authorMark Wielaard <mark@klomp.org>2019-10-26 22:54:49 +0200
committerMark Wielaard <mark@klomp.org>2019-10-29 15:44:25 +0100
commitb2dddd3389a8005a7e93bc21b2932156899e1aac (patch)
tree59c08597d7518fdfc4f2165a3b8fa693ef8baabd
parent99dc63b10b3878616b85df2dfd2e4e7103e414b8 (diff)
downloadelfutils-b2dddd3389a8005a7e93bc21b2932156899e1aac.tar.gz
unstrip: Check symbol strings are terminated.
A corrupt ELF file could contain a .strtab section that wasn't properly zero terminated. If so, we could add a non-terminated string to the dwelf_strtab functions, which could then crash because they would read past the .strtab section data. https://sourceware.org/bugzilla/show_bug.cgi?id=25069 Signed-off-by: Mark Wielaard <mark@klomp.org>
-rw-r--r--src/ChangeLog5
-rw-r--r--src/unstrip.c4
2 files changed, 8 insertions, 1 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index fe7ddbfd..3144c935 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2019-10-26 Mark Wielaard <mark@klomp.org>
+
+ * unstrip.c (collect_symbols): Check symbol strings are
+ terminated.
+
2019-10-18 Mark Wielaard <mark@klomp.org>
* unstrip.c (adjust_relocs): Set versym data d_size to the actual
diff --git a/src/unstrip.c b/src/unstrip.c
index f4314d5d..9b8c09a1 100644
--- a/src/unstrip.c
+++ b/src/unstrip.c
@@ -854,7 +854,9 @@ collect_symbols (Elf *outelf, bool rel, Elf_Scn *symscn, Elf_Scn *strscn,
if (sym->st_shndx != SHN_XINDEX)
shndx = sym->st_shndx;
- if (sym->st_name >= strdata->d_size)
+ if (sym->st_name >= strdata->d_size
+ || memrchr (strdata->d_buf + sym->st_name, '\0',
+ strdata->d_size - sym->st_name) == NULL)
error (EXIT_FAILURE, 0,
_("invalid string offset in symbol [%zu]"), i);
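Review bot: The new memrchr condition on the lines above is correct but has no comment saying why the search runs from the end of the section rather than forward with memchr, and a later reader is likely to "simplify" it; for a well-formed .strtab whose last byte is NUL the backward search returns after one comparison, so the per-symbol check stays cheap, whereas memchr would walk every string. I would add `/* Any NUL after st_name terminates the string; search from the end so a well-formed .strtab (last byte NUL) is accepted after one comparison.  */` directly above the `if`. The reused message `invalid string offset in symbol [%zu]` now also reports an unterminated string, which is not an offset problem; consider whether the wording should cover both cases. memrchr is a GNU extension, so this presumably relies on the file's existing feature-test setup — worth confirming. collect_symbols continues outside this hunk.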