Validate offsets before passing into file_seek().

author Ben Pfaff <blp@cs.stanford.edu>

Wed, 8 Dec 2004 00:17:58 +0000 (00:17 +0000)

committer Ben Pfaff <blp@cs.stanford.edu>

Wed, 8 Dec 2004 00:17:58 +0000 (00:17 +0000)
author Ben Pfaff <blp@cs.stanford.edu>
Wed, 8 Dec 2004 00:17:58 +0000 (00:17 +0000)
committer Ben Pfaff <blp@cs.stanford.edu>
Wed, 8 Dec 2004 00:17:58 +0000 (00:17 +0000)
diff --git a/src/userprog/process.c b/src/userprog/process.c

index 78b3122b1b6e1dcb1db9ce12d804e46383785a71..b8d4a14462c63faecf6ac69944db4180b83d2914 100644 (file)
--- a/src/userprog/process.c
+++ b/src/userprog/process.c
@@ -240,7 +240,10 @@ load (const char *filename, void (**eip) (void), void **esp)
      {
        struct Elf32_Phdr phdr;
  
+      if (file_ofs < 0 || file_ofs > file_length (file))
+        LOAD_ERROR (("bad file offset %ld", (long) file_ofs));
        file_seek (file, file_ofs);
+
        if (file_read (file, &phdr, sizeof phdr) != sizeof phdr)
          LOAD_ERROR (("error reading program header"));
        file_ofs += sizeof phdr;
@@ -316,6 +319,13 @@ load_segment (struct file *file, const struct Elf32_Phdr *phdr)
        return false; 
      }
  
+  /* p_offset must point within file. */
+  if (phdr->p_offset < 0 || phdr->p_offset > file_length (file)) 
+    {
+      printf ("bad p_offset %"PE32Ox, phdr->p_offset);
+      return false;
+    }
+
    /* [ELF1] 2-3 says that p_memsz must be at least as big as
       p_filesz. */
    if (phdr->p_memsz < phdr->p_filesz)
author	Ben Pfaff <blp@cs.stanford.edu>
	Wed, 8 Dec 2004 00:17:58 +0000 (00:17 +0000)
committer	Ben Pfaff <blp@cs.stanford.edu>
	Wed, 8 Dec 2004 00:17:58 +0000 (00:17 +0000)