author | Mingi Cho <mgcho.minic@gmail.com> | 2017-11-02 17:01:08 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2017-11-02 17:01:08 +0000 |
commit | 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 (patch) | |
tree | e93dfa25aa08ff1322bb84542d18fe678a61a5da | |
parent | f26ae15b471aaddee81d9d6c03af1cb0f2081735 (diff) | |
Work around integer overflows when readelf is checking for corrupt ELF notes when run on a 32-bit host.
PR 22384
* readelf.c (print_gnu_property_note): Improve overflow checks so
that they will work on a 32-bit host.
-rw-r--r-- | binutils/ChangeLog | 6 | ||||
-rw-r--r-- | binutils/readelf.c | 33 |
2 files changed, 23 insertions, 16 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 231fc84..19f9261 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-02 Mingi Cho <mgcho.minic@gmail.com>
+
+ PR 22384
+ * readelf.c (print_gnu_property_note): Improve overflow checks so
+ that they will work on a 32-bit host.
+
 2017-11-01 James Bowman <james.bowman@ftdichip.com>
 
 * readelf.c (is_16bit_abs_reloc): Add entry for FT32.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 9af5d42..cfd37eb 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -16519,15 +16519,24 @@ print_gnu_property_note (Elf_Internal_Note * pnote)
 return;
 }
 
- while (1)
+ while (ptr < ptr_end)
 {
 unsigned int j;
- unsigned int type = byte_get (ptr, 4);
- unsigned int datasz = byte_get (ptr + 4, 4);
+ unsigned int type;
+ unsigned int datasz;
+
+ if ((size_t) (ptr_end - ptr) < 8)
+ {
+ printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
+ break;
+ }
+
+ type = byte_get (ptr, 4);
+ datasz = byte_get (ptr + 4, 4);
 
 ptr += 8;
 
- if ((ptr + datasz) > ptr_end)
+ if (datasz > (size_t) (ptr_end - ptr))
 {
 printf (_("<corrupt type (%#x) datasz: %#x>\n"),
 type, datasz);
@@ -16608,19 +16617,11 @@ next:
 ptr += ((datasz + (size - 1)) & ~ (size - 1));
 if (ptr == ptr_end)
 break;
- else
- {
- if (do_wide)
- printf (", ");
- else
- printf ("\n\t");
- }
 
- if (ptr > (ptr_end - 8))
- {
- printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
- break;
- }
+ if (do_wide)
+ printf (", ");
+ else
+ printf ("\n\t");
 }
 
 printf ("\n"); |
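Review bot: The two new length tests at the top of the loop have no comment explaining why they compare byte counts instead of pointers, so a later tidy-up could fold them back into the `(ptr + datasz) > ptr_end` form that wraps on a 32-bit host. Above `if (datasz > (size_t) (ptr_end - ptr))` I would add `/* Compare lengths, not pointers: ptr + datasz can wrap on a 32-bit host (PR 22384).  */`. Above the `< 8` test I would add `/* Need 4 bytes of type and 4 bytes of datasz.  */`, since the literal 8 is otherwise unexplained. The body of print_gnu_property_note starts and ends outside this hunk.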
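Review bot: The padded advance at `next:`, `ptr += ((datasz + (size - 1)) & ~ (size - 1));`, is still not checked against the bytes that remain, because the earlier test bounds only the unpadded datasz. Unless a check outside these hunks guarantees that descsz is a multiple of size, a last property with an unaligned datasz moves ptr past ptr_end. With the old `ptr > (ptr_end - 8)` test removed, that case now prints a separator and leaves the loop with no corrupt-note message. I would compute the rounded size into a size_t first and reject it when it exceeds the remaining length, reusing the existing corrupt-datasz string so no new translatable message is needed. The loop body between the two readelf.c hunks is not visible here.

```c
    next:
      {
	size_t advance = ((size_t) datasz + (size - 1)) & ~ (size_t) (size - 1);

	/* The datasz check above does not cover the alignment padding.  */
	if (advance > (size_t) (ptr_end - ptr))
	  {
	    printf (_("<corrupt type (%#x) datasz: %#x>\n"), type, datasz);
	    break;
	  }
	ptr += advance;
      }
      /* … unchanged: ptr == ptr_end test and separator output … */
```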