From 917d23fb2d6b6907f6dbfb2fa3e3da80523ea030 Mon Sep 17 00:00:00 2001
From: Christos Zoulas
Date: Tue, 16 Jun 2015 14:18:07 +0000
Subject: [PATCH] PR/460: Detect and avoid large (invalid) malloc in elf parser.
---
 src/readelf.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/readelf.c b/src/readelf.c
index 55009e80..bc6e7f6b 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -27,7 +27,7 @@
 #include "file.h"
 #ifndef lint
-FILE_RCSID("@(#)$File: readelf.c,v 1.119 2015/04/09 20:01:41 christos Exp $")
+FILE_RCSID("@(#)$File: readelf.c,v 1.120 2015/06/16 14:18:07 christos Exp $")
 #endif
 #ifdef BUILTIN_ELF
@@ -1048,9 +1048,18 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 break;
 }
+ /* Things we can determine when we seek */
 switch (xsh_type) {
 case SHT_NOTE:
+ if (xsh_size + xsh_offset > (uintmax_t)fsize) {
+ if (file_printf(ms,
+ ", note offset/size 0x%jx+0x%jx exceeds"
+ " file size 0x%jx", (uintmax_t)xsh_offset,
+ (uintmax_t)xsh_size, (uintmax_t)fsize) == -1)
+ return -1;
+ return 0;
+ }
+ if ((nbuf = malloc(xsh_size)) == NULL) {
 file_error(ms, errno, "Cannot allocate memory"
 " for note");
--
2.40.0
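Review bot: The new guard `xsh_size + xsh_offset > (uintmax_t)fsize` in the SHT_NOTE case can be defeated by wraparound, because both operands come from the untrusted section header and the addition is evaluated in the operands' own width before the cast on the right-hand side is applied; a header whose offset and size are each near the top of that range sums to a small value, passes the check, and still reaches `malloc(xsh_size)` with exactly the oversized allocation this patch is meant to reject. An overflow-safe form is `if (xsh_offset > (uintmax_t)fsize || xsh_size > (uintmax_t)fsize - xsh_offset) {`, which also guarantees the later read of the note stays inside the file. `xsh_size` and `xsh_offset` are presumably class-dependent accessor macros whose definitions are not in this hunk, so whether the 32-bit path can wrap as well should be confirmed against them. doshn begins and ends outside this hunk.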