From 4628b0ea03a0d029cccbcda1cbfc450b4c5ad1bf Mon Sep 17 00:00:00 2001 From: Mark Wielaard Date: Wed, 1 May 2019 15:52:24 +0200 Subject: libelf: Add n_namesz offset overflow check to gelf_get_note. During fuzzing of the new xlate_notes testcase I noticed that gelf_get_note didn't check whether the n_namesz of a note was too big. This could lead to offset wrapping around. Causing an infinite loop going over all ELF notes. Fix by adding an overflow check before updating offset. Signed-off-by: Mark Wielaard --- libelf/gelf_getnote.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'libelf/gelf_getnote.c') diff --git a/libelf/gelf_getnote.c b/libelf/gelf_getnote.c index 6d33b355..0f7b9d68 100644 --- a/libelf/gelf_getnote.c +++ b/libelf/gelf_getnote.c @@ -80,11 +80,12 @@ gelf_getnote (Elf_Data *data, size_t offset, GElf_Nhdr *result, the offset, after adding the namesz, and include padding in descsz to get to the end. */ *name_offset = offset; - offset += n->n_namesz; - if (offset > data->d_size) + if (n->n_namesz > data->d_size + || offset > data->d_size - n->n_namesz) offset = 0; else { + offset += n->n_namesz; /* Include padding. Check below for overflow. */ GElf_Word descsz = (data->d_type == ELF_T_NHDR8 ? NOTE_ALIGN8 (n->n_descsz) -- cgit v1.2.3
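Review bot: The two-part condition in the hunk (`if (n->n_namesz > data->d_size || offset > data->d_size - n->n_namesz)`) is correct, but the role of the first comparison deserves a short comment: it is what keeps the unsigned subtraction `data->d_size - n->n_namesz` from wrapping, since with a huge n_namesz the subtraction would wrap to a large value and the second comparison alone would let the oversized note through. Consider adding a line such as `/* First test keeps d_size - n_namesz from wrapping.  */` above the check so the next reader does not "simplify" it back to a single comparison. Moving `offset += n->n_namesz;` into the else branch is the right fix for the infinite loop described in the commit message, since offset is no longer advanced once an overflow has been detected.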