git: b541e44b7c30 - stable/12 - ldd: guard against stack overflow reading corrupted files.

From: Simon J. Gerraty <sjg_at_FreeBSD.org>
Date: Wed, 19 Oct 2022 21:10:11 UTC
The branch stable/12 has been updated by sjg:

URL: https://cgit.FreeBSD.org/src/commit/?id=b541e44b7c30d56b445dd91c8e03cc11488faf48

commit b541e44b7c30d56b445dd91c8e03cc11488faf48
Author:     Simon J. Gerraty <sjg@FreeBSD.org>
AuthorDate: 2022-10-19 21:08:43 +0000
Commit:     Simon J. Gerraty <sjg@FreeBSD.org>
CommitDate: 2022-10-19 21:08:43 +0000

    ldd: guard against stack overflow reading corrupted files.
    
    Reviewed by:    imp, emaste
    Reported by:    UK National Cyber Security Centre (NCSC)
    Sponsored by:   Juniper Networks, Inc.
    Differential Revision:  https://reviews.freebsd.org/D37010
---
 usr.bin/ldd/ldd.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/usr.bin/ldd/ldd.c b/usr.bin/ldd/ldd.c
index d237850be765..7db8875ed2e3 100644
--- a/usr.bin/ldd/ldd.c
+++ b/usr.bin/ldd/ldd.c
@@ -335,6 +335,10 @@ is_executable(const char *fname, int fd, int *is_shlib, int *type)
 			warnx("%s: header too short", fname);
 			return (0);
 		}
+		if (hdr.elf32.e_phentsize != sizeof(phdr32)) {
+			warnx("%s: corrupt header", fname);
+			return (0);
+		}
 		for (i = 0; i < hdr.elf32.e_phnum; i++) {
 			if (read(fd, &phdr32, hdr.elf32.e_phentsize) !=
 			    sizeof(phdr32)) {
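Review bot: The read() right after the new guard still takes its length from `hdr.elf32.e_phentsize`, a field supplied by the file, so the stack buffer `phdr32` is bounded only while this guard stays directly in front of the loop. Passing the buffer size keeps the bound local to the call: `if (read(fd, &phdr32, sizeof(phdr32)) != sizeof(phdr32)) {`. A short comment on the guard, for example `/* e_phentsize is the read() length into phdr32 below; reject any other size */`, would record why a mismatch is treated as corruption. The same applies in the second hunk to `hdr.elf.e_phentsize` and `phdr`. is_executable() starts and ends outside both hunks, so other uses of e_phentsize are not visible here.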
@@ -403,6 +407,10 @@ is_executable(const char *fname, int fd, int *is_shlib, int *type)
 			warnx("%s: header too short", fname);
 			return (0);
 		}
+		if (hdr.elf.e_phentsize != sizeof(phdr)) {
+			warnx("%s: corrupt header", fname);
+			return (0);
+		}
 		for (i = 0; i < hdr.elf.e_phnum; i++) {
 			if (read(fd, &phdr, hdr.elf.e_phentsize)
 			   != sizeof(phdr)) {