehdr.e64->e_shoff))
+ & (__alignof__ (Elf64_Shdr) - 1)) == 0))
/* We can directly access the memory. */
size = ((Elf64_Shdr *) ((char *) map_address + ehdr.e64->e_shoff
+ offset))->sh_size;