This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.



[binutils-gdb] Work around integer overflows when readelf is checking for corrupt ELF notes when run on a 32-bit ho


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6ab2c4ed51f9c4243691755e1b1d2149c6a426f4

commit 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4
Author: Mingi Cho <mgcho.minic@gmail.com>
Date:   Thu Nov 2 17:01:08 2017 +0000

    Work around integer overflows when readelf is checking for corrupt ELF notes when run on a 32-bit host.
    
    	PR 22384
    	* readelf.c (print_gnu_property_note): Improve overflow checks so
    	that they will work on a 32-bit host.

Diff:
---
 binutils/ChangeLog |  6 ++++++
 binutils/readelf.c | 33 +++++++++++++++++----------------
 2 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 231fc84..19f9261 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-02  Mingi Cho  <mgcho.minic@gmail.com>
+
+	PR 22384
+	* readelf.c (print_gnu_property_note): Improve overflow checks so
+	that they will work on a 32-bit host.
+
 2017-11-01  James Bowman  <james.bowman@ftdichip.com>
 
 	* readelf.c (is_16bit_abs_reloc): Add entry for FT32.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 9af5d42..cfd37eb 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -16519,15 +16519,24 @@ print_gnu_property_note (Elf_Internal_Note * pnote)
       return;
     }
 
-  while (1)
+  while (ptr < ptr_end)
     {
       unsigned int j;
-      unsigned int type = byte_get (ptr, 4);
-      unsigned int datasz = byte_get (ptr + 4, 4);
+      unsigned int type;
+      unsigned int datasz;
+
+      if ((size_t) (ptr_end - ptr) < 8)
+	{
+	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
+	  break;
+	}
+
+      type = byte_get (ptr, 4);
+      datasz = byte_get (ptr + 4, 4);
 
       ptr += 8;
 
-      if ((ptr + datasz) > ptr_end)
+      if (datasz > (size_t) (ptr_end - ptr))
 	{
 	  printf (_("<corrupt type (%#x) datasz: %#x>\n"),
 		  type, datasz);
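Review bot: the replaced bounds check `if ((ptr + datasz) > ptr_end)` is the overflow the PR is about: on a 32-bit host a corrupt `datasz` close to 4 GiB makes `ptr + datasz` wrap around, so the sum compares below `ptr_end` and the oversized entry passes; the new form `if (datasz > (size_t) (ptr_end - ptr))` compares against the remaining byte count and cannot wrap. Same reasoning for the new 8-byte header check, which now runs before `byte_get` reads `type` and `datasz` instead of after. One small point on the new corrupt-header branch: it prints `pnote->descsz`, which tells the reader the total note size but not how many trailing bytes were actually left; printing `(unsigned long) (ptr_end - ptr)` alongside it would make the diagnostic say exactly what was wrong with the note.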
@@ -16608,19 +16617,11 @@ next:
       ptr += ((datasz + (size - 1)) & ~ (size - 1));
       if (ptr == ptr_end)
 	break;
-      else
-	{
-	  if (do_wide)
-	    printf (", ");
-	  else
-	    printf ("\n\t");
-	}
 
-      if (ptr > (ptr_end - 8))
-	{
-	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
-	  break;
-	}
+      if (do_wide)
+	printf (", ");
+      else
+	printf ("\n\t");
     }
 
   printf ("\n");
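Review bot: the `ptr == ptr_end` test after the alignment step can miss the case where the rounded-up size runs past the end of the note. `ptr += ((datasz + (size - 1)) & ~ (size - 1))` can advance `ptr` by more than `datasz` bytes, and `datasz` was only checked against the remaining bytes, not its aligned size, so `ptr` may land strictly beyond `ptr_end`; the equality test then fails, the separator is printed, and the new `while (ptr < ptr_end)` condition ends the loop silently without a corrupt-note message. Suggest `if (ptr >= ptr_end) break;` here, or reporting the overrun explicitly, so a truncated final property is flagged like the other corruption cases in this function. Dropping the old trailing `ptr > (ptr_end - 8)` check is fine now that the 8-byte check sits at the top of the loop; `ptr_end - 8` could itself underflow when the note was shorter than 8 bytes.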

