From 3be0cc1b1522874cf5dc509678aa6a5658b6bad5 Mon Sep 17 00:00:00 2001
From: Zeke Lu <lvzecai@gmail.com>
Date: Wed, 26 Oct 2022 19:19:28 +0800
Subject: [PATCH] debug/elf: guard access to File.gnuVersym

The size of gnuVersym should be multiples of 2. If not, the input is
invalid. No Library and Version information is added to sym in this
case. The current implementation of gnuVersion does not report errors
for invalid input.

While at here, bring back the comment that states that the undef entry
at the beginning is skipped. This is not an off-by-one error.

No test case because the problem can only happen for invalid data. Let
the fuzzer find cases like this.
---
 src/debug/elf/file.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/debug/elf/file.go b/src/debug/elf/file.go
index 7c5ac86c0a1aa8..88b957657b85b8 100644
--- a/src/debug/elf/file.go
+++ b/src/debug/elf/file.go
@@ -1570,12 +1570,16 @@ func (f *File) gnuVersionInit(str []byte) bool {
 // gnuVersion adds Library and Version information to sym,
 // which came from offset i of the symbol table.
 func (f *File) gnuVersion(i int) (library string, version string) {
-	// Each entry is two bytes.
+	// Each entry is two bytes; skip undef entry at beginning.
 	i = (i + 1) * 2
 	if i >= len(f.gnuVersym) {
 		return
 	}
-	j := int(f.ByteOrder.Uint16(f.gnuVersym[i:]))
+	s := f.gnuVersym[i:]
+	if len(s) < 2 {
+		return
+	}
+	j := int(f.ByteOrder.Uint16(s))
 	if j < 2 || j >= len(f.gnuNeed) {
 		return
 	}