
Bug #7141

Updated by Dillon Amburgey about 4 years ago

In stringtbl() in usr/src/cmd/sgs/elfdump/common/elfdump.c, the symbol table's entry size (sh_entsize) and link (sh_link) are checked:

<pre>
    /*
     * Validate the symbol table section.
     */
    if ((shdr->sh_link == 0) || (shdr->sh_link >= shnum)) {
        (void) fprintf(stderr, MSG_INTL(MSG_ERR_BADSHLINK),
            file, cache[ndx].c_name, EC_WORD(shdr->sh_link));
        return (0);
    }
    if ((shdr->sh_entsize == 0) || (shdr->sh_size == 0)) {
        (void) fprintf(stderr, MSG_INTL(MSG_ERR_BADSZ),
            file, cache[ndx].c_name);
        return (0);
    }
</pre>

However, the string table section header that sh_link points to undergoes no such checking before its fields are used:

<pre>
    /*
     * Establish the string table index.
     */
    ndx = shdr->sh_link;
    shdr = cache[ndx].c_shdr;

    /*
     * Return symbol table information.
     */
    if (symnum)
        *symnum = (shdr->sh_size / shdr->sh_entsize);
</pre>

At that point shdr refers to the string table's header, so if its sh_entsize is 0 the division faults with a divide by zero.
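A defensive version of this lookup, written here as an added example and not elfdump's own code: it validates the symbol table's sh_link and sh_entsize, checks that the linked section really is a string table, and derives the entry count from the symbol table header before anything is re-pointed at the string table. The Shdr64 struct mirrors the ELF64 section header layout so the example builds without &lt;elf.h&gt;; validate_symtab, sample_symnum and the section header table they operate on are mine, not taken from the attached ELF.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard ELF section type numbers (from the ELF specification). */
#define SHT_SYMTAB 2
#define SHT_STRTAB 3

/* Mirrors the ELF64 section header layout; defined here so the example
 * builds without <elf.h> or elfdump's Cache type. */
typedef struct {
    uint32_t sh_name;
    uint32_t sh_type;
    uint64_t sh_flags;
    uint64_t sh_addr;
    uint64_t sh_offset;
    uint64_t sh_size;
    uint32_t sh_link;
    uint32_t sh_info;
    uint64_t sh_addralign;
    uint64_t sh_entsize;
} Shdr64;

/*
 * Hypothetical helper (not elfdump's stringtbl()): validate the symbol
 * table at shdrs[ndx] and the string table it links to. Returns 0 and
 * sets *symnum and *strndx on success, -1 for any malformed header.
 *
 * The entry count is taken from the symbol table's own header before
 * any pointer is moved to the string table. The excerpt on the page
 * divides after that move, so a string table header with
 * sh_entsize == 0 reaches the division.
 */
int validate_symtab(const Shdr64 *shdrs, size_t shnum, size_t ndx,
                    uint64_t *symnum, size_t *strndx)
{
    if (shdrs == NULL || ndx == 0 || ndx >= shnum)
        return -1;
    const Shdr64 *sym = &shdrs[ndx];
    if (sym->sh_type != SHT_SYMTAB)
        return -1;
    /* sh_link must name a real section other than this one. */
    if (sym->sh_link == 0 || sym->sh_link >= shnum || sym->sh_link == ndx)
        return -1;
    /* Guard the divisor (and reject an empty table) before dividing. */
    if (sym->sh_entsize == 0 || sym->sh_size == 0)
        return -1;
    /* The linked section must really be a string table. */
    const Shdr64 *str = &shdrs[sym->sh_link];
    if (str->sh_type != SHT_STRTAB || str->sh_size == 0)
        return -1;
    *symnum = sym->sh_size / sym->sh_entsize;   /* symtab fields only */
    *strndx = sym->sh_link;
    return 0;
}

/* Constructed section header table for the demonstration (not from the
 * attached ELF): index 0 is the null section, 1 is a well-formed symtab
 * linked to the strtab at 2 (whose sh_entsize is 0, the case the page
 * describes), and 3..5 are malformed symtabs. */
#define SAMPLE_SHNUM 6
static const Shdr64 sample[SAMPLE_SHNUM] = {
    [0] = { 0 },
    [1] = { .sh_type = SHT_SYMTAB, .sh_size = 72, .sh_entsize = 24, .sh_link = 2 },
    [2] = { .sh_type = SHT_STRTAB, .sh_size = 16, .sh_entsize = 0 },
    [3] = { .sh_type = SHT_SYMTAB, .sh_size = 72, .sh_entsize = 24, .sh_link = 0 },
    [4] = { .sh_type = SHT_SYMTAB, .sh_size = 72, .sh_entsize = 0,  .sh_link = 2 },
    [5] = { .sh_type = SHT_SYMTAB, .sh_size = 72, .sh_entsize = 24, .sh_link = 9 },
};

/* Symbol count for sample[ndx], or -1 if validation rejects it. */
long sample_symnum(size_t ndx)
{
    uint64_t n = 0;
    size_t s = 0;
    if (validate_symtab(sample, SAMPLE_SHNUM, ndx, &n, &s) != 0)
        return -1;
    return (long)n;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_SHNUM; i++)
        printf("section %zu: %ld\n", i, sample_symnum(i));
    return 0;
}
```

Only section 1 passes (72 / 24 = 3 symbols); the string table it links to has sh_entsize 0 and is never used as a divisor. Sections 3, 4 and 5 are rejected for a zero link, a zero entry size and an out-of-range link respectively, before any arithmetic happens.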

See the attached ELF for an example.
