[PATCH] libelf: Make sure ar archive long_names len fits in mapped ELF file.

[PATCH] libelf: Make sure ar archive long_names len fits in mapped ELF file.

[Mark Wielaard]

[-- Attachment #1: Type: text/plain, Size: 1642 bytes --]

Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
 libelf/ChangeLog   |  5 +++++
 libelf/elf_begin.c | 15 ++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index fe210ab..270579b 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-16  Mark Wielaard  <mjw@redhat.com>
+
+	* elf_begin.c (read_long_names): Make sure long_names len fits
+	in mapped ELF file.
+
 2014-12-15  Mark Wielaard  <mjw@redhat.com>
 
 	* elf_getarsym.c (elf_getarsym): Check index_size doesn't overflow.
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index c24a364..30abe0b 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -708,11 +708,15 @@ read_long_names (Elf *elf)
       char *runp;
 
       if (elf->map_address != NULL)
-	/* Simply copy it over.  */
-	elf->state.ar.long_names = (char *) memcpy (newp,
-						    elf->map_address + offset
-						    + sizeof (struct ar_hdr),
-						    len);
+	{
+	  if (len > elf->maximum_size - offset - sizeof (struct ar_hdr))
+	    goto too_much;
+	  /* Simply copy it over.  */
+	  elf->state.ar.long_names = (char *) memcpy (newp,
+						      elf->map_address + offset
+						      + sizeof (struct ar_hdr),
+						      len);
+	}
       else
 	{
 	  if (unlikely ((size_t) pread_retry (elf->fildes, newp, len,
@@ -720,6 +724,7 @@ read_long_names (Elf *elf)
 					      + sizeof (struct ar_hdr))
 			!= len))
 	    {
+	    too_much:
 	      /* We were not able to read all data.  */
 	      free (newp);
 	      elf->state.ar.long_names = NULL;
-- 
1.8.3.1