author | Jens Wiklander <jens.wiklander@linaro.org> | 2020-03-04 11:39:18 +0100 |
---|---|---|
committer | Jérôme Forissier <jerome@forissier.org> | 2020-03-06 10:42:04 +0100 |
commit | cfd9b9f7e8ff6baa705a66dc9c56fd2941079cd6 (patch) | |
tree | 211825063725acef847de4555ba9c953b85a6179 /ldelf | |
parent | 5c0860db3f473f43b18f0ec6c84ff020b6bb85b4 (diff) |
ldelf: check against section headers size overflow
Adds a check in copy_section_headers() to guard against overflow in
the e_shnum * e_shentsize multiplication.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reported-by: Martijn Bogaard <martijn@riscure.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Diffstat (limited to 'ldelf')
-rw-r--r-- | ldelf/ta_elf.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/ldelf/ta_elf.c b/ldelf/ta_elf.c
index 93208809..d42bf07d 100644
--- a/ldelf/ta_elf.c
+++ b/ldelf/ta_elf.c
@@ -815,9 +815,12 @@ static void add_dependencies(struct ta_elf *elf)
 static void copy_section_headers(struct ta_elf *elf)
 {
 TEE_Result res = TEE_SUCCESS;
- size_t sz = elf->e_shnum * elf->e_shentsize;
+ size_t sz = 0;
 size_t offs = 0;
 
+ if (MUL_OVERFLOW(elf->e_shnum, elf->e_shentsize, &sz))
+ err(TEE_ERROR_BAD_FORMAT, "Shdr size overflow");
+
 elf->shdr = malloc(sz);
 if (!elf->shdr)
 err(TEE_ERROR_OUT_OF_MEMORY, "malloc"); |
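Review bot: The added check rejects a wrapped product but still lets `sz == 0` reach `malloc(sz)`. When `e_shnum` or `e_shentsize` is zero, `malloc(0)` may return NULL (implementation-defined), and the following `if (!elf->shdr)` then reports TEE_ERROR_OUT_OF_MEMORY for what is really a malformed or header-less ELF. Unless the header parsing already rejects that case (not visible in this hunk), handle it explicitly right after the overflow check, for example `if (!sz) err(TEE_ERROR_BAD_FORMAT, "No section headers");`. A short comment above the check, such as `/* e_shnum and e_shentsize are read from the ELF being loaded and are not trusted */`, would tell the next reader why the multiplication is guarded. copy_section_headers() continues past the end of the hunk, so how `sz` is used after the allocation is not covered here.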