Heap-buffer-overflow in build_dynsym_data at internal.c:304

[bladchan]

Describe the bug
A bad elf file which can lead elf_open_object() to a heap-buffer-overflow(read) issue.
Poc here:
poc1.zip

To Reproduce

1. Build the whole project with ASAN
2. Run examples/elfparse

$ ./elfparse ./overflow

Expected behavior
The code snippet where the issue happened should avoid the out-bounds read operation.

Environment (please complete the following information):

• System and Version : Ubuntu 18.04 + gcc 7.5.0
• Target file: examples/elfparse
• libelfmaster commit version: 03b7170

Additional context
ASAN says:

=================================================================
==37927==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f93d6cbc9b0 at pc 0x56104361d25c bp 0x7ffeecb3fb30 sp 0x7ffeecb3fb20
READ of size 4 at 0x7f93d6cbc9b0 thread T0
    #0 0x56104361d25b in build_dynsym_data /home/ubuntu/some_c_test/libelfmaster/src/internal.c:304
    #1 0x5610436130af in elf_open_object /home/ubuntu/some_c_test/libelfmaster/src/libelfmaster.c:3285
    #2 0x5610435efb04 in main /home/ubuntu/some_c_test/libelfmaster/examples/elfparse.c:38
    #3 0x7f93d5834c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #4 0x5610435f1c19 in _start (/home/ubuntu/some_c_test/libelfmaster/fuzz/elfparse+0x8c19)

0x7f93d6cbc9b0 is located 0 bytes to the right of 197040-byte region [0x7f93d6c8c800,0x7f93d6cbc9b0)
allocated by thread T0 here:
    #0 0x7f93d5ce2d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x7f93d592fbeb in hcreate_r (/lib/x86_64-linux-gnu/libc.so.6+0x11cbeb)
    #2 0x5610435efb04 in main /home/ubuntu/some_c_test/libelfmaster/examples/elfparse.c:38
    #3 0x7ffeecb41219  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/some_c_test/libelfmaster/src/internal.c:304 in build_dynsym_data
Shadow bytes around the buggy address:
  0x0ff2fad8f8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2fad8f8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2fad8f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2fad8f910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2fad8f920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff2fad8f930: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x0ff2fad8f940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff2fad8f950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff2fad8f960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff2fad8f970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff2fad8f980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37927==ABORTING