debug/elf: makeslice: len out of range

[dvyukov]

The following program crashes with the panic on the provided input:

package main

import (
    "bytes"
    "debug/elf"
    "io/ioutil"
    "os"
)

func main() {
    data, _ := ioutil.ReadFile(os.Args[1])
    f, err := elf.NewFile(bytes.NewReader(data))
    if err != nil {
        if f != nil {
            panic("file is not nil on error")
        }
        return
    }
    defer f.Close()
    f.DynamicSymbols()
    f.ImportedLibraries()
    f.ImportedSymbols()
    f.Section(".data")
    f.SectionByType(elf.SHT_GNU_VERSYM)
    f.Symbols()
    dw, err := f.DWARF()
    if err != nil {
        if dw != nil {
            panic("dwarf is not nil on error")
        }
        return
    }
    dr := dw.Reader()
    for {
        e, _ := dr.Next()
        if e == nil {
            break
        }
    }
}

panic: runtime error: makeslice: len out of range

goroutine 1 [running]:
debug/elf.(*Section).Data(0xc208020ea0, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/debug/elf/file.go:78 +0x6e
debug/elf.NewFile(0x7ff342f88260, 0xc208014480, 0x645940, 0x0, 0x0)
    src/debug/elf/file.go:380 +0x111b
main.main()
    elftest.go:12 +0x11d

The input is:
https://drive.google.com/file/d/0B20Uwp8Hs1oCZUhqS3RiWFRja1U/view?usp=sharing

on commit 596bb76

[dvyukov]

/cc @ianlancetaylor @davecheney

Data could check the claimed section size as:

func (s *Section) Data() ([]byte, error) {
+   if s.sr.Size() == 0 {
+       return nil, nil
+   }
+   var tmp [1]byte
+   if err := s.sr.ReadAt(tmp[:], s.sr.Size()-1); err != nil {
+       return nil, err
+   }
    dat := make([]byte, s.sr.Size())
    n, err := s.sr.ReadAt(dat, 0)
    if n == len(dat) {
        err = nil
    }
    return dat[0:n], err
}

[rsc]

It's too late in the Go 1.5 release process for fuzzer bugs. The chance of hitting any of these is so low that the benefit of the fix is outweighed by the chance of the fix introducing a more serious bug.

[ALTree]

Fixed on the latest version (tried both go1.7 and go1.8).