debug/elf: validate phentsize and shentsize

ianlancetaylor · gopherbot · commit 0ae042f97794 · 2022-10-12T23:06:08.000Z
No test case because the problem can only happen for invalid data. Let the fuzzer find cases like this. Fixes #56129 Change-Id: I6c81933781384c5e2c8ba0fd99cec50455b9664a Reviewed-on: https://go-review.googlesource.com/c/go/+/441976 Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Ian Lance Taylor <iant@google.com> Reviewed-by: Than McIntosh <thanm@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Joedian Reid <joedian@golang.org> Auto-Submit: Ian Lance Taylor <iant@google.com> Run-TryBot: Ian Lance Taylor <iant@golang.org>
diff --git a/src/debug/elf/file.go b/src/debug/elf/file.go
@@ -344,6 +344,19 @@ func NewFile(r io.ReaderAt) (*File, error) {
 		return nil, &FormatError{0, "invalid ELF shstrndx", shstrndx}
 	}
 
+	var wantPhentsize, wantShentsize int
+	switch f.Class {
+	case ELFCLASS32:
+		wantPhentsize = 8 * 4
+		wantShentsize = 10 * 4
+	case ELFCLASS64:
+		wantPhentsize = 2*4 + 6*8
+		wantShentsize = 4*4 + 6*8
+	}
+	if phnum > 0 && phentsize < wantPhentsize {
+		return nil, &FormatError{0, "invalid ELF phentsize", phentsize}
+	}
+
 	// Read program headers
 	f.Progs = make([]*Prog, phnum)
 	for i := 0; i < phnum; i++ {
@@ -439,6 +452,10 @@ func NewFile(r io.ReaderAt) (*File, error) {
 		}
 	}
 
+	if shnum > 0 && shentsize < wantShentsize {
+		return nil, &FormatError{0, "invalid ELF shentsize", shentsize}
+	}
+
 	// Read section headers
 	f.Sections = make([]*Section, shnum)
 	names := make([]uint32, shnum)
