From 5ff67fca5b09cc6389c17047720e97e84b91fd48 Mon Sep 17 00:00:00 2001
From: Shane Huntley
Date: Mon, 13 Jan 2025 20:12:24 +1100
Subject: [PATCH] Additional elf parsing check to avoid integer overflow. (#2131)
---
 libyara/modules/elf/elf.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/libyara/modules/elf/elf.c b/libyara/modules/elf/elf.c
index ff5418647f..85e46e687e 100644
--- a/libyara/modules/elf/elf.c
+++ b/libyara/modules/elf/elf.c
@@ -791,20 +791,24 @@ static const char* str_table_entry(
 \
 if (yr_##bo##32toh(segment->type) == ELF_PT_DYNAMIC) \
 { \
- elf##bits##_dyn_t* dyn = \
- (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset)); \
- \
- for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++) \
+ j = 0; \
+ if (yr_##bo##bits##toh(segment->offset) < elf_size) \
 { \
- yr_set_integer( \
- yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j); \
- yr_set_integer( \
- yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j); \
+ elf##bits##_dyn_t* dyn = \
+ (elf##bits##_dyn_t*) (elf_raw + yr_##bo##bits##toh(segment->offset)); \
 \
- if (dyn->tag == ELF_DT_NULL) \
+ for (j = 0; IS_VALID_PTR(elf, elf_size, dyn); dyn++, j++) \
 { \
- j++; \
- break; \
+ yr_set_integer( \
+ yr_##bo##bits##toh(dyn->tag), elf_obj, "dynamic[%i].type", j); \
+ yr_set_integer( \
+ yr_##bo##bits##toh(dyn->val), elf_obj, "dynamic[%i].val", j); \
+ \
+ if (dyn->tag == ELF_DT_NULL) \
+ { \
+ j++; \
+ break; \
+ } \
 } \
 } \
 yr_set_integer(j, elf_obj, "dynamic_section_entries"); \
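Review bot: The new `offset < elf_size` guard only validates where the dynamic table starts; the walk that follows is still bounded by the end of the file (through IS_VALID_PTR) rather than by the PT_DYNAMIC segment's own size, so a file-controlled table with no ELF_DT_NULL entry produces as many `dynamic[%i]` entries as fit before EOF. If the macro does not cap this elsewhere (its body starts and ends outside the hunk), consider also stopping at the segment's declared file size or at a fixed maximum entry count. The guard itself deserves a comment inside the macro, for example `/* offset comes from the file: reject values past EOF so elf_raw + offset cannot overflow */`. It is also worth a short comment that the `j = 0;` ahead of the `if` is what keeps `dynamic_section_entries` defined when the guard fails, since the `for` initialises `j` a second time.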