#462 strings(1) crash in _libelf_cvt_SHDR64_tom

[Ed Maste]

found with the afl fuzzer

(lldb) bt
* thread #1: tid = 100186, 0x000000000042095b strings_libelf_cvt_SHDR64_tom(dst=<unavailable>, dsz=<unavailable>, src=<unavailable>, count=<unavailable>, byteswap=0) + 723 at libelf_convert.c:1672, stop reason = invalid address (fault address: 0x80069300c) * frame #0: 0x000000000042095b strings_libelf_cvt_SHDR64_tom(dst=<unavailable>, dsz=<unavailable>, src=<unavailable>, count=<unavailable>, byteswap=0) + 723 at libelf_convert.c:1672
frame #1: 0x000000000040b307 strings_libelf_load_section_headers(e=0x0000000800c060c0, ehdr=<unavailable>) + 1791 at elf_scn.c:108 frame #2: 0x000000000040c38b stringself_nextscn [inlined] elf_getscn(e=0x0000000800c060c0, index=<unavailable>) + 370 at elf_scn.c:146
frame #3: 0x000000000040c219 stringself_nextscn(e=0x0000000800c060c0, s=<unavailable>) + 305 at elf_scn.c:231 frame #4: 0x0000000000403a85 stringshandle_elf(name=0x00007fffffffe836, fd=<unavailable>) + 1229 at strings.c:280
frame #5: 0x00000000004010cd stringsmain(argc=<unavailable>, argv=<unavailable>) + 3205 at strings.c:197 frame #6: 0x000000000040030f strings_start(ap=<unavailable>, cleanup=<unavailable>) + 367 at crt1.c:78

[Joseph Koshy]

Take this ticket.

[Ed Maste]

A fix in FreeBSD here:
https://svnweb.freebsd.org/base?view=revision&revision=276374

[Ed Maste]

Original fix reverted, proper fix here:
https://github.com/emaste/elftoolchain/commit/7375be2b75b1299ffdf16b3da8cc4ce008ce0a9b

And in FreeBSD here:
https://svnweb.freebsd.org/changeset/base/276427

[Ed Maste]

err, make that https://github.com/emaste/elftoolchain/commit/42746ec43c6cdcc69a064c8505912202de33fc99

[Ed Maste]

Committed as [r3147]