From bceee87f6131f37464aac9c0f46ce348410ae997 Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sun, 27 Dec 2020 22:01:56 +0000
Subject: [PATCH] LibELF: Reject ELF with program header p_filesz larger than p_memsz

---
 Libraries/LibELF/Validation.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Libraries/LibELF/Validation.cpp b/Libraries/LibELF/Validation.cpp
index 12d7b29d0a1..b7e1584cd34 100644
--- a/Libraries/LibELF/Validation.cpp
+++ b/Libraries/LibELF/Validation.cpp
@@ -193,6 +193,13 @@ bool validate_program_headers(const Elf32_Ehdr& elf_header, size_t file_size, co
     for (size_t header_index = 0; header_index < num_program_headers; ++header_index) {
         auto& program_header = program_header_begin[header_index];
+
+        if (program_header.p_filesz > program_header.p_memsz) {
+            if (verbose)
+                dbgln("Program header ({}) has p_filesz ({}) larger than p_memsz ({})", header_index, program_header.p_filesz, program_header.p_memsz);
+            return false;
+        }
+
         switch (program_header.p_type) {
         case PT_INTERP:
             // We checked above that file_size was >= buffer size. We only care about buffer size anyway, we're trying to read this!