ELF header parsing library doesn't check for valid offset
The crate has several unsafe sections that don't perform proper pointer validation. An example can be found in the following function: fn section_header_raw(&self) -> &[ET::SectionHeader] { let sh_off = self.elf_header().section_header_offset() as usize; let sh_num = self.elf_header().section_header_entry_num() as usize; unsafe { let sh_ptr = self.content().as_ptr().add(sh_off); from_raw_parts(sh_ptr as *const ET::SectionHeader, sh_num) } } While this will work perfectly fine if the ELF header is valid, malicious or malformed input can contain a …