off by one in bfd/syms.c or bfd/elfcode.h?
H . J . Lu
hjl@lucon.org
Tue Mar 26 08:20:00 GMT 2002
On Tue, Mar 26, 2002 at 08:09:28AM -0800, Gregory Steuck wrote:
> >>>>> "Ian" == Ian Lance Taylor <ian@airs.com> writes:
>
> Ian> I would say that the bug is not in either of the functions you
> Ian> mention, but rather in _bfd_elf_get_symtab_upper_bound. It
> Ian> does not correctly handle the case of symtab_hdr->sh_size == 0,
> Ian> as it does not leave room for the trailing null entry.
>
> Would this be a correct patch then? (against release 2.10, I think)
>
> Index: bfd/elf.c
> ===================================================================
> RCS file: /cvs/src/gnu/usr.bin/binutils/bfd/elf.c,v
> retrieving revision 1.10
> diff -u -r1.10 elf.c
> --- bfd/elf.c 2001/06/09 22:29:25 1.10
> +++ bfd/elf.c 2002/03/26 15:56:17
> @@ -4302,7 +4302,8 @@
>
> Note that we base it on the count plus 1, since we will null terminate
> the vector allocated based on this size. However, the ELF symbol table
> - always has a dummy entry as symbol #0, so it ends up even. */
> + always has a dummy entry as symbol #0, so it ends up even. The only
> + exception to this rule being empty symbol table. */
>
> long
> _bfd_elf_get_symtab_upper_bound (abfd)
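Review bot: the new comment text in this hunk is grammatically incomplete ("The only exception to this rule being empty symbol table") and does not say what the exception implies; suggest a full sentence that states the consequence the code below relies on, e.g. "The only exception is an empty symbol table, which still needs one slot for the terminating null."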
> @@ -4313,7 +4314,10 @@
> Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
>
> symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
> - symtab_size = (symcount - 1 + 1) * (sizeof (asymbol *));
> + if (symcount > 0)
> + symtab_size = (symcount - 1 + 1) * (sizeof (asymbol *));
Why (symcount - 1 + 1)?
> + else
> + symtab_size = sizeof (asymbol *);
>
> return symtab_size;
> }
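Review bot: the `(symcount - 1 + 1)` expression carried into the new `if (symcount > 0)` branch folds to `symcount`, which is exactly the question raised above; since the comment in the previous hunk already explains the "minus the dummy symbol #0, plus the null terminator" reasoning, the branch can simply read `symtab_size = symcount * sizeof (asymbol *);`, and the whole `if`/`else` could collapse to `symtab_size = (symcount > 0 ? symcount : 1) * sizeof (asymbol *);` so the empty-table case is visibly the only special case.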
> @@ -4333,7 +4337,10 @@
> }
>
> symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
> - symtab_size = (symcount - 1 + 1) * (sizeof (asymbol *));
> + if (symcount > 0)
> + symtab_size = (symcount - 1 + 1) * (sizeof (asymbol *));
Why (symcount - 1 + 1)?
> + else
> + symtab_size = sizeof (asymbol *);
>
> return symtab_size;
> }
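Review bot: this hunk duplicates the same `if`/`else` computation as the previous one, so the same `(symcount - 1 + 1)` simplification applies here, and the two copies are now one more place that must be kept in sync; a small shared helper taking `symcount` and returning the byte size would let both call sites carry the fix once, and the explanatory comment added in the first hunk only sits above the first of the two functions.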
H.J.
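The off-by-one under discussion, shown as an added example that is not binutils code: it models the size computation from the quoted hunk, the patched version, and a simulated consumer that drops symbol #0 and null-terminates the vector, so the empty-table case can be checked directly. The `sizeof_sym` and `sh_size` values used in the checks are constructed; `asymbol` is only an opaque type here.

```c
#include <stddef.h>
#include <stdlib.h>

typedef struct asymbol asymbol;   /* opaque stand-in for BFD's asymbol */

/* Original computation from the quoted hunk: one slot per symbol after
   dropping the dummy symbol #0, plus one slot for the NULL terminator.
   For sh_size == 0 this yields 0 bytes, leaving no room for the terminator. */
static long
symtab_upper_bound_orig (size_t sh_size, size_t sizeof_sym)
{
  long symcount = (long) (sh_size / sizeof_sym);
  return (symcount - 1 + 1) * (long) sizeof (asymbol *);
}

/* Patched computation: an empty table still needs one slot for NULL. */
static long
symtab_upper_bound_fixed (size_t sh_size, size_t sizeof_sym)
{
  long symcount = (long) (sh_size / sizeof_sym);
  return (symcount > 0 ? symcount : 1) * (long) sizeof (asymbol *);
}

/* Simulated consumer: allocate `bound` bytes, store one pointer per real
   symbol (symbol #0 skipped), then NULL-terminate.  Returns 1 if every
   store fit inside the buffer, 0 if the terminator would land one slot
   past the end (the heap overflow the patch prevents).  Each store is
   bounds-checked first, so this model never actually writes out of range. */
static int
fill_symtab_fits (size_t sh_size, size_t sizeof_sym, long bound)
{
  static char placeholder;                     /* constructed symbol body */
  size_t slots = (size_t) bound / sizeof (asymbol *);
  asymbol **vec = calloc (slots ? slots : 1, sizeof (asymbol *));
  long symcount = (long) (sh_size / sizeof_sym);
  size_t idx = 0;
  long i;
  int ok = vec != NULL;
  for (i = 1; ok && i < symcount; i++)
    {
      if (idx < slots)
        vec[idx++] = (asymbol *) &placeholder;
      else
        ok = 0;
    }
  if (ok && idx < slots)
    vec[idx] = NULL;                           /* trailing null entry */
  else
    ok = 0;
  free (vec);
  return ok;
}
```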