author | Abseil Team <absl-team@google.com> | 2023-02-21 11:19:15 -0800 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2023-02-21 11:20:22 -0800 |
commit | d9ae096e74b04d3567aa89db234204fd4b11dd3f (patch) | |
tree | 855048c79d9d582cbc12e03de6a7a521cbfe9cbc | |
parent | bd624d9f9825f76f14453beb3df81d82b9e17062 (diff) |
absl: fix potential int overflow in ELF reading
Both e_shentsize and e_shstrndx are uint16, so the product
elf_header.e_shentsize * elf_header.e_shstrndx
can overflow the promoted type int (MAX_UINT16 * MAX_UINT16 > MAX_INT),
which is undefined behavior. Not sure if it can affect any real cases
or not, though.
Cast e_shentsize to loff_t instead of e_shoff.
This makes both the multiplication and the addition use the loff_t type.
PiperOrigin-RevId: 511254775
Change-Id: I39c493bfb539cca6742aae807c50718d31e7c001
-rw-r--r-- | absl/debugging/symbolize_elf.inc | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/absl/debugging/symbolize_elf.inc b/absl/debugging/symbolize_elf.inc index ffb4eecf..0fee89f2 100644 --- a/absl/debugging/symbolize_elf.inc +++ b/absl/debugging/symbolize_elf.inc @@ -532,6 +532,11 @@ bool ForEachSection(int fd, return false; } + // Technically it can be larger, but in practice this never happens. + if (elf_header.e_shentsize != sizeof(ElfW(Shdr))) { + return false; + } + ElfW(Shdr) shstrtab; off_t shstrtab_offset = static_cast<off_t>(elf_header.e_shoff) + elf_header.e_shentsize * elf_header.e_shstrndx; @@ -584,6 +589,11 @@ bool GetSectionHeaderByName(int fd, const char *name, size_t name_len, return false; } + // Technically it can be larger, but in practice this never happens. + if (elf_header.e_shentsize != sizeof(ElfW(Shdr))) { + return false; + } + ElfW(Shdr) shstrtab; off_t shstrtab_offset = static_cast<off_t>(elf_header.e_shoff) + elf_header.e_shentsize * elf_header.e_shstrndx; |
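Review bot: the commit message says e_shentsize is now cast to loff_t instead of e_shoff, but the ForEachSection hunk does not touch the offset computation: the unchanged context line still reads `static_cast<off_t>(elf_header.e_shoff) + elf_header.e_shentsize * elf_header.e_shstrndx;`, so the two uint16 operands are still multiplied in promoted int. The overflow is avoided only because the new check pins e_shentsize to sizeof(ElfW(Shdr)), which bounds the product to sizeof(ElfW(Shdr)) * 65535. Either apply the cast the message describes, e.g. `static_cast<off_t>(elf_header.e_shentsize) * elf_header.e_shstrndx`, or reword the message to say the fix is the size check. The comment `// Technically it can be larger, but in practice this never happens.` should also name what can be larger (e_shentsize relative to sizeof(ElfW(Shdr))), since the check now rejects ELF files with a larger but otherwise valid section header entry size.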
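Review bot: the GetSectionHeaderByName hunk duplicates the same five-line check and comment added to ForEachSection, and the unchanged context line below it still computes `elf_header.e_shentsize * elf_header.e_shstrndx` in int without the loff_t cast the message describes. Consider moving the elf_header validation into one helper that both functions call, so the bound on e_shentsize and any future cast live in a single place.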