| field | value | date |
|---|---|---|
| author | Mark Wielaard <mark@klomp.org> | 2019-05-01 15:52:24 +0200 |
| committer | Mark Wielaard <mark@klomp.org> | 2019-05-04 21:31:08 +0200 |
| commit | 4628b0ea03a0d029cccbcda1cbfc450b4c5ad1bf (patch) | |
| tree | 4572cae7f6625262b4c01d5f7811657b3c8cb3cc | |
| parent | 1d8f5d30a92285fd4e7895a1d00587ac487412e3 (diff) | |
| download | elfutils-4628b0ea03a0d029cccbcda1cbfc450b4c5ad1bf.tar.gz | |
libelf: Add n_namesz offset overflow check to gelf_get_note.
During fuzzing of the new xlate_notes testcase I noticed that
gelf_get_note didn't check whether the n_namesz of a note was
too big. This could lead to the offset wrapping around, causing an
infinite loop going over all ELF notes. Fix by adding an overflow
check before updating offset.
Signed-off-by: Mark Wielaard <mark@klomp.org>
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | libelf/ChangeLog | 5 |
| -rw-r--r-- | libelf/gelf_getnote.c | 5 |

2 files changed, 8 insertions, 2 deletions
diff --git a/libelf/ChangeLog b/libelf/ChangeLog index 5eadaf76..924ff591 100644 --- a/libelf/ChangeLog +++ b/libelf/ChangeLog @@ -1,3 +1,8 @@ +2019-05-01 Mark Wielaard <mark@klomp.org> + + * gelf_getnote.c (gelf_getnote): Check n_namesz doesn't overflow + offset. + 2019-04-30 Mark Wielaard <mark@klomp.org> * note_xlate.h (elf_cvt_note): Indicate we only translated the note diff --git a/libelf/gelf_getnote.c b/libelf/gelf_getnote.c index 6d33b355..0f7b9d68 100644 --- a/libelf/gelf_getnote.c +++ b/libelf/gelf_getnote.c @@ -80,11 +80,12 @@ gelf_getnote (Elf_Data *data, size_t offset, GElf_Nhdr *result, the offset, after adding the namesz, and include padding in descsz to get to the end. */ *name_offset = offset; - offset += n->n_namesz; - if (offset > data->d_size) + if (n->n_namesz > data->d_size + || offset > data->d_size - n->n_namesz) offset = 0; else { + offset += n->n_namesz; /* Include padding. Check below for overflow. */ GElf_Word descsz = (data->d_type == ELF_T_NHDR8 ? NOTE_ALIGN8 (n->n_descsz) |
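Review bot: the two-part guard added in the gelf_getnote hunk reads as an idiom rather than an obvious bound check, so a short comment above `if (n->n_namesz > data->d_size` would help later readers: the first comparison is what keeps `data->d_size - n->n_namesz` from underflowing, and the second then tests whether `offset + n_namesz` would stay within `d_size` without ever forming the sum that could wrap. Moving `offset += n->n_namesz;` into the else branch is the right shape, since offset now only advances once it is known to stay in bounds, and the descsz path that follows still relies on its own check, as the existing "Check below for overflow" comment says. The ChangeLog hunk matches the change and needs nothing further.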