This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.
[romain.r@free.fr: bug in readelf]
- From: "H. J. Lu" <hjl at lucon dot org>
- To: binutils at sources dot redhat dot com
- Date: Thu, 3 Jul 2003 20:11:58 -0700
- Subject: [romain.r@free.fr: bug in readelf]
----- Forwarded message from romain <romain.r@free.fr> -----
Delivered-To: hjl@localhost.lucon.org
Date: Fri, 4 Jul 2003 02:57:51 +0200
From: romain <romain.r@free.fr>
To: hjl@lucon.org
Subject: bug in readelf
Hello,
I found a little bug in readelf.
If I put a big or negative value in the sh_size of the section .shstrtab, readelf segfaults when it tries to read
the section headers.
$ cp /bin/ls ./
With hexedit I put 0xFFFFFFFF in the sh_size of the section .shstrtab.
$ hexedit ./ls
$ readelf -S ./ls
There are 26 section headers, starting at offset 0x10444:
readelf: Error: Out of memory allocating -1 bytes for string table
Erreur de segmentation
$
The malloc in get_data returns the error and the error message:
0x804bedb <get_data+187>: call 0x8048aac <malloc>
0x804bee0 <get_data+192>: test eax,eax
0x804bee2 <get_data+194>: mov ebx,eax
0x804bee4 <get_data+196>: jne 0x804be73 <get_data+83>
0x804bee6 <get_data+198>: mov DWORD PTR [esp+8],0x5
0x804beee <get_data+206>: mov DWORD PTR [esp+4],0x806f900
0x804bef6 <get_data+214>: mov DWORD PTR [esp],0x0
0x804befd <get_data+221>: call 0x8048a4c <dcgettext>
0x804bf02 <get_data+226>: mov edx,DWORD PTR [ebp+24]
0x804bf05 <get_data+229>: mov DWORD PTR [esp+4],esi
0x804bf09 <get_data+233>: mov DWORD PTR [esp+8],edx
0x804bf0d <get_data+237>: mov DWORD PTR [esp],eax
0x804bf10 <get_data+240>: call 0x804bd40 <error>
But the segfault happens later:
0x8052961 <process_section_headers+2337>: repz cmps ds:[esi],es:[edi]
I'm sorry for my really poor English :(
Goodbye.
Romain...
----- End forwarded message -----
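
Added example, not part of the forwarded message and not readelf's own code: one way to guard against the failure reported above, by checking sh_offset and sh_size against the file size before allocating, and by making the name lookup tolerate a string table that failed to load. The struct and the function names are hypothetical, and the file is assumed to be already read into memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal view of a section header (only the fields used here). */
struct shdr_view {
    uint64_t sh_offset;  /* file offset of the section's data */
    uint64_t sh_size;    /* size of the section's data, taken from the file */
};

/* Return 1 if [sh_offset, sh_offset + sh_size) lies inside the file. */
int section_in_file(const struct shdr_view *sh, uint64_t file_size)
{
    if (sh->sh_offset > file_size)
        return 0;
    /* Written as a subtraction so offset + size cannot wrap around. */
    return sh->sh_size <= file_size - sh->sh_offset;
}

/* Copy the string table out of a file image, or return NULL if the header
   is inconsistent. A trailing NUL is forced so lookups always terminate. */
char *load_strtab(const uint8_t *file, uint64_t file_size,
                  const struct shdr_view *sh, size_t *out_len)
{
    *out_len = 0;
    if (sh->sh_size == 0 || !section_in_file(sh, file_size))
        return NULL;
    char *tab = malloc((size_t)sh->sh_size + 1);
    if (tab == NULL)
        return NULL;
    memcpy(tab, file + sh->sh_offset, (size_t)sh->sh_size);
    tab[sh->sh_size] = '\0';
    *out_len = (size_t)sh->sh_size;
    return tab;
}

/* Name lookup that tolerates a missing table or an out-of-range sh_name,
   instead of handing a NULL or wild pointer to a string comparison. */
const char *section_name(const char *tab, size_t len, uint32_t sh_name)
{
    if (tab == NULL)
        return "<no-strtab>";
    if (sh_name >= len)
        return "<corrupt>";
    return tab + sh_name;
}
```

With sh_size set to 0xFFFFFFFF as in the report, load_strtab returns NULL without calling malloc, and section_name then yields a placeholder rather than a pointer that a later comparison would dereference.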