diff options
| author | Alan Modra <amodra@gmail.com> | 2015-07-17 00:13:22 +0930 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2015-07-17 00:30:16 +0930 |
| commit | bba0ea53ab18d34511045416cdfa20c8151a49bd (patch) | |
| tree | a660709c3dc78b49c57dd05f392032ffa7cd12a1 /binutils | |
| parent | 6daf15c3050e228c9aff5dcabf0cc8e9e40272bb (diff) | |
| download | gdb-bba0ea53ab18d34511045416cdfa20c8151a49bd.zip gdb-bba0ea53ab18d34511045416cdfa20c8151a49bd.tar.gz gdb-bba0ea53ab18d34511045416cdfa20c8151a49bd.tar.bz2 | |
Correct readelf dynamic section buffer overlow test
PR binutils/18672
* readelf.c (get_32bit_dynamic_section): Correct buffer limit test.
(get_64bit_dynamic_section): Likewise.
Diffstat (limited to 'binutils')
| -rw-r--r-- | binutils/ChangeLog | 6 | ||||
| -rw-r--r-- | binutils/readelf.c | 6 |
2 files changed, 9 insertions, 3 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 5ae64e5..3565e94 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,9 @@ +2015-07-16 Alan Modra <amodra@gmail.com> + + PR binutils/18672 + * readelf.c (get_32bit_dynamic_section): Correct buffer limit test. + (get_64bit_dynamic_section): Likewise. + 2015-03-25 Nick Clifton <nickc@redhat.com> * coffgrok.c: Remove redundant prototypes. diff --git a/binutils/readelf.c b/binutils/readelf.c index 2f8257a..59d3381 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -8365,7 +8365,7 @@ get_32bit_dynamic_section (FILE * file) might not have the luxury of section headers. Look for the DT_NULL terminator to determine the number of entries. */ for (ext = edyn, dynamic_nent = 0; - (char *) ext < (char *) edyn + dynamic_size - sizeof (* entry); + (char *) (ext + 1) <= (char *) edyn + dynamic_size; ext++) { dynamic_nent++; @@ -8413,8 +8413,8 @@ get_64bit_dynamic_section (FILE * file) might not have the luxury of section headers. Look for the DT_NULL terminator to determine the number of entries. */ for (ext = edyn, dynamic_nent = 0; - /* PR 17533 file: 033-67080-0.004 - do not read off the end of the buffer. */ - (char *) ext < ((char *) edyn) + dynamic_size - sizeof (* ext); + /* PR 17533 file: 033-67080-0.004 - do not read past end of buffer. */ + (char *) (ext + 1) <= (char *) edyn + dynamic_size; ext++) { dynamic_nent++; |