From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001
From: Mingi Cho
Date: Thu, 2 Nov 2017 17:01:08 +0000
Subject: [PATCH] Work around integer overflows when readelf is checking for corrupt ELF notes when run on a 32-bit host.
PR 22384
* readelf.c (print_gnu_property_note): Improve overflow checks so that they will work on a 32-bit host.
---
 binutils/ChangeLog | 6 ++++++
 binutils/readelf.c | 33 +++++++++++++++++----------------
 2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 231fc844b6b..19f926155dd 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-02 Mingi Cho
+
+ PR 22384
+ * readelf.c (print_gnu_property_note): Improve overflow checks so
+ that they will work on a 32-bit host.
+
 2017-11-01 James Bowman
 * readelf.c (is_16bit_abs_reloc): Add entry for FT32.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 9af5d42e8b5..cfd37eb3b6e 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -16519,15 +16519,24 @@ print_gnu_property_note (Elf_Internal_Note * pnote)
 return;
 }
- while (1)
+ while (ptr < ptr_end)
 {
 unsigned int j;
- unsigned int type = byte_get (ptr, 4);
- unsigned int datasz = byte_get (ptr + 4, 4);
+ unsigned int type;
+ unsigned int datasz;
+
+ if ((size_t) (ptr_end - ptr) < 8)
+ {
+ printf (_("\n"), pnote->descsz);
+ break;
+ }
+
+ type = byte_get (ptr, 4);
+ datasz = byte_get (ptr + 4, 4);
 ptr += 8;
- if ((ptr + datasz) > ptr_end)
+ if (datasz > (size_t) (ptr_end - ptr))
 {
 printf (_("\n"), type, datasz);
@@ -16608,19 +16617,11 @@ next:
 ptr += ((datasz + (size - 1)) & ~ (size - 1));
 if (ptr == ptr_end)
 break;
- else
- {
- if (do_wide)
- printf (", ");
- else
- printf ("\n\t");
- }
- if (ptr > (ptr_end - 8))
- {
- printf (_("\n"), pnote->descsz);
- break;
- }
+ if (do_wide)
+ printf (", ");
+ else
+ printf ("\n\t");
 }
 printf ("\n");
--
2.30.2
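Review bot: The two new bounds checks in the first readelf.c hunk, `(size_t) (ptr_end - ptr) < 8` and `datasz > (size_t) (ptr_end - ptr)`, carry no comment saying why they compare against the bytes remaining, so a later cleanup could fold them back into the `(ptr + datasz) > ptr_end` form that wraps on a 32-bit host. I would add above the second check `/* Compare with the bytes left; ptr + datasz can wrap on a 32-bit host. */`, and above the first a short comment that 8 is the size of the type and datasz fields read by the two `byte_get (..., 4)` calls. The casts are only sound while `ptr <= ptr_end` holds, which the new loop condition and the `< 8` test establish at both points. `ptr_end` is set outside the hunk, so how it is derived from the note size could not be checked here.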
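Review bot: The advance `ptr += ((datasz + (size - 1)) & ~ (size - 1));` on the first line of the second readelf.c hunk is still unchecked. `datasz` was compared with the remaining bytes before rounding, but the rounded-up step is not. With the `ptr > (ptr_end - 8)` test removed, a step that lands past `ptr_end` would end the loop through `while (ptr < ptr_end)` without printing any corruption diagnostic. Whether that is reachable depends on alignment validation of the note size outside this hunk, so it may be impossible in practice. A guard written in the same subtraction style would make it evident locally: before the advance, test `((datasz + (size - 1)) & ~ (size - 1)) > (size_t) (ptr_end - ptr)`, then report the note as corrupt and `break`. The loop body between the two hunks, including the jumps to `next:`, is outside the visible lines.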