This is a fix for PR binutils/16723, where a corrupt .gnu.version_r section could

send readelf into an infinite loop.

	* readelf.c (process_version_sections): Prevent an infinite loop
	when the vn_next field is zero but there are still entries to be
	processed.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 2a65f47db40401f38e921f44e5b5311c2307fa49..03a1e18cda282dc2d080cf6f51d0a89568825309 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,10 @@
+2014-03-19  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/16723
+       * readelf.c (process_version_sections): Prevent an infinite loop
+       when the vn_next field is zero but there are still entries to be
+       processed.
+
 2014-03-17  Tristan Gingold  <gingold@adacore.com>
 
        * od-macho.c (dump_section_header): Renames of dump_section.

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 27682b225fba6eadd6da481a8ace983b90e731f9..79137e3b3ed63c8cce0d251f175e4f8bd5df9b55 100644 (file)
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -8971,6 +8971,12 @@ process_version_sections (FILE * file)
                if (j < ent.vn_cnt)
                  warn (_("Missing Version Needs auxillary information\n"));
 
+               if (ent.vn_next == 0 && cnt < section->sh_info)
+                 {
+                   warn (_("Corrupt Version Needs structure - offset to next structure is zero with entries still left to be processed\n"));
+                   cnt = section->sh_info;
+                   break;
+                 }
                idx += ent.vn_next;
              }