This is the mail archive of the elfutils-devel@sourceware.org mailing list for the elfutils project.



Re: [PATCH] nm: Check for malloc size argument overflow in show_symbols.


On Mon, 2016-03-21 at 16:03 +0100, Mark Wielaard wrote:
> +  if (nentries > SIZE_MAX / sizeof (GElf_SymX))
> +    error (0, 0,

Oops. We don't just want to print a warning here. We want to report an
EXIT_FAILURE on error. Fixed patch attached.

From 911f11a0054264ffbfae8f8e400aea52b8d1d620 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mjw@redhat.com>
Date: Mon, 21 Mar 2016 16:01:02 +0100
Subject: [PATCH] nm: Check for malloc size argument overflow in show_symbols.

Reported-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 src/ChangeLog | 4 ++++
 src/nm.c      | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/src/ChangeLog b/src/ChangeLog
index fb9c776..f74b5dc 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2016-03-21  Mark Wielaard  <mjw@redhat.com>
+
+	* nm.c (show_symbols): Check for malloc size argument overflow.
+
 2016-02-13  Mark Wielaard  <mjw@redhat.com>
 
 	* readelf.c (print_scngrp): Call error when gelf_getshdr fails.
diff --git a/src/nm.c b/src/nm.c
index 2911afa..010469d 100644
--- a/src/nm.c
+++ b/src/nm.c
@@ -1311,6 +1311,11 @@ show_symbols (int fd, Ebl *ebl, GElf_Ehdr *ehdr,
      XXX We can use a dirty trick here.  Since GElf_Sym == Elf64_Sym we
      can use the data memory instead of copying again if what we read
      is a 64 bit file.  */
+  if (nentries > SIZE_MAX / sizeof (GElf_SymX))
+    error (EXIT_FAILURE, 0,
+          gettext ("%s: entries (%zd) in section %zd `%s' is too large"),
+          fullname, nentries, elf_ndxscn (scn),
+          elf_strptr (ebl->elf, shstrndx, shdr->sh_name));
   GElf_SymX *sym_mem;
   if (nentries * sizeof (GElf_SymX) < MAX_STACK_ALLOC)
     sym_mem = (GElf_SymX *) alloca (nentries * sizeof (GElf_SymX));
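Review bot: the format string in the added error () call prints nentries and elf_ndxscn (scn) with %zd, but elf_ndxscn returns size_t and nentries is being compared against SIZE_MAX as an unsigned count, so %zu is the matching conversion; with %zd a value above SSIZE_MAX would be shown as negative in the one message meant to report an oversized count. The last argument, elf_strptr (ebl->elf, shstrndx, shdr->sh_name), goes straight to %s, and elf_strptr returns NULL when the string index is invalid, which a malformed file that reaches this check could also have; substituting a fixed placeholder string for a NULL result would keep the error path itself well defined. The check is correctly placed ahead of the nentries * sizeof (GElf_SymX) multiplication in the unchanged context lines, since that product is what would wrap.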
-- 
1.8.3.1

