1 files changed, 14 insertions, 8 deletions

diff --git a/elfutils/libelf/elf_begin.c b/elfutils/libelf/elf_begin.c
index 896d86b6..0b9583b2 100644
--- a/elfutils/libelf/elf_begin.c
+++ b/elfutils/libelf/elf_begin.c
@@ -338,10 +338,13 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
 	      elf->state.elf32.scns.data[cnt].elf = elf;
 	      elf->state.elf32.scns.data[cnt].shdr.e32 =
 		&elf->state.elf32.shdr[cnt];
-	      elf->state.elf32.scns.data[cnt].rawdata_base =
-		elf->state.elf32.scns.data[cnt].data_base =
-		((char *) map_address + offset
-		 + elf->state.elf32.shdr[cnt].sh_offset);
+	      if (likely (elf->state.elf32.shdr[cnt].sh_offset < maxsize)
+		  && likely (maxsize - elf->state.elf32.shdr[cnt].sh_offset
+			     <= elf->state.elf32.shdr[cnt].sh_size))
+		elf->state.elf32.scns.data[cnt].rawdata_base =
+		  elf->state.elf32.scns.data[cnt].data_base =
+		  ((char *) map_address + offset
+		   + elf->state.elf32.shdr[cnt].sh_offset);
 	      elf->state.elf32.scns.data[cnt].list = &elf->state.elf32.scns;
 
 	      /* If this is a section with an extended index add a
@@ -423,10 +426,13 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
 	      elf->state.elf64.scns.data[cnt].elf = elf;
 	      elf->state.elf64.scns.data[cnt].shdr.e64 =
 		&elf->state.elf64.shdr[cnt];
-	      elf->state.elf64.scns.data[cnt].rawdata_base =
-		elf->state.elf64.scns.data[cnt].data_base =
-		((char *) map_address + offset
-		 + elf->state.elf64.shdr[cnt].sh_offset);
+	      if (likely (elf->state.elf64.shdr[cnt].sh_offset < maxsize)
+		  && likely (maxsize - elf->state.elf64.shdr[cnt].sh_offset
+			     <= elf->state.elf64.shdr[cnt].sh_size))
+		elf->state.elf64.scns.data[cnt].rawdata_base =
+		  elf->state.elf64.scns.data[cnt].data_base =
+		  ((char *) map_address + offset
+		   + elf->state.elf64.shdr[cnt].sh_offset);
 	      elf->state.elf64.scns.data[cnt].list = &elf->state.elf64.scns;
 
 	      /* If this is a section with an extended index add a