authorMark Wielaard <mark@klomp.org>2019-01-16 12:25:57 +0100
committerMark Wielaard <mark@klomp.org>2019-01-16 12:25:57 +0100
commite65d91d21cb09d83b001fef9435e576ba447db32 (patch)
tree92a13bb96433e75ce5d60c679fb4df0bbbf0467c
parent012018907ca05eb0ab51d424a596ef38fc87cae1 (diff)
downloadelfutils-e65d91d21cb09d83b001fef9435e576ba447db32.tar.gz
libelf: Correct overflow check in note_xlate.
We want to make sure the note_len doesn't overflow and become shorter than the note header. But the namesz and descsz checks got the note header size wrong. Replace the wrong constant (8) with sizeof cvt_Nhdr (12). https://sourceware.org/bugzilla/show_bug.cgi?id=24084 Signed-off-by: Mark Wielaard <mark@klomp.org>
-rw-r--r--libelf/ChangeLog5
-rw-r--r--libelf/note_xlate.h4
2 files changed, 7 insertions, 2 deletions
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 5923c85c..5783f0c3 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,8 @@
+2019-01-16 Mark Wielaard <mark@klomp.org>
+
+ * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
+ overflow note_len into note header.
+
2018-11-17 Mark Wielaard <mark@klomp.org>
* elf32_updatefile.c (updatemmap): Make sure to call convert
diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
index 9bdc3e2c..bc9950ff 100644
--- a/libelf/note_xlate.h
+++ b/libelf/note_xlate.h
@@ -46,13 +46,13 @@ elf_cvt_note (void *dest, const void *src, size_t len, int encode,
/* desc needs to be aligned. */
note_len += n->n_namesz;
note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
- if (note_len > len || note_len < 8)
+ if (note_len > len || note_len < sizeof *n)
break;
/* data as a whole needs to be aligned. */
note_len += n->n_descsz;
note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
- if (note_len > len || note_len < 8)
+ if (note_len > len || note_len < sizeof *n)
break;
/* Copy or skip the note data. */
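Review bot: The second guard, `note_len < sizeof *n` after `note_len += n->n_descsz`, only detects a wrap that lands below the header size; on a host where size_t is 32-bit the sum can wrap to any value in [sizeof *n, old note_len) and pass both halves of the condition (e.g. a name-padded note_len of 16 plus an n_descsz of 0xffffffff yields 15), so the header-size comparison is not a real overflow check there. The first guard is sound because note_len is exactly sizeof *n before n_namesz is added, but the second should compare against the addend, which is the idiomatic unsigned-wrap test: `note_len += n->n_descsz; if (note_len < n->n_descsz) break;` placed before the alignment step, keeping the existing `note_len > len` check after it. On 64-bit hosts the 32-bit n_descsz cannot wrap a size_t, so this is presumably only reachable with 32-bit builds — worth confirming before deciding whether to harden. The copy that consumes note_len follows the `/* Copy or skip the note data. */` comment and lies outside this hunk, as does the rest of elf_cvt_note.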