From 2caac530f13bf69a988f65eb109f26a7311936c6 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 20 Feb 2020 17:58:55 -0500
Subject: [PATCH] Sanity check e_phentsize in ELF parser
---
src/file.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/file.c b/src/file.c
index 3c9d084..e0d4f85 100644
--- a/src/file.c
+++ b/src/file.c
@@ -469,6 +469,12 @@ uint32_t gather_elf(int fd, off_t size)
// We want to do a basic size check to make sure
unsigned long sz =
(unsigned)hdr->e_phentsize * (unsigned)hdr->e_phnum;
+ /* Verify the entry size is right */
+ if ((unsigned)hdr->e_phentsize != sizeof(Elf32_Phdr)) {
+ info |= HAS_ERROR;
+ free(hdr);
+ goto rewind_out;
+ }
if (sz > ((unsigned long)size - sizeof(Elf32_Ehdr))) {
info |= HAS_ERROR;
free(hdr);
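Review bot: The new e_phentsize check bounds the entry size but not where the table sits: the following `sz > size - sizeof(Elf32_Ehdr)` test still passes when `e_phoff` places the program-header table partly or wholly past end of file, so unless the later read of the table is bounded elsewhere (outside this hunk) it should also reject `hdr->e_phoff > (unsigned long)size - sz`. Minor ordering point: the check is inserted after `sz` is computed even though `sz` is not used until the next `if`; placing it above the `unsigned long sz =` line keeps the "basic size check" comment next to the test it describes and avoids doing arithmetic on a header already known to be malformed. The early exit correctly mirrors the existing `info |= HAS_ERROR; free(hdr); goto rewind_out;` path. gather_elf starts before and continues after this hunk.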
@@ -600,6 +606,12 @@ uint32_t gather_elf(int fd, off_t size)
// We want to do a basic size check to make sure
unsigned long sz =
(unsigned)hdr->e_phentsize * (unsigned)hdr->e_phnum;
+ /* Verify the entry size is right */
+ if ((unsigned)hdr->e_phentsize != sizeof(Elf64_Phdr)) {
+ info |= HAS_ERROR;
+ free(hdr);
+ goto rewind_out;
+ }
if (sz > ((unsigned long)size - sizeof(Elf64_Ehdr))) {
info |= HAS_ERROR;
free(hdr);
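Review bot: The 64-bit branch repeats the 32-bit check verbatim except for `sizeof(Elf64_Phdr)`, and neither copy covers the e_phnum escape value: when `e_phnum == PN_XNUM` (0xffff) the real count lives in section header 0's `sh_info`, so `sz` understates the table and the size test is satisfied by a header that still describes more entries than the file holds; if that case is not handled where the table is read (outside this hunk), add `if (hdr->e_phnum == PN_XNUM) { info |= HAS_ERROR; free(hdr); goto rewind_out; }` or resolve the real count before computing `sz`. Consider folding the two identical checks into one `static` helper taking the expected entry size so the 32- and 64-bit paths cannot drift apart. gather_elf starts before and continues after this hunk.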