debug/elf: use saferio.SliceCap for segment slice

This avoids using a lot of memory for an invalid segment count.

No test case because the problem can only happen for invalid ata.
Let the fuzzer find cases like this.

For #47653
Fixes #78611

Change-Id: I649f5446496bfa46668e7a3e5c84c82131e1d136
Reviewed-on: https://go-review.googlesource.com/c/go/+/765061
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Ian Lance Taylor <iant@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>

1 files changed, 10 insertions, 3 deletions

diff --git a/src/debug/elf/file.go b/src/debug/elf/file.go
index faba6fa4e9..e243b8a5f5 100644
--- a/src/debug/elf/file.go
+++ b/src/debug/elf/file.go
@@ -467,7 +467,14 @@ func NewFile(r io.ReaderAt) (*File, error) {
 	}
 
 	// Read program headers
-	f.Progs = make([]*Prog, phnum)
+	c := saferio.SliceCap[*Prog](uint64(phnum))
+	if c < 0 {
+		return nil, &FormatError{0, "too many segments", phnum}
+	}
+	if phnum > 0 && ((1<<64)-1)/uint64(phnum) < uint64(phentsize) {
+		return nil, &FormatError{0, "segment header overflow", phnum}
+	}
+	f.Progs = make([]*Prog, 0, c)
 	phdata, err := saferio.ReadDataAt(sr, uint64(phnum)*uint64(phentsize), phoff)
 	if err != nil {
 		return nil, err
@@ -509,7 +516,7 @@ func NewFile(r io.ReaderAt) (*File, error) {
 		}
 		p.sr = io.NewSectionReader(r, int64(p.Off), int64(p.Filesz))
 		p.ReaderAt = p.sr
-		f.Progs[i] = p
+		f.Progs = append(f.Progs, p)
 	}
 
 	if shnum > 0 && shentsize < wantShentsize {
@@ -517,7 +524,7 @@ func NewFile(r io.ReaderAt) (*File, error) {
 	}
 
 	// Read section headers
-	c := saferio.SliceCap[Section](uint64(shnum))
+	c = saferio.SliceCap[Section](uint64(shnum))
 	if c < 0 {
 		return nil, &FormatError{0, "too many sections", shnum}
 	}