This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.



[binutils-gdb/binutils-2_25-branch] Correct readelf dynamic section buffer overflow test


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bba0ea53ab18d34511045416cdfa20c8151a49bd

commit bba0ea53ab18d34511045416cdfa20c8151a49bd
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Jul 17 00:13:22 2015 +0930

    Correct readelf dynamic section buffer overflow test
    
    	PR binutils/18672
    	* readelf.c (get_32bit_dynamic_section): Correct buffer limit test.
    	(get_64bit_dynamic_section): Likewise.

Diff:
---
 binutils/ChangeLog | 6 ++++++
 binutils/readelf.c | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 5ae64e5..3565e94 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2015-07-16  Alan Modra  <amodra@gmail.com>
+
+	PR binutils/18672
+	* readelf.c (get_32bit_dynamic_section): Correct buffer limit test.
+	(get_64bit_dynamic_section): Likewise.
+
 2015-03-25  Nick Clifton  <nickc@redhat.com>
 
 	* coffgrok.c: Remove redundant prototypes.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 2f8257a..59d3381 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -8365,7 +8365,7 @@ get_32bit_dynamic_section (FILE * file)
      might not have the luxury of section headers.  Look for the DT_NULL
      terminator to determine the number of entries.  */
   for (ext = edyn, dynamic_nent = 0;
-       (char *) ext < (char *) edyn + dynamic_size - sizeof (* entry);
+       (char *) (ext + 1) <= (char *) edyn + dynamic_size;
        ext++)
     {
       dynamic_nent++;
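
Review bot: In get_32bit_dynamic_section the new condition computes ext + 1 before comparing it with the limit, so if dynamic_size is smaller than one entry or is not a multiple of the entry size, and edyn holds exactly dynamic_size bytes, the test forms a pointer more than one past the end of the buffer, which C leaves undefined. Comparing the bytes remaining instead, for example (char *) edyn + dynamic_size - (char *) ext >= (ptrdiff_t) sizeof (* ext), keeps the intent of the change (accept an entry that ends exactly at the limit, which the old '<' combined with '- sizeof (* entry)' rejected) without forming the out-of-range pointer.
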
@@ -8413,8 +8413,8 @@ get_64bit_dynamic_section (FILE * file)
      might not have the luxury of section headers.  Look for the DT_NULL
      terminator to determine the number of entries.  */
   for (ext = edyn, dynamic_nent = 0;
-       /* PR 17533 file: 033-67080-0.004 - do not read off the end of the buffer.  */
-       (char *) ext < ((char *) edyn) + dynamic_size - sizeof (* ext);
+       /* PR 17533 file: 033-67080-0.004 - do not read past end of buffer.  */
+       (char *) (ext + 1) <= (char *) edyn + dynamic_size;
        ext++)
     {
       dynamic_nent++;
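
Review bot: The comment kept above the condition in get_64bit_dynamic_section still names only PR 17533, and the matching condition in get_32bit_dynamic_section carries no comment in the lines shown, so nothing at either loop records why the test moved from '< ... - sizeof (* ext)' to '(ext + 1) <= ...'. Suggest a one-line comment at both loops citing PR binutils/18672 and stating that an entry ending exactly at edyn + dynamic_size must be counted. The diffstat lists only ChangeLog and readelf.c, so a regression test for that boundary case would be worth adding with the fix.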

