1 files changed, 37 insertions, 7 deletions

diff --git a/libelf/elf_getshdrstrndx.c b/libelf/elf_getshdrstrndx.c
index 57ad8005..1dbed4c8 100644
--- a/libelf/elf_getshdrstrndx.c
+++ b/libelf/elf_getshdrstrndx.c
@@ -1,5 +1,5 @@
 /* Return section index of section header string table.
-   Copyright (C) 2002, 2005, 2009 Red Hat, Inc.
+   Copyright (C) 2002, 2005, 2009, 2014 Red Hat, Inc.
    This file is part of elfutils.
    Written by Ulrich Drepper <[email protected]>, 2002.
 
@@ -104,10 +104,25 @@ elf_getshdrstrndx (elf, dst)
 	      if (elf->map_address != NULL
 		  && elf->state.elf32.ehdr->e_ident[EI_DATA] == MY_ELFDATA
 		  && (ALLOW_UNALIGNED
-		      || (((size_t) ((char *) elf->map_address + offset))
+		      || (((size_t) ((char *) elf->map_address
+			   + elf->start_offset + offset))
 			  & (__alignof__ (Elf32_Shdr) - 1)) == 0))
-		/* We can directly access the memory.  */
-		num = ((Elf32_Shdr *) (elf->map_address + offset))->sh_link;
+		{
+		  /* First see whether the information in the ELF header is
+		     valid and it does not ask for too much.  */
+		  if (unlikely (elf->maximum_size - offset
+				< sizeof (Elf32_Shdr)))
+		    {
+		      /* Something is wrong.  */
+		      __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
+		      result = -1;
+		      goto out;
+		    }
+
+		  /* We can directly access the memory.  */
+		  num = ((Elf32_Shdr *) (elf->map_address + elf->start_offset
+					 + offset))->sh_link;
+		}
 	      else
 		{
 		  /* We avoid reading in all the section headers.  Just read
@@ -142,10 +157,25 @@ elf_getshdrstrndx (elf, dst)
 	      if (elf->map_address != NULL
 		  && elf->state.elf64.ehdr->e_ident[EI_DATA] == MY_ELFDATA
 		  && (ALLOW_UNALIGNED
-		      || (((size_t) ((char *) elf->map_address + offset))
+		      || (((size_t) ((char *) elf->map_address
+			   + elf->start_offset + offset))
 			  & (__alignof__ (Elf64_Shdr) - 1)) == 0))
-		/* We can directly access the memory.  */
-		num = ((Elf64_Shdr *) (elf->map_address + offset))->sh_link;
+		{
+		  /* First see whether the information in the ELF header is
+		     valid and it does not ask for too much.  */
+		  if (unlikely (elf->maximum_size - offset
+				< sizeof (Elf64_Shdr)))
+		    {
+		      /* Something is wrong.  */
+		      __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
+		      result = -1;
+		      goto out;
+		    }
+
+		  /* We can directly access the memory.  */
+		  num = ((Elf64_Shdr *) (elf->map_address + elf->start_offset
+					 + offset))->sh_link;
+		}
 	      else
 		{
 		  /* We avoid reading in all the section headers.  Just read