serge1 / ELFIO

ELFIO - ELF (Executable and Linkable Format) reader and producer implemented as a header only C++ library
http://serge1.github.io/ELFIO
MIT License

there is a bug in elfio::load_sections #84

Closed y27988 closed 2 years ago

y27988 commented 2 years ago

section* sec = create_section(); sec->load(....); section::header is not credible. When using symbol_section_accessor_template::get_symbols_num(), you may get a very big number, because section::get_size() gets its data from section::header. section::get_size() will return a big number, even though it is bigger than stream_size. So it can put me in an endless loop when I deal with the symtab section. At this point, the program looks like it's dead until it's done processing tens of billions of fake symbol data.

My stupid approach is to add a judgment on the return value of get_size() in symbol_section_accessor_template::get_symbols_num().

Elf_Xword get_symbols_num() const
{
    Elf_Xword nRet = 0;
    if ( 0 != symbol_section->get_entry_size() && 
        symbol_section->get_size() < symbol_section->get_stream_size() ) {
        nRet =
            symbol_section->get_size() / symbol_section->get_entry_size();
    }

    return nRet;
}
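The failure mode described above, as an added stand-alone example (not ELFIO's own code, and not the reporter's patch): a section header's sh_size is attacker-controlled input, so a symbol count derived from it must be validated against the real length of the stream before any loop uses it. The struct and function names below are assumptions chosen for the example; the sample stream is constructed inline.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical stand-in for the section fields the issue refers to; the
// names are assumptions for this example, not ELFIO's own API.
struct SectionView {
    uint64_t offset;       // sh_offset as read from the file (untrusted)
    uint64_t size;         // sh_size as read from the file (untrusted)
    uint64_t entry_size;   // sh_entsize as read from the file (untrusted)
    uint64_t stream_size;  // real byte length of the input stream (trusted)
};

// The computation the issue describes: trusts sh_size blindly.
uint64_t naive_symbols_num(const SectionView& sec) {
    if (sec.entry_size == 0) return 0;
    return sec.size / sec.entry_size;
}

// Hardened version: the declared [offset, offset+size) range must lie
// inside the stream. The subtraction form avoids overflow in offset+size.
uint64_t safe_symbols_num(const SectionView& sec) {
    if (sec.entry_size == 0) return 0;
    if (sec.size > sec.stream_size) return 0;               // declared size alone exceeds file
    if (sec.offset > sec.stream_size - sec.size) return 0;  // declared range runs past EOF
    return sec.size / sec.entry_size;
}

// Minimal Elf64_Sym layout (24 bytes) used for the constructed sample below.
constexpr uint64_t kElf64SymSize = 24;

// Walks the symbol table using the checked count and returns how many entries
// were actually visited. Driven by naive_symbols_num() instead, this is the
// loop that appears to hang on a header claiming billions of entries.
uint64_t visit_symbols(const std::vector<uint8_t>& stream, const SectionView& sec) {
    if (sec.entry_size < sizeof(uint32_t)) return 0;  // need at least st_name per entry
    uint64_t n = safe_symbols_num(sec);
    uint64_t visited = 0;
    for (uint64_t i = 0; i < n; ++i) {
        uint32_t st_name;  // first field of Elf64_Sym; stays in bounds because n was checked
        std::memcpy(&st_name, stream.data() + sec.offset + i * sec.entry_size, sizeof st_name);
        (void)st_name;
        ++visited;
    }
    return visited;
}

// Constructed sample stream: three zeroed Elf64_Sym entries = 72 bytes.
std::vector<uint8_t> make_sample_stream() {
    return std::vector<uint8_t>(3 * kElf64SymSize, 0);
}

// Header that matches the stream.
SectionView good_header(const std::vector<uint8_t>& s) {
    return {0, 3 * kElf64SymSize, kElf64SymSize, s.size()};
}

// Header with a forged sh_size far larger than the 72-byte stream.
SectionView bogus_header(const std::vector<uint8_t>& s) {
    return {0, 0xFFFFFFFFFFFFFF00ULL, kElf64SymSize, s.size()};
}

int main() {
    std::vector<uint8_t> s = make_sample_stream();
    std::printf("good:  naive=%llu safe=%llu visited=%llu\n",
                (unsigned long long)naive_symbols_num(good_header(s)),
                (unsigned long long)safe_symbols_num(good_header(s)),
                (unsigned long long)visit_symbols(s, good_header(s)));
    std::printf("bogus: naive=%llu safe=%llu visited=%llu\n",
                (unsigned long long)naive_symbols_num(bogus_header(s)),
                (unsigned long long)safe_symbols_num(bogus_header(s)),
                (unsigned long long)visit_symbols(s, bogus_header(s)));
    return 0;
}
```

The check compares against the stream length rather than only against `offset + size`, because a forged header can make that sum wrap around; rejecting the section outright (count 0) is a conservative choice, and a parser that wants to report the inconsistency rather than silently skip it can surface the same condition as an error.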
serge1 commented 2 years ago

Thank you for your enquiry. I'll provide my answer tomorrow.

serge1 commented 2 years ago

I think your approach is acceptable and safer. Please submit a PR. But how come that in your case the section's size becomes larger than the file size?

y27988 commented 2 years ago

This is a test case that simulates a variety of inputs to test my program. I didn't build it; I found it while doing security research on elfio. https://github.com/serge1/ELFIO/issues/23 https://github.com/serge1/ELFIO/files/1655587/null_endianess_convertor.zip

For some reason, it's not convenient for me to submit my code. Please modify the problem yourself and submit it.

serge1 commented 2 years ago

Commit ed2523f should address the issue. Please reopen in case more clarification is required.