Correct readelf dynamic section buffer overflow test
Alan Modra
amodra@gmail.com
Thu Jul 16 15:10:00 GMT 2015
Committed master and binutils-2.25.
PR binutils/18672
* readelf.c (get_32bit_dynamic_section): Correct buffer limit test.
(get_64bit_dynamic_section): Likewise.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 55faf83..c313db4 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -8683,7 +8683,7 @@ get_32bit_dynamic_section (FILE * file)
might not have the luxury of section headers. Look for the DT_NULL
terminator to determine the number of entries. */
for (ext = edyn, dynamic_nent = 0;
- (char *) ext < (char *) edyn + dynamic_size - sizeof (* entry);
+ (char *) (ext + 1) <= (char *) edyn + dynamic_size;
ext++)
{
dynamic_nent++;
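Review bot: the new bound in get_32bit_dynamic_section carries no comment, while the 64-bit copy of the same loop keeps its "do not read past end of buffer" note. The removed test subtracted `sizeof (* entry)`, a different variable from the `ext` the loop advances, and compared with a strict `<`. A one-line comment stating that the whole entry at `ext` must lie within `edyn + dynamic_size` would make the intent explicit and help keep the two functions in step.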
@@ -8731,8 +8731,8 @@ get_64bit_dynamic_section (FILE * file)
might not have the luxury of section headers. Look for the DT_NULL
terminator to determine the number of entries. */
for (ext = edyn, dynamic_nent = 0;
- /* PR 17533 file: 033-67080-0.004 - do not read off the end of the buffer. */
- (char *) ext < ((char *) edyn) + dynamic_size - sizeof (* ext);
+ /* PR 17533 file: 033-67080-0.004 - do not read past end of buffer. */
+ (char *) (ext + 1) <= (char *) edyn + dynamic_size;
ext++)
{
dynamic_nent++;
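Review bot: the retained comment in get_64bit_dynamic_section still cites only PR 17533, although the condition beneath it is now the one corrected for PR binutils/18672. With the removed `ext < edyn + dynamic_size - sizeof (* ext)`, an entry ending exactly at the buffer limit failed the test, so the comment should say that the last complete entry is intentionally included and cite PR 18672 alongside. The identical condition now appears in both functions, so a shared macro or helper would keep the two copies from diverging again.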
--
Alan Modra
Australia Development Lab, IBM