Subject: Fix note bounds reading, Francisco Alonso / Red Hat
ID: CVE-2014-3710
Author: Christos Zoulas <christos@zoulas.com>
Date: Fri Oct 17 15:49:00 2014 +0000
Origin:
    commit 39c7ac1106be844a5296d3eb5971946cc09ffda0
Last-Update: 2014-11-09

--- a/src/readelf.c
+++ b/src/readelf.c
@@ -477,6 +477,13 @@
 	uint32_t namesz, descsz;
 	unsigned char *nbuf = CAST(unsigned char *, vbuf);
 
+	if (xnh_sizeof + offset > size) {
+		/*
+		 * We're out of note headers.
+		 */
+		return xnh_sizeof + offset;
+	}
+
 	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
 	offset += xnh_sizeof;