From 53c3012ccc25ecfc4fa1f52e341e19b30d1e57db Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Fri, 17 Jul 2015 00:13:22 +0930
Subject: [PATCH] Correct readelf dynamic section buffer overlow test

PR binutils/18672
* readelf.c (get_32bit_dynamic_section): Correct buffer limit test.
(get_64bit_dynamic_section): Likewise.
---
 binutils/ChangeLog | 6 ++++++
 binutils/readelf.c | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 4431ab8fce1..a68a8ea7f52 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2015-07-16 Alan Modra
+
+ PR binutils/18672
+ * readelf.c (get_32bit_dynamic_section): Correct buffer limit test.
+ (get_64bit_dynamic_section): Likewise.
+
 2015-07-14 H.J. Lu
 
 * objcopy.c (copy_file): Set BFD_COMPRESS_GABI if not
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 55faf838113..c313db4bc21 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -8683,7 +8683,7 @@ get_32bit_dynamic_section (FILE * file)
 might not have the luxury of section headers. Look for the DT_NULL
 terminator to determine the number of entries. */
 for (ext = edyn, dynamic_nent = 0;
- (char *) ext < (char *) edyn + dynamic_size - sizeof (* entry);
+ (char *) (ext + 1) <= (char *) edyn + dynamic_size;
 ext++)
 {
 dynamic_nent++;
@@ -8731,8 +8731,8 @@ get_64bit_dynamic_section (FILE * file)
 might not have the luxury of section headers. Look for the DT_NULL
 terminator to determine the number of entries. */
 for (ext = edyn, dynamic_nent = 0;
- /* PR 17533 file: 033-67080-0.004 - do not read off the end of the buffer. */
- (char *) ext < ((char *) edyn) + dynamic_size - sizeof (* ext);
+ /* PR 17533 file: 033-67080-0.004 - do not read past end of buffer. */
+ (char *) (ext + 1) <= (char *) edyn + dynamic_size;
 ext++)
 {
 dynamic_nent++;
-- 
2.30.2
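Review bot: The new bound `(char *) (ext + 1) <= (char *) edyn + dynamic_size` forms `ext + 1` before testing it, so when the scan ends without finding DT_NULL the last evaluation computes a pointer more than one element past the end of the buffer, which C leaves undefined even though nothing is dereferenced. This assumes the buffer at edyn holds exactly dynamic_size bytes, which the hunk does not show. Bounding the remaining byte count avoids creating that pointer: `(size_t) ((char *) edyn + dynamic_size - (char *) ext) >= sizeof (* ext);`. The same condition is added in the get_64bit_dynamic_section hunk, and both loop bodies continue outside the hunks.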
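Review bot: The comment kept inside the for-header of get_64bit_dynamic_section still cites only PR 17533, while the condition it annotates is now the one from PR binutils/18672, and the matching loop in get_32bit_dynamic_section has no comment at all. I would put one comment above both loops that states the invariant rather than a test-file id, for example `/* Stop once a whole entry no longer fits in the dynamic_size bytes at edyn; a missing DT_NULL must not run the scan off the buffer.  */`. The loop body continues outside the hunk.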