From: Ian Lance Taylor Date: Tue, 26 Nov 2024 23:26:25 +0000 (-0800) Subject: debug/elf: check for multiplication overflow for shnum * shentsize X-Git-Tag: go1.24rc1~68 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=4f78aa9e8bc909395bb891b12586ea0a7c9dfff1;p=gostls13.git debug/elf: check for multiplication overflow for shnum * shentsize No test case because the problem can only happen for invalid data. Let the fuzzer find cases like this. For #47653 Fixes #70584 Change-Id: I8a69a27dcb5b258b88f8e01ebaf0ec20cfcd489b Reviewed-on: https://go-review.googlesource.com/c/go/+/632035 Reviewed-by: Veronica Silina LUCI-TryBot-Result: Go LUCI Reviewed-by: Tobias Klauser Auto-Submit: Ian Lance Taylor Reviewed-by: Cherry Mui
---
diff --git a/src/debug/elf/file.go b/src/debug/elf/file.go
index 05062f1433..aa523c3fae 100644
--- a/src/debug/elf/file.go
+++ b/src/debug/elf/file.go
@@ -497,6 +497,9 @@ func NewFile(r io.ReaderAt) (*File, error) {
 if c < 0 {
 return nil, &FormatError{0, "too many sections", shnum}
 }
+ if shnum > 0 && ((1<<64)-1)/uint64(shnum) < uint64(shentsize) {
+ return nil, &FormatError{0, "section header overflow", shnum}
+ }
 f.Sections = make([]*Section, 0, c)
 names := make([]uint32, 0, c)
 shdata, err := saferio.ReadDataAt(sr, uint64(shnum)*uint64(shentsize), shoff)
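Review bot: The added guard `((1<<64)-1)/uint64(shnum) < uint64(shentsize)` carries no comment and spells the uint64 maximum as a bare constant expression, so a reader has to work out that it protects the `uint64(shnum)*uint64(shentsize)` read size passed to `saferio.ReadDataAt` three lines below from wrapping. I would put `// Reject headers whose shnum*shentsize would wrap uint64; the product is the read size below.` above the `if`, and write the bound as `math.MaxUint64` if `math` is already imported in this file (the import block is not visible here). The `FormatError` reports only `shnum`, although the condition depends equally on `shentsize`; naming the product in the message, for example `"section header size overflow"`, would make a rejected file easier to diagnose. NewFile starts and ends outside the hunk, so whether later per-section offsets derived from `shentsize` are also covered by this check cannot be confirmed from these lines.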