RootCause: unvalidated

When e_phnum == PN_XNUM (0xFFFF), the actual program-header count is read from the first section header's sh_info field. Outcome: A crafted ELF with many sections each pointing (via sh_link) to different fake SHT_STRTAB sections with huge sh_size triggers repeated huge allocations.
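A parser can reject both conditions by comparing every count and size against the file length before allocating anything. The sketch below is an added example, not code from the affected project; it assumes a little-endian ELF64 image, and `audit_elf64` and `constructed_sample` are hypothetical names.

```python
import struct

PN_XNUM, SHT_STRTAB = 0xFFFF, 3
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr

def audit_elf64(data):
    """Return findings for count/size fields that cannot fit in the file."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4] != 2:
        return ["not an ELF64 image"]
    (_, _, _, _, _, phoff, shoff, _, _, phentsize,
     phnum, shentsize, shnum, _) = EHDR.unpack_from(data)
    if shentsize != SHDR.size or shoff + shnum * shentsize > len(data):
        return ["section header table outside file"]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    findings = []
    if phnum == PN_XNUM:
        if not shdrs:
            return ["PN_XNUM set but there is no section header 0"]
        phnum = shdrs[0][7]                  # real count is sh_info of section 0
    if phoff + phnum * phentsize > len(data):
        findings.append(f"program header table ({phnum} entries) outside file")
    for i, sh in enumerate(shdrs):
        link = sh[6]                         # sh_link
        if link >= shnum:
            findings.append(f"section {i}: sh_link {link} out of range")
            continue
        _, ttype, _, _, toff, tsize, *_ = shdrs[link]
        # Check the claimed size against the file before any allocation.
        if ttype == SHT_STRTAB and toff + tsize > len(data):
            findings.append(f"section {i}: string table {link} claims {tsize} bytes")
    return findings

def constructed_sample(strtab_size=2**40, sh0_info=1_000_000, link3=9):
    """Constructed 320-byte test image: header plus four section headers."""
    shdrs = [SHDR.pack(0, 0, 0, 0, 0, 0, 0, sh0_info, 0, 0),
             SHDR.pack(0, 2, 0, 0, 0, 0, 2, 0, 0, 0),
             SHDR.pack(0, SHT_STRTAB, 0, 0, 64, strtab_size, 0, 0, 0, 0),
             SHDR.pack(0, 2, 0, 0, 0, 0, link3, 0, 0, 0)]
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + bytes(9), 2, 62, 1, 0, 320, 64, 0,
                     64, 56, PN_XNUM, 64, len(shdrs), 0)
    return ehdr + b"".join(shdrs)

if __name__ == "__main__":
    for finding in audit_elf64(constructed_sample()):
        print(finding)
```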

3ab5429c-d1c9-4e3e-899a-d24bf952a861
