]> git.pld-linux.org Git - packages/elfutils.git/blame - elfutils-robustify.patch
projects / packages / elfutils.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- updated to 0.119, updated alpha patch
[packages/elfutils.git] / elfutils-robustify.patch
CommitLineData
0dcd74c7
JR		 1src/
22005-06-09 Roland McGrath <roland@redhat.com>
3
4 * readelf.c (handle_dynamic, handle_symtab): Check for bogus sh_link.
5 (handle_verneed, handle_verdef, handle_versym, handle_hash): Likewise.
6 (handle_scngrp): Check for bogus sh_info.
7
8 * strip.c (handle_elf): Check for bogus values in sh_link, sh_info,
9 st_shndx, e_shstrndx, and SHT_GROUP or SHT_SYMTAB_SHNDX data.
10 Don't use assert on input values, instead bail with "illformed" error.
11
122005-05-17 Jakub Jelinek <jakub@redhat.com>
13
14libelf/
15 * elf32_getphdr.c (elfw2(LIBELFBITS,getphdr)): Check if program header
16 table fits into object's bounds.
17 * elf_getshstrndx.c (elf_getshstrndx): Add elf->start_offset to
18 elf->map_address. Check if first section header fits into object's
19 bounds.
20 * elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)): Fix comment pasto.
21 Check if section header table fits into object's bounds.
49fd4b14
JB		 22 * elf_begin.c (get_shnum): Ensure section headers fits into
23 object's bounds.
0dcd74c7
JR		 24 (file_read_elf): Make sure scncnt is small enough to allocate both
25 ElfXX_Shdr and Elf_Scn array. Make sure section and program header
26 tables fit into object's bounds. Avoid memory leak on failure.
27
28src/
29 * elflint.c (check_hash): Don't check entries beyond end of section.
30 (check_note): Don't crash if gelf_rawchunk fails.
31 (section_name): Return <invalid> if gelf_getshdr returns NULL.
32
332005-05-14 Jakub Jelinek <jakub@redhat.com>
34
35libelf/
36 * libelfP.h (INVALID_NDX): Define.
37 * gelf_getdyn.c (gelf_getdyn): Use it. Remove ndx < 0 test if any.
38 * gelf_getlib.c (gelf_getlib): Likewise.
39 * gelf_getmove.c (gelf_getmove): Likewise.
40 * gelf_getrel.c (gelf_getrel): Likewise.
41 * gelf_getrela.c (gelf_getrela): Likewise.
42 * gelf_getsym.c (gelf_getsym): Likewise.
43 * gelf_getsyminfo.c (gelf_getsyminfo): Likewise.
44 * gelf_getsymshndx.c (gelf_getsymshndx): Likewise.
45 * gelf_getversym.c (gelf_getversym): Likewise.
46 * gelf_update_dyn.c (gelf_update_dyn): Likewise.
47 * gelf_update_lib.c (gelf_update_lib): Likewise.
48 * gelf_update_move.c (gelf_update_move): Likewise.
49 * gelf_update_rel.c (gelf_update_rel): Likewise.
50 * gelf_update_rela.c (gelf_update_rela): Likewise.
51 * gelf_update_sym.c (gelf_update_sym): Likewise.
52 * gelf_update_syminfo.c (gelf_update_syminfo): Likewise.
53 * gelf_update_symshndx.c (gelf_update_symshndx): Likewise.
54 * gelf_update_versym.c (gelf_update_versym): Likewise.
55 * elf_newscn.c (elf_newscn): Check for overflow.
56 * elf32_updatefile.c (__elfw2(LIBELFBITS,updatemmap)): Likewise.
57 (__elfw2(LIBELFBITS,updatefile)): Likewise.
58 * elf_begin.c (file_read_elf): Likewise.
59 * elf32_newphdr.c (elfw2(LIBELFBITS,newphdr)): Likewise.
60 * elf_getarsym.c (elf_getarsym): Likewise.
61 * elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)): Likewise.
62src/
63 * elflint.c (section_name): Return "<invalid>" instead of
64 crashing on invalid section name.
65 (check_symtab, is_rel_dyn, check_rela, check_rel, check_dynamic,
66 check_symtab_shndx, check_hash, check_versym): Robustify.
67
feba504d
JB		 68--- elfutils-0.116/libelf/elf32_getphdr.c
69+++ elfutils-0.116/libelf/elf32_getphdr.c
70@@ -82,6 +82,16 @@
49fd4b14
JB		 71
72 if (elf->map_address != NULL)
73 {
74+ /* First see whether the information in the ELF header is
75+ valid and it does not ask for too much. */
76+ if (unlikely (ehdr->e_phoff >= elf->maximum_size)
77+ || unlikely (ehdr->e_phoff + size > elf->maximum_size))
78+ {
79+ /* Something is wrong. */
80+ __libelf_seterrno (ELF_E_INVALID_PHDR);
81+ goto out;
82+ }
83+
84 /* All the data is already mapped. Use it. */
85 if (ehdr->e_ident[EI_DATA] == MY_ELFDATA
86 && (ALLOW_UNALIGNED
feba504d
JB		 87--- elfutils-0.116/libelf/elf32_getshdr.c
88+++ elfutils-0.116/libelf/elf32_getshdr.c
89@@ -68,11 +68,12 @@
49fd4b14
JB		 90 goto out;
91
92 size_t shnum;
93- if (INTUSE (elf_getshnum) (elf, &shnum) != 0)
94+ if (INTUSE (elf_getshnum) (elf, &shnum) != 0
95+ || shnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Shdr)))
96 goto out;
97 size_t size = shnum * sizeof (ElfW2(LIBELFBITS,Shdr));
98
99- /* Allocate memory for the program headers. We know the number
100+ /* Allocate memory for the section headers. We know the number
101 of entries from the ELF header. */
102 ElfW2(LIBELFBITS,Shdr) *shdr = elf->state.ELFW(elf,LIBELFBITS).shdr =
103 (ElfW2(LIBELFBITS,Shdr) *) malloc (size);
feba504d 104@@ -94,6 +95,16 @@
49fd4b14
JB		 105 && (ehdr->e_shoff
106 & (__alignof__ (ElfW2(LIBELFBITS,Shdr)) - 1)) != 0));
107
108+ /* First see whether the information in the ELF header is
109+ valid and it does not ask for too much. */
110+ if (unlikely (ehdr->e_shoff >= elf->maximum_size)
111+ || unlikely (ehdr->e_shoff + size > elf->maximum_size))
112+ {
113+ /* Something is wrong. */
114+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
115+ goto free_and_out;
116+ }
117+
118 /* Now copy the data and at the same time convert the byte
119 order. */
120 if (ALLOW_UNALIGNED
feba504d
JB		 121--- elfutils-0.116/libelf/elf32_newphdr.c
122+++ elfutils-0.116/libelf/elf32_newphdr.c
0dcd74c7 123@@ -1,5 +1,5 @@
49fd4b14
JB		 124 /* Create new ELF program header table.
125- Copyright (C) 1999, 2000, 2002 Red Hat, Inc.
126+ Copyright (C) 1999, 2000, 2002, 2005 Red Hat, Inc.
127 Written by Ulrich Drepper <drepper@redhat.com>, 1998.
0dcd74c7
JR		 128
129 This program is free software; you can redistribute it and/or modify
feba504d 130@@ -91,6 +91,12 @@
49fd4b14
JB		 131 else if (elf->state.ELFW(elf,LIBELFBITS).ehdr->e_phnum != count
132 || elf->state.ELFW(elf,LIBELFBITS).phdr == NULL)
0dcd74c7 133 {
49fd4b14
JB		 134+ if (unlikely (count > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))))
135+ {
136+ result = NULL;
137+ goto out;
138+ }
139+
140 /* Allocate a new program header with the appropriate number of
141 elements. */
142 result = (ElfW2(LIBELFBITS,Phdr) *)
feba504d
JB		 143--- elfutils-0.116/libelf/elf32_updatefile.c
144+++ elfutils-0.116/libelf/elf32_updatefile.c
145@@ -166,6 +166,9 @@
49fd4b14
JB		 146 /* Write all the sections. Well, only those which are modified. */
147 if (shnum > 0)
0dcd74c7 148 {
49fd4b14
JB		 149+ if (unlikely (shnum > SIZE_MAX / sizeof (Elf_Scn *)))
150+ return 1;
151+
152 ElfW2(LIBELFBITS,Shdr) *shdr_dest;
153 Elf_ScnList *list = &elf->state.ELFW(elf,LIBELFBITS).scns;
154 Elf_Scn **scns = (Elf_Scn **) alloca (shnum * sizeof (Elf_Scn *));
feba504d 155@@ -470,6 +473,10 @@
49fd4b14
JB		 156 /* Write all the sections. Well, only those which are modified. */
157 if (shnum > 0)
158 {
159+ if (unlikely (shnum > SIZE_MAX / (sizeof (Elf_Scn *)
160+ + sizeof (ElfW2(LIBELFBITS,Shdr)))))
161+ return 1;
162+
163 off_t shdr_offset = elf->start_offset + ehdr->e_shoff;
164 #if EV_NUM != 2
165 xfct_t shdr_fctp = __elf_xfctstom[__libelf_version - 1][EV_CURRENT - 1][ELFW(ELFCLASS, LIBELFBITS) - 1][ELF_T_SHDR];
feba504d
JB		 166--- elfutils-0.116/libelf/elf_begin.c
167+++ elfutils-0.116/libelf/elf_begin.c
168@@ -122,7 +122,8 @@
49fd4b14
JB		 169
170 if (unlikely (result == 0) && ehdr.e32->e_shoff != 0)
0dcd74c7 171 {
49fd4b14
JB		 172- if (offset + ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize)
173+ if (unlikely (ehdr.e32->e_shoff >= maxsize)
174+ || unlikely (ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize))
175 /* Cannot read the first section header. */
176 return (size_t) -1l;
177
feba504d 178@@ -165,7 +166,8 @@
49fd4b14
JB		 179
180 if (unlikely (result == 0) && ehdr.e64->e_shoff != 0)
181 {
182- if (offset + ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize)
183+ if (unlikely (ehdr.e64->e_shoff >= maxsize)
184+ || unlikely (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize))
185 /* Cannot read the first section header. */
186 return (size_t) -1l;
187
feba504d 188@@ -232,6 +234,15 @@
49fd4b14
JB		 189 /* Could not determine the number of sections. */
190 return NULL;
191
192+ /* Check for too many sections. */
193+ if (e_ident[EI_CLASS] == ELFCLASS32)
194+ {
195+ if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf32_Shdr)))
196+ return NULL;
197+ }
198+ else if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr)))
199+ return NULL;
200+
201 /* We can now allocate the memory. */
202 Elf *elf = allocate_elf (fildes, map_address, offset, maxsize, cmd, parent,
203 ELF_K_ELF, scncnt * sizeof (Elf_Scn));
feba504d 204@@ -265,13 +276,31 @@
49fd4b14
JB		 205 {
206 /* We can use the mmapped memory. */
207 elf->state.elf32.ehdr = ehdr;
208+
209+ if (unlikely (ehdr->e_shoff >= maxsize)
210+ || unlikely (ehdr->e_shoff
211+ + scncnt * sizeof (Elf32_Shdr) > maxsize))
212+ {
213+ free_and_out:
214+ free (elf);
215+ __libelf_seterrno (ELF_E_INVALID_FILE);
216+ return NULL;
217+ }
218 elf->state.elf32.shdr
219 = (Elf32_Shdr *) ((char *) ehdr + ehdr->e_shoff);
220+
221 if (ehdr->e_phnum > 0)
222- /* Assign a value only if there really is a program
223- header. Otherwise the value remains NULL. */
224- elf->state.elf32.phdr
225- = (Elf32_Phdr *) ((char *) ehdr + ehdr->e_phoff);
226+ {
227+ /* Assign a value only if there really is a program
228+ header. Otherwise the value remains NULL. */
229+ if (unlikely (ehdr->e_phoff >= maxsize)
230+ || unlikely (ehdr->e_phoff
231+ + ehdr->e_phnum
232+ * sizeof (Elf32_Phdr) > maxsize))
233+ goto free_and_out;
234+ elf->state.elf32.phdr
235+ = (Elf32_Phdr *) ((char *) ehdr + ehdr->e_phoff);
236+ }
237
238 for (size_t cnt = 0; cnt < scncnt; ++cnt)
239 {
feba504d 240@@ -340,13 +369,26 @@
49fd4b14
JB		 241 {
242 /* We can use the mmapped memory. */
243 elf->state.elf64.ehdr = ehdr;
244+
245+ if (unlikely (ehdr->e_shoff >= maxsize)
246+ || unlikely (ehdr->e_shoff
247+ + scncnt * sizeof (Elf32_Shdr) > maxsize))
248+ goto free_and_out;
249 elf->state.elf64.shdr
250 = (Elf64_Shdr *) ((char *) ehdr + ehdr->e_shoff);
251+
252 if (ehdr->e_phnum > 0)
253- /* Assign a value only if there really is a program
254- header. Otherwise the value remains NULL. */
255- elf->state.elf64.phdr
256- = (Elf64_Phdr *) ((char *) ehdr + ehdr->e_phoff);
257+ {
258+ /* Assign a value only if there really is a program
259+ header. Otherwise the value remains NULL. */
260+ if (unlikely (ehdr->e_phoff >= maxsize)
261+ || unlikely (ehdr->e_phoff
262+ + ehdr->e_phnum
263+ * sizeof (Elf32_Phdr) > maxsize))
264+ goto free_and_out;
265+ elf->state.elf64.phdr
266+ = (Elf64_Phdr *) ((char *) ehdr + ehdr->e_phoff);
267+ }
268
269 for (size_t cnt = 0; cnt < scncnt; ++cnt)
270 {
feba504d
JB		 271--- elfutils-0.116/libelf/elf_getarsym.c
272+++ elfutils-0.116/libelf/elf_getarsym.c
273@@ -146,6 +146,9 @@
49fd4b14
JB		 274 size_t index_size = atol (tmpbuf);
275
276 if (SARMAG + sizeof (struct ar_hdr) + index_size > elf->maximum_size
277+#if SIZE_MAX <= 4294967295U
278+ || n >= SIZE_MAX / sizeof (Elf_Arsym)
279+#endif
280 || n * sizeof (uint32_t) > index_size)
281 {
282 /* This index table cannot be right since it does not fit into
feba504d
JB		 283--- elfutils-0.116/libelf/elf_getshstrndx.c
284+++ elfutils-0.116/libelf/elf_getshstrndx.c
285@@ -92,10 +92,25 @@
49fd4b14
JB		 286 if (elf->map_address != NULL
287 && elf->state.elf32.ehdr->e_ident[EI_DATA] == MY_ELFDATA
288 && (ALLOW_UNALIGNED
289- || (((size_t) ((char *) elf->map_address + offset))
290+ || (((size_t) ((char *) elf->map_address
291+ + elf->start_offset + offset))
292 & (__alignof__ (Elf32_Shdr) - 1)) == 0))
293- /* We can directly access the memory. */
294- num = ((Elf32_Shdr *) (elf->map_address + offset))->sh_link;
295+ {
296+ /* First see whether the information in the ELF header is
297+ valid and it does not ask for too much. */
298+ if (unlikely (offset + sizeof (Elf32_Shdr)
299+ > elf->maximum_size))
300+ {
301+ /* Something is wrong. */
302+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
303+ result = -1;
304+ goto out;
305+ }
306+
307+ /* We can directly access the memory. */
308+ num = ((Elf32_Shdr *) (elf->map_address + elf->start_offset
309+ + offset))->sh_link;
310+ }
311 else
312 {
313 /* We avoid reading in all the section headers. Just read
feba504d 314@@ -130,10 +145,25 @@
49fd4b14
JB		 315 if (elf->map_address != NULL
316 && elf->state.elf64.ehdr->e_ident[EI_DATA] == MY_ELFDATA
317 && (ALLOW_UNALIGNED
318- || (((size_t) ((char *) elf->map_address + offset))
319+ || (((size_t) ((char *) elf->map_address
320+ + elf->start_offset + offset))
321 & (__alignof__ (Elf64_Shdr) - 1)) == 0))
322- /* We can directly access the memory. */
323- num = ((Elf64_Shdr *) (elf->map_address + offset))->sh_link;
324+ {
325+ /* First see whether the information in the ELF header is
326+ valid and it does not ask for too much. */
327+ if (unlikely (offset + sizeof (Elf64_Shdr)
328+ > elf->maximum_size))
329+ {
330+ /* Something is wrong. */
331+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
332+ result = -1;
333+ goto out;
334+ }
335+
336+ /* We can directly access the memory. */
337+ num = ((Elf64_Shdr *) (elf->map_address
338+ + elf->start_offset + offset))->sh_link;
339+ }
340 else
341 {
342 /* We avoid reading in all the section headers. Just read
feba504d
JB		 343--- elfutils-0.116/libelf/elf_newscn.c
344+++ elfutils-0.116/libelf/elf_newscn.c
49fd4b14
JB		 345@@ -1,5 +1,5 @@
346 /* Append new section.
347- Copyright (C) 1998, 1999, 2000, 2001, 2002 Red Hat, Inc.
348+ Copyright (C) 1998, 1999, 2000, 2001, 2002, 2005 Red Hat, Inc.
349 Written by Ulrich Drepper <drepper@redhat.com>, 1998.
350
351 This program is free software; you can redistribute it and/or modify
feba504d 352@@ -71,13 +71,21 @@
49fd4b14 353 else
0dcd74c7 354 {
49fd4b14
JB		 355 /* We must allocate a new element. */
356- Elf_ScnList *newp;
357+ Elf_ScnList *newp = NULL;
358
359 assert (elf->state.elf.scnincr > 0);
360
361- newp = (Elf_ScnList *) calloc (sizeof (Elf_ScnList)
362- + ((elf->state.elf.scnincr *= 2)
363- * sizeof (Elf_Scn)), 1);
364+ if (
365+#if SIZE_MAX <= 4294967295U
366+ likely (elf->state.elf.scnincr
367+ < SIZE_MAX / 2 / sizeof (Elf_Scn) - sizeof (Elf_ScnList))
368+#else
369+ 1
370+#endif
371+ )
372+ newp = (Elf_ScnList *) calloc (sizeof (Elf_ScnList)
373+ + ((elf->state.elf.scnincr *= 2)
374+ * sizeof (Elf_Scn)), 1);
375 if (newp == NULL)
0dcd74c7 376 {
49fd4b14 377 __libelf_seterrno (ELF_E_NOMEM);
feba504d
JB		 378--- elfutils-0.116/libelf/gelf_getdyn.c
379+++ elfutils-0.116/libelf/gelf_getdyn.c
0dcd74c7 380@@ -1,5 +1,5 @@
49fd4b14
JB		 381 /* Get information from dynamic table at the given index.
382- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
383+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
384 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
0dcd74c7
JR		 385
386 This program is free software; you can redistribute it and/or modify
feba504d 387@@ -60,7 +60,8 @@
0dcd74c7
JR		 388 table entries has to be adopted. The user better has provided
389 a buffer where we can store the information. While copying the
390 data we are converting the format. */
49fd4b14
JB		 391- if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
392+ if (INVALID_NDX (ndx, Elf32_Dyn)
393+ || unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
0dcd74c7
JR		 394 {
395 __libelf_seterrno (ELF_E_INVALID_INDEX);
396 goto out;
feba504d 397@@ -81,7 +82,8 @@
0dcd74c7
JR		 398
399 /* The data is already in the correct form. Just make sure the
400 index is OK. */
49fd4b14
JB		 401- if (unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))
402+ if (INVALID_NDX (ndx, GElf_Dyn)
403+ || unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))
0dcd74c7
JR		 404 {
405 __libelf_seterrno (ELF_E_INVALID_INDEX);
406 goto out;
feba504d
JB		 407--- elfutils-0.116/libelf/gelf_getlib.c
408+++ elfutils-0.116/libelf/gelf_getlib.c
0dcd74c7 409@@ -1,5 +1,5 @@
49fd4b14
JB		 410 /* Get library from table at the given index.
411- Copyright (C) 2004 Red Hat, Inc.
412+ Copyright (C) 2004, 2005 Red Hat, Inc.
413 Written by Ulrich Drepper <drepper@redhat.com>, 2004.
414
415 This program is free software; you can redistribute it and/or modify
feba504d 416@@ -53,7 +53,8 @@
49fd4b14
JB		 417 /* The data is already in the correct form. Just make sure the
418 index is OK. */
419 GElf_Lib *result = NULL;
420- if (unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))
421+ if (INVALID_NDX (ndx, GElf_Lib)
422+ || unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))
423 __libelf_seterrno (ELF_E_INVALID_INDEX);
424 else
425 {
feba504d
JB		 426--- elfutils-0.116/libelf/gelf_getmove.c
427+++ elfutils-0.116/libelf/gelf_getmove.c
49fd4b14
JB		 428@@ -1,5 +1,5 @@
429 /* Get move structure at the given index.
0dcd74c7
JR		 430- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
431+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
432 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
433
434 This program is free software; you can redistribute it and/or modify
feba504d 435@@ -50,7 +50,8 @@
0dcd74c7 436
49fd4b14
JB		 437 /* The data is already in the correct form. Just make sure the
438 index is OK. */
439- if (unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))
440+ if (INVALID_NDX (ndx, GElf_Move)
441+ || unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))
442 {
443 __libelf_seterrno (ELF_E_INVALID_INDEX);
444 goto out;
feba504d
JB		 445--- elfutils-0.116/libelf/gelf_getrela.c
446+++ elfutils-0.116/libelf/gelf_getrela.c
0dcd74c7
JR		 447@@ -1,5 +1,5 @@
448 /* Get RELA relocation information at given index.
449- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
450+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
451 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
452
453 This program is free software; you can redistribute it and/or modify
feba504d 454@@ -38,12 +38,6 @@
0dcd74c7
JR		 455 if (data_scn == NULL)
456 return NULL;
457
458- if (unlikely (ndx < 0))
459- {
460- __libelf_seterrno (ELF_E_INVALID_INDEX);
461- return NULL;
462- }
463-
464 if (unlikely (data_scn->d.d_type != ELF_T_RELA))
465 {
466 __libelf_seterrno (ELF_E_INVALID_HANDLE);
feba504d 467@@ -60,7 +54,8 @@
0dcd74c7
JR		 468 if (scn->elf->class == ELFCLASS32)
469 {
470 /* We have to convert the data. */
471- if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
472+ if (INVALID_NDX (ndx, Elf32_Rela)
473+ || unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
474 {
475 __libelf_seterrno (ELF_E_INVALID_INDEX);
476 result = NULL;
feba504d 477@@ -81,7 +76,8 @@
0dcd74c7
JR		 478 {
479 /* Simply copy the data after we made sure we are actually getting
480 correct data. */
481- if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
482+ if (INVALID_NDX (ndx, Elf64_Rela)
483+ || unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
484 {
485 __libelf_seterrno (ELF_E_INVALID_INDEX);
486 result = NULL;
feba504d
JB		 487--- elfutils-0.116/libelf/gelf_getrel.c
488+++ elfutils-0.116/libelf/gelf_getrel.c
0dcd74c7 489@@ -1,5 +1,5 @@
49fd4b14 490 /* Get REL relocation information at given index.
0dcd74c7
JR		 491- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
492+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
493 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
494
495 This program is free software; you can redistribute it and/or modify
feba504d 496@@ -38,12 +38,6 @@
49fd4b14
JB		 497 if (data_scn == NULL)
498 return NULL;
0dcd74c7
JR		 499
500- if (unlikely (ndx < 0))
501- {
502- __libelf_seterrno (ELF_E_INVALID_INDEX);
49fd4b14 503- return NULL;
0dcd74c7
JR		 504- }
505-
49fd4b14 506 if (unlikely (data_scn->d.d_type != ELF_T_REL))
0dcd74c7 507 {
49fd4b14 508 __libelf_seterrno (ELF_E_INVALID_HANDLE);
feba504d 509@@ -60,7 +54,8 @@
49fd4b14 510 if (scn->elf->class == ELFCLASS32)
0dcd74c7 511 {
49fd4b14
JB		 512 /* We have to convert the data. */
513- if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
514+ if (INVALID_NDX (ndx, Elf32_Rel)
515+ || unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
516 {
517 __libelf_seterrno (ELF_E_INVALID_INDEX);
518 result = NULL;
feba504d 519@@ -80,7 +75,8 @@
0dcd74c7 520 {
49fd4b14
JB		 521 /* Simply copy the data after we made sure we are actually getting
522 correct data. */
523- if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
524+ if (INVALID_NDX (ndx, Elf64_Rel)
525+ || unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
0dcd74c7 526 {
49fd4b14
JB		 527 __libelf_seterrno (ELF_E_INVALID_INDEX);
528 result = NULL;
feba504d
JB		 529--- elfutils-0.116/libelf/gelf_getsym.c
530+++ elfutils-0.116/libelf/gelf_getsym.c
0dcd74c7 531@@ -1,5 +1,5 @@
49fd4b14
JB		 532 /* Get symbol information from symbol table at the given index.
533- Copyright (C) 1999, 2000, 2001, 2002 Red Hat, Inc.
534+ Copyright (C) 1999, 2000, 2001, 2002, 2005 Red Hat, Inc.
535 Written by Ulrich Drepper <drepper@redhat.com>, 1999.
0dcd74c7
JR		 536
537 This program is free software; you can redistribute it and/or modify
feba504d 538@@ -57,7 +57,8 @@
49fd4b14
JB		 539 table entries has to be adopted. The user better has provided
540 a buffer where we can store the information. While copying the
541 data we are converting the format. */
542- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))
543+ if (INVALID_NDX (ndx, Elf32_Sym)
544+ || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))
545 {
546 __libelf_seterrno (ELF_E_INVALID_INDEX);
547 goto out;
feba504d 548@@ -86,7 +87,8 @@
0dcd74c7 549
49fd4b14
JB		 550 /* The data is already in the correct form. Just make sure the
551 index is OK. */
552- if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))
553+ if (INVALID_NDX (ndx, GElf_Sym)
554+ || unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))
555 {
556 __libelf_seterrno (ELF_E_INVALID_INDEX);
557 goto out;
feba504d
JB		 558--- elfutils-0.116/libelf/gelf_getsyminfo.c
559+++ elfutils-0.116/libelf/gelf_getsyminfo.c
0dcd74c7 560@@ -1,5 +1,5 @@
49fd4b14 561 /* Get additional symbol information from symbol table at the given index.
0dcd74c7
JR		 562- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
563+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
564 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
565
566 This program is free software; you can redistribute it and/or modify
feba504d 567@@ -51,7 +51,8 @@
0dcd74c7
JR		 568
569 /* The data is already in the correct form. Just make sure the
570 index is OK. */
49fd4b14
JB		 571- if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))
572+ if (INVALID_NDX (ndx, GElf_Syminfo)
573+ || unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))
0dcd74c7
JR		 574 {
575 __libelf_seterrno (ELF_E_INVALID_INDEX);
576 goto out;
feba504d
JB		 577--- elfutils-0.116/libelf/gelf_getsymshndx.c
578+++ elfutils-0.116/libelf/gelf_getsymshndx.c
0dcd74c7
JR		 579@@ -1,6 +1,6 @@
580 /* Get symbol information and separate section index from symbol table
581 at the given index.
582- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
583+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
584 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
585
586 This program is free software; you can redistribute it and/or modify
feba504d 587@@ -57,7 +57,9 @@
0dcd74c7
JR		 588 section index table. */
589 if (likely (shndxdata_scn != NULL))
590 {
591- if (unlikely ((ndx + 1) * sizeof (Elf32_Word) > shndxdata_scn->d.d_size))
592+ if (INVALID_NDX (ndx, Elf32_Word)
593+ || unlikely ((ndx + 1) * sizeof (Elf32_Word)
594+ > shndxdata_scn->d.d_size))
595 {
596 __libelf_seterrno (ELF_E_INVALID_INDEX);
597 goto out;
feba504d 598@@ -77,7 +79,8 @@
0dcd74c7
JR		 599 table entries has to be adopted. The user better has provided
600 a buffer where we can store the information. While copying the
601 data we are converting the format. */
602- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))
603+ if (INVALID_NDX (ndx, Elf32_Sym)
604+ || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))
605 {
606 __libelf_seterrno (ELF_E_INVALID_INDEX);
607 goto out;
feba504d 608@@ -106,7 +109,8 @@
0dcd74c7
JR		 609
610 /* The data is already in the correct form. Just make sure the
611 index is OK. */
612- if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))
613+ if (INVALID_NDX (ndx, GElf_Sym)
614+ || unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))
615 {
616 __libelf_seterrno (ELF_E_INVALID_INDEX);
617 goto out;
feba504d
JB		 618--- elfutils-0.116/libelf/gelf_getversym.c
619+++ elfutils-0.116/libelf/gelf_getversym.c
49fd4b14
JB		 620@@ -1,5 +1,5 @@
621 /* Get symbol version information at the given index.
622- Copyright (C) 1999, 2000, 2001, 2002 Red Hat, Inc.
623+ Copyright (C) 1999, 2000, 2001, 2002, 2005 Red Hat, Inc.
624 Written by Ulrich Drepper <drepper@redhat.com>, 1999.
625
626 This program is free software; you can redistribute it and/or modify
feba504d 627@@ -59,7 +59,8 @@
49fd4b14
JB		 628
629 /* The data is already in the correct form. Just make sure the
630 index is OK. */
631- if (unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))
632+ if (INVALID_NDX (ndx, GElf_Versym)
633+ || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))
634 {
635 __libelf_seterrno (ELF_E_INVALID_INDEX);
636 result = NULL;
feba504d
JB		 637--- elfutils-0.116/libelf/gelf_update_dyn.c
638+++ elfutils-0.116/libelf/gelf_update_dyn.c
49fd4b14
JB		 639@@ -1,5 +1,5 @@
640 /* Update information in dynamic table at the given index.
641- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
642+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
643 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
644
645 This program is free software; you can redistribute it and/or modify
feba504d 646@@ -38,12 +38,6 @@
49fd4b14
JB		 647 if (data == NULL)
648 return 0;
649
650- if (unlikely (ndx < 0))
651- {
652- __libelf_seterrno (ELF_E_INVALID_INDEX);
653- return 0;
654- }
655-
656 if (unlikely (data_scn->d.d_type != ELF_T_DYN))
657 {
658 /* The type of the data better should match. */
feba504d 659@@ -69,7 +63,8 @@
49fd4b14
JB		 660 }
661
662 /* Check whether we have to resize the data buffer. */
663- if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
664+ if (INVALID_NDX (ndx, Elf32_Dyn)
665+ || unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
666 {
667 __libelf_seterrno (ELF_E_INVALID_INDEX);
668 goto out;
feba504d 669@@ -83,7 +78,8 @@
49fd4b14
JB		 670 else
671 {
672 /* Check whether we have to resize the data buffer. */
673- if (unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))
674+ if (INVALID_NDX (ndx, Elf64_Dyn)
675+ || unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))
676 {
677 __libelf_seterrno (ELF_E_INVALID_INDEX);
678 goto out;
feba504d
JB		 679--- elfutils-0.116/libelf/gelf_update_lib.c
680+++ elfutils-0.116/libelf/gelf_update_lib.c
49fd4b14
JB		 681@@ -1,5 +1,5 @@
682 /* Update library in table at the given index.
683- Copyright (C) 2004 Red Hat, Inc.
684+ Copyright (C) 2004, 2005 Red Hat, Inc.
685 Written by Ulrich Drepper <drepper@redhat.com>, 2004.
686
687 This program is free software; you can redistribute it and/or modify
feba504d 688@@ -35,12 +35,6 @@
49fd4b14
JB		 689 if (data == NULL)
690 return 0;
691
692- if (unlikely (ndx < 0))
693- {
694- __libelf_seterrno (ELF_E_INVALID_INDEX);
695- return 0;
696- }
697-
698 Elf_Data_Scn *data_scn = (Elf_Data_Scn *) data;
699 if (unlikely (data_scn->d.d_type != ELF_T_LIB))
700 {
feba504d 701@@ -54,7 +48,8 @@
49fd4b14
JB		 702
703 /* Check whether we have to resize the data buffer. */
704 int result = 0;
705- if (unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))
706+ if (INVALID_NDX (ndx, Elf64_Lib)
707+ || unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))
708 __libelf_seterrno (ELF_E_INVALID_INDEX);
709 else
710 {
feba504d
JB		 711--- elfutils-0.116/libelf/gelf_update_move.c
712+++ elfutils-0.116/libelf/gelf_update_move.c
0dcd74c7
JR		 713@@ -1,5 +1,5 @@
714 /* Update move structure at the given index.
715- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
716+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
717 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
718
719 This program is free software; you can redistribute it and/or modify
feba504d 720@@ -42,7 +42,7 @@
0dcd74c7
JR		 721 assert (sizeof (GElf_Move) == sizeof (Elf64_Move));
722
723 /* Check whether we have to resize the data buffer. */
724- if (unlikely (ndx < 0)
725+ if (INVALID_NDX (ndx, GElf_Move)
726 || unlikely ((ndx + 1) * sizeof (GElf_Move) > data_scn->d.d_size))
727 {
728 __libelf_seterrno (ELF_E_INVALID_INDEX);
feba504d
JB		 729--- elfutils-0.116/libelf/gelf_update_rela.c
730+++ elfutils-0.116/libelf/gelf_update_rela.c
0dcd74c7 731@@ -1,5 +1,5 @@
49fd4b14 732 /* Update RELA relocation information at given index.
0dcd74c7
JR		 733- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
734+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
735 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
736
737 This program is free software; you can redistribute it and/or modify
feba504d 738@@ -35,12 +35,6 @@
49fd4b14 739 if (dst == NULL)
0dcd74c7
JR		 740 return 0;
741
742- if (unlikely (ndx < 0))
743- {
744- __libelf_seterrno (ELF_E_INVALID_INDEX);
745- return 0;
746- }
747-
49fd4b14 748 if (unlikely (data_scn->d.d_type != ELF_T_RELA))
0dcd74c7
JR		 749 {
750 /* The type of the data better should match. */
feba504d 751@@ -68,7 +62,8 @@
0dcd74c7
JR		 752 }
753
754 /* Check whether we have to resize the data buffer. */
49fd4b14
JB		 755- if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
756+ if (INVALID_NDX (ndx, Elf32_Rela)
757+ || unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
0dcd74c7
JR		 758 {
759 __libelf_seterrno (ELF_E_INVALID_INDEX);
760 goto out;
feba504d 761@@ -84,7 +79,8 @@
0dcd74c7
JR		 762 else
763 {
764 /* Check whether we have to resize the data buffer. */
49fd4b14
JB		 765- if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
766+ if (INVALID_NDX (ndx, Elf64_Rela)
767+ || unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
0dcd74c7
JR		 768 {
769 __libelf_seterrno (ELF_E_INVALID_INDEX);
770 goto out;
feba504d
JB		 771--- elfutils-0.116/libelf/gelf_update_rel.c
772+++ elfutils-0.116/libelf/gelf_update_rel.c
0dcd74c7 773@@ -1,5 +1,5 @@
49fd4b14 774 /* Update REL relocation information at given index.
0dcd74c7
JR		 775- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
776+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
777 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
778
779 This program is free software; you can redistribute it and/or modify
feba504d 780@@ -35,12 +35,6 @@
49fd4b14 781 if (dst == NULL)
0dcd74c7
JR		 782 return 0;
783
784- if (unlikely (ndx < 0))
785- {
786- __libelf_seterrno (ELF_E_INVALID_INDEX);
787- return 0;
788- }
789-
49fd4b14 790 if (unlikely (data_scn->d.d_type != ELF_T_REL))
0dcd74c7
JR		 791 {
792 /* The type of the data better should match. */
feba504d 793@@ -66,7 +60,8 @@
0dcd74c7
JR		 794 }
795
796 /* Check whether we have to resize the data buffer. */
49fd4b14
JB		 797- if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
798+ if (INVALID_NDX (ndx, Elf32_Rel)
799+ || unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
0dcd74c7
JR		 800 {
801 __libelf_seterrno (ELF_E_INVALID_INDEX);
802 goto out;
feba504d 803@@ -81,7 +76,8 @@
0dcd74c7
JR		 804 else
805 {
806 /* Check whether we have to resize the data buffer. */
49fd4b14
JB		 807- if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
808+ if (INVALID_NDX (ndx, Elf64_Rel)
809+ || unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
0dcd74c7
JR		 810 {
811 __libelf_seterrno (ELF_E_INVALID_INDEX);
812 goto out;
feba504d
JB		 813--- elfutils-0.116/libelf/gelf_update_sym.c
814+++ elfutils-0.116/libelf/gelf_update_sym.c
0dcd74c7 815@@ -1,5 +1,5 @@
49fd4b14 816 /* Update symbol information in symbol table at the given index.
0dcd74c7
JR		 817- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
818+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
819 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
820
821 This program is free software; you can redistribute it and/or modify
feba504d 822@@ -39,12 +39,6 @@
49fd4b14 823 if (data == NULL)
0dcd74c7
JR		 824 return 0;
825
826- if (unlikely (ndx < 0))
827- {
828- __libelf_seterrno (ELF_E_INVALID_INDEX);
829- return 0;
830- }
831-
49fd4b14 832 if (unlikely (data_scn->d.d_type != ELF_T_SYM))
0dcd74c7
JR		 833 {
834 /* The type of the data better should match. */
feba504d 835@@ -69,7 +63,8 @@
0dcd74c7
JR		 836 }
837
838 /* Check whether we have to resize the data buffer. */
49fd4b14
JB		 839- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))
840+ if (INVALID_NDX (ndx, Elf32_Sym)
841+ || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))
0dcd74c7
JR		 842 {
843 __libelf_seterrno (ELF_E_INVALID_INDEX);
844 goto out;
feba504d 845@@ -92,7 +87,8 @@
0dcd74c7
JR		 846 else
847 {
848 /* Check whether we have to resize the data buffer. */
49fd4b14
JB		 849- if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))
850+ if (INVALID_NDX (ndx, Elf64_Sym)
851+ || unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))
0dcd74c7
JR		 852 {
853 __libelf_seterrno (ELF_E_INVALID_INDEX);
854 goto out;
feba504d
JB		 855--- elfutils-0.116/libelf/gelf_update_syminfo.c
856+++ elfutils-0.116/libelf/gelf_update_syminfo.c
0dcd74c7 857@@ -1,5 +1,5 @@
49fd4b14
JB		 858 /* Update additional symbol information in symbol table at the given index.
859- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
860+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
861 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
0dcd74c7
JR		 862
863 This program is free software; you can redistribute it and/or modify
feba504d 864@@ -39,12 +39,6 @@
49fd4b14
JB		 865 if (data == NULL)
866 return 0;
867
868- if (unlikely (ndx < 0))
869- {
870- __libelf_seterrno (ELF_E_INVALID_INDEX);
871- return 0;
872- }
873-
874 if (unlikely (data_scn->d.d_type != ELF_T_SYMINFO))
875 {
876 /* The type of the data better should match. */
feba504d 877@@ -60,7 +54,8 @@
49fd4b14 878 rwlock_wrlock (scn->elf->lock);
0dcd74c7
JR		 879
880 /* Check whether we have to resize the data buffer. */
49fd4b14
JB		 881- if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))
882+ if (INVALID_NDX (ndx, GElf_Syminfo)
883+ || unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))
0dcd74c7
JR		 884 {
885 __libelf_seterrno (ELF_E_INVALID_INDEX);
49fd4b14 886 goto out;
feba504d
JB		 887--- elfutils-0.116/libelf/gelf_update_symshndx.c
888+++ elfutils-0.116/libelf/gelf_update_symshndx.c
49fd4b14
JB		 889@@ -1,6 +1,6 @@
890 /* Update symbol information and section index in symbol table at the
891 given index.
0dcd74c7
JR		 892- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
893+ Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
894 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
895
896 This program is free software; you can redistribute it and/or modify
feba504d 897@@ -44,12 +44,6 @@
49fd4b14 898 if (symdata == NULL)
0dcd74c7
JR		 899 return 0;
900
901- if (unlikely (ndx < 0))
902- {
903- __libelf_seterrno (ELF_E_INVALID_INDEX);
904- return 0;
905- }
906-
49fd4b14 907 if (unlikely (symdata_scn->d.d_type != ELF_T_SYM))
0dcd74c7
JR		 908 {
909 /* The type of the data better should match. */
feba504d 910@@ -95,7 +89,8 @@
0dcd74c7
JR		 911 }
912
913 /* Check whether we have to resize the data buffer. */
49fd4b14
JB		 914- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))
915+ if (INVALID_NDX (ndx, Elf32_Sym)
916+ || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))
0dcd74c7
JR		 917 {
918 __libelf_seterrno (ELF_E_INVALID_INDEX);
919 goto out;
feba504d 920@@ -118,7 +113,8 @@
0dcd74c7
JR		 921 else
922 {
49fd4b14
JB		 923 /* Check whether we have to resize the data buffer. */
924- if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))
925+ if (INVALID_NDX (ndx, Elf64_Sym)
926+ || unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))
927 {
928 __libelf_seterrno (ELF_E_INVALID_INDEX);
929 goto out;
feba504d
JB		 930--- elfutils-0.116/libelf/gelf_update_versym.c
931+++ elfutils-0.116/libelf/gelf_update_versym.c
49fd4b14
JB		 932@@ -1,5 +1,5 @@
933 /* Update symbol version information.
934- Copyright (C) 2001, 2002 Red Hat, Inc.
935+ Copyright (C) 2001, 2002, 2005 Red Hat, Inc.
936 Written by Ulrich Drepper <drepper@redhat.com>, 2001.
937
938 This program is free software; you can redistribute it and/or modify
feba504d 939@@ -42,7 +42,7 @@
49fd4b14
JB		 940 assert (sizeof (GElf_Versym) == sizeof (Elf64_Versym));
941
942 /* Check whether we have to resize the data buffer. */
943- if (unlikely (ndx < 0)
944+ if (INVALID_NDX (ndx, GElf_Versym)
945 || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data_scn->d.d_size))
946 {
947 __libelf_seterrno (ELF_E_INVALID_INDEX);
feba504d
JB		 948--- elfutils-0.116/libelf/libelfP.h
949+++ elfutils-0.116/libelf/libelfP.h
950@@ -536,4 +536,13 @@
49fd4b14
JB		 951 } while (0)
952 #endif
953
954+/* Convenience macro. Assumes int NDX and TYPE with size at least
955+ 2 bytes. */
956+#if SIZE_MAX > 4294967295U
957+# define INVALID_NDX(ndx, type) unlikely (ndx < 0)
958+#else
959+# define INVALID_NDX(ndx, type) \
960+ unlikely ((unsigned int) (ndx) >= SIZE_MAX / sizeof (type))
961+#endif
962+
963 #endif /* libelfP.h */
feba504d
JB		 964--- elfutils-0.116/src/elflint.c
965+++ elfutils-0.116/src/elflint.c
966@@ -111,6 +111,9 @@
0dcd74c7
JR		 967 /* Array to count references in section groups. */
968 static int *scnref;
969
970+/* Number of sections. */
971+static unsigned int shnum;
972+
973
974 int
975 main (int argc, char *argv[])
feba504d 976@@ -300,10 +303,19 @@
0dcd74c7
JR		 977 {
978 GElf_Shdr shdr_mem;
979 GElf_Shdr *shdr;
980+ const char *ret;
981+
982+ if ((unsigned int) idx > shnum)
983+ return "<invalid>";
984
985 shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);
49fd4b14
JB		 986+ if (shdr == NULL)
987+ return "<invalid>";
0dcd74c7
JR		 988
989- return elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
990+ ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
991+ if (ret == NULL)
992+ return "<invalid>";
993+ return ret;
994 }
995
996
feba504d 997@@ -325,10 +337,6 @@
0dcd74c7
JR		 998 (sizeof (valid_e_machine) / sizeof (valid_e_machine[0]))
999
1000
1001-/* Number of sections. */
1002-static unsigned int shnum;
1003-
1004-
1005 static void
1006 check_elf_header (Ebl *ebl, GElf_Ehdr *ehdr, size_t size)
1007 {
feba504d 1008@@ -591,7 +599,8 @@
49fd4b14
JB		 1009 }
1010 }
0dcd74c7
JR		 1011
1012- if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT))
1013+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT);
1014+ if (shdr->sh_entsize != sh_entsize)
1015 ERROR (gettext ("\
1016 section [%2zu] '%s': entry size is does not match ElfXX_Sym\n"),
1017 cnt, section_name (ebl, cnt));
feba504d 1018@@ -629,7 +638,7 @@
0dcd74c7
JR		 1019 xndxscnidx, section_name (ebl, xndxscnidx));
1020 }
1021
1022- for (cnt = 1; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1023+ for (cnt = 1; cnt < shdr->sh_size / sh_entsize; ++cnt)
1024 {
1025 sym = gelf_getsymshndx (data, xndxdata, cnt, &sym_mem, &xndx);
1026 if (sym == NULL)
feba504d 1027@@ -647,7 +656,8 @@
0dcd74c7
JR		 1028 else
1029 {
1030 name = elf_strptr (ebl->elf, shdr->sh_link, sym->st_name);
1031- assert (name != NULL);
1032+ assert (name != NULL
1033+ || strshdr->sh_type != SHT_STRTAB);
1034 }
1035
1036 if (sym->st_shndx == SHN_XINDEX)
feba504d 1037@@ -958,7 +968,7 @@
0dcd74c7
JR		 1038 const GElf_Shdr *rcshdr = gelf_getshdr (scn, &rcshdr_mem);
1039 assert (rcshdr != NULL);
1040
1041- if (rcshdr->sh_type == SHT_DYNAMIC)
1042+ if (rcshdr->sh_type == SHT_DYNAMIC && rcshdr->sh_entsize)
1043 {
1044 /* Found the dynamic section. Look through it. */
1045 Elf_Data *d = elf_getdata (scn, NULL);
feba504d 1046@@ -968,14 +978,17 @@
0dcd74c7
JR		 1047 {
1048 GElf_Dyn dyn_mem;
1049 GElf_Dyn *dyn = gelf_getdyn (d, cnt, &dyn_mem);
1050- assert (dyn != NULL);
1051+
1052+ if (dyn == NULL)
1053+ break;
1054
1055 if (dyn->d_tag == DT_RELCOUNT)
1056 {
1057 /* Found it. One last check: does the number
1058 specified number of relative relocations exceed
1059 the total number of relocations? */
1060- if (dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
1061+ if (shdr->sh_entsize
1062+ && dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
1063 ERROR (gettext ("\
1064 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
1065 idx, section_name (ebl, idx),
feba504d 1066@@ -1050,7 +1063,8 @@
0dcd74c7
JR		 1067 }
1068 }
1069
49fd4b14
JB		 1070- if (shdr->sh_entsize != gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT))
1071+ size_t sh_entsize = gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT);
0dcd74c7 1072+ if (shdr->sh_entsize != sh_entsize)
49fd4b14
JB		 1073 ERROR (gettext (reltype == ELF_T_RELA ? "\
1074 section [%2d] '%s': section entry size does not match ElfXX_Rela\n" : "\
0dcd74c7 1075 section [%2d] '%s': section entry size does not match ElfXX_Rel\n"),
feba504d 1076@@ -1258,7 +1272,8 @@
0dcd74c7 1077 Elf_Data *symdata = elf_getdata (symscn, NULL);
49fd4b14 1078 enum load_state state = state_undecided;
0dcd74c7 1079
49fd4b14
JB		 1080- for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1081+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
1082+ for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1083 {
1084 GElf_Rela rela_mem;
1085 GElf_Rela *rela = gelf_getrela (data, cnt, &rela_mem);
feba504d 1086@@ -1307,7 +1322,8 @@
49fd4b14
JB		 1087 Elf_Data *symdata = elf_getdata (symscn, NULL);
1088 enum load_state state = state_undecided;
0dcd74c7 1089
49fd4b14
JB		 1090- for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1091+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
1092+ for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1093 {
1094 GElf_Rel rel_mem;
1095 GElf_Rel *rel = gelf_getrel (data, cnt, &rel_mem);
feba504d 1096@@ -1408,7 +1424,8 @@
49fd4b14
JB		 1097 shdr->sh_link, section_name (ebl, shdr->sh_link),
1098 idx, section_name (ebl, idx));
0dcd74c7 1099
49fd4b14
JB		 1100- if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT))
1101+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
1102+ if (shdr->sh_entsize != sh_entsize)
1103 ERROR (gettext ("\
1104 section [%2d] '%s': section entry size does not match ElfXX_Dyn\n"),
1105 idx, section_name (ebl, idx));
feba504d 1106@@ -1418,7 +1435,7 @@
49fd4b14 1107 idx, section_name (ebl, idx));
0dcd74c7 1108
49fd4b14
JB		 1109 bool non_null_warned = false;
1110- for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1111+ for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1112 {
1113 GElf_Dyn dyn_mem;
1114 GElf_Dyn *dyn = gelf_getdyn (data, cnt, &dyn_mem);
feba504d 1115@@ -1559,6 +1576,8 @@
49fd4b14 1116 idx, section_name (ebl, idx));
0dcd74c7 1117
49fd4b14
JB		 1118 if (symshdr != NULL
1119+ && shdr->sh_entsize
1120+ && symshdr->sh_entsize
1121 && (shdr->sh_size / shdr->sh_entsize
1122 < symshdr->sh_size / symshdr->sh_entsize))
1123 ERROR (gettext ("\
feba504d 1124@@ -1585,6 +1604,12 @@
49fd4b14
JB		 1125 }
1126
1127 Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1128+ if (data == NULL)
1129+ {
1130+ ERROR (gettext ("section [%2d] '%s': cannot get section data\n"),
1131+ idx, section_name (ebl, idx));
1132+ return;
1133+ }
1134
1135 if (*((Elf32_Word *) data->d_buf) != 0)
1136 ERROR (gettext ("symbol 0 should have zero extended section index\n"));
feba504d 1137@@ -1665,23 +1690,30 @@
49fd4b14
JB		 1138 idx, section_name (ebl, idx), (long int) shdr->sh_size,
1139 (long int) ((2 + nbucket + nchain) * shdr->sh_entsize));
0dcd74c7 1140
49fd4b14
JB		 1141- if (symshdr != NULL)
1142+ if (symshdr != NULL && symshdr->sh_entsize)
0dcd74c7
JR		 1143 {
1144 size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
1145 size_t cnt;
1146+ Elf32_Word *buf, *end;
1147
1148 if (nchain < symshdr->sh_size / symshdr->sh_entsize)
1149 ERROR (gettext ("section [%2d] '%s': chain array not large enough\n"),
1150 idx, section_name (ebl, idx));
1151
1152+ buf = ((Elf32_Word *) data->d_buf) + 2;
1153+ end = (Elf32_Word *) ((char *) data->d_buf + shdr->sh_size);
1154 for (cnt = 2; cnt < 2 + nbucket; ++cnt)
1155- if (((Elf32_Word *) data->d_buf)[cnt] >= symsize)
1156+ if (buf >= end)
1157+ return;
1158+ else if (*buf++ >= symsize)
1159 ERROR (gettext ("\
1160 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
1161 idx, section_name (ebl, idx), cnt - 2);
1162
49fd4b14
JB		 1163 for (; cnt < 2 + nbucket + nchain; ++cnt)
1164- if (((Elf32_Word *) data->d_buf)[cnt] >= symsize)
1165+ if (buf >= end)
1166+ return;
1167+ else if (*buf++ >= symsize)
1168 ERROR (gettext ("\
1169 section [%2d] '%s': hash chain reference %zu out of bounds\n"),
1170 idx, section_name (ebl, idx), cnt - 2 - nbucket);
feba504d 1171@@ -2023,8 +2055,9 @@
49fd4b14
JB		 1172
1173 /* The number of elements in the version symbol table must be the
1174 same as the number of symbols. */
1175- if (shdr->sh_size / shdr->sh_entsize
1176- != symshdr->sh_size / symshdr->sh_entsize)
1177+ if (shdr->sh_entsize && symshdr->sh_entsize
1178+ && (shdr->sh_size / shdr->sh_entsize
1179+ != symshdr->sh_size / symshdr->sh_entsize))
1180 ERROR (gettext ("\
1181 section [%2d] '%s' has different number of entries than symbol table [%2d] '%s'\n"),
1182 idx, section_name (ebl, idx),
feba504d 1183@@ -2928,6 +2961,8 @@
49fd4b14
JB		 1184 return;
1185
1186 char *notemem = gelf_rawchunk (ebl->elf, phdr->p_offset, phdr->p_filesz);
1187+ if (notemem == NULL)
1188+ return;
1189
1190 /* ELF64 files often use note section entries in the 32-bit format.
1191 The p_align field is set to 8 in case the 64-bit format is used.
feba504d
JB		 1192--- elfutils-0.116/src/readelf.c
1193+++ elfutils-0.116/src/readelf.c
1194@@ -946,6 +946,8 @@
1195 Elf32_Word *grpref = (Elf32_Word *) data->d_buf;
49fd4b14 1196
feba504d
JB		 1197 GElf_Sym sym_mem;
1198+ GElf_Sym *sym = gelf_getsym (symdata, shdr->sh_info, &sym_mem);
49fd4b14 1199+
49fd4b14 1200 printf ((grpref[0] & GRP_COMDAT)
feba504d
JB		 1201 ? ngettext ("\
1202 \nCOMDAT section group [%2zu] '%s' with signature '%s' contains %zu entry:\n",
1203@@ -958,8 +960,8 @@
49fd4b14
JB		 1204 data->d_size / sizeof (Elf32_Word) - 1),
1205 elf_ndxscn (scn),
1206 elf_strptr (ebl->elf, shstrndx, shdr->sh_name),
1207- elf_strptr (ebl->elf, symshdr->sh_link,
1208- gelf_getsym (symdata, shdr->sh_info, &sym_mem)->st_name)
1209+ (sym == NULL ? NULL
1210+ : elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name))
1211 ?: gettext ("<INVALID SYMBOL>"),
1212 data->d_size / sizeof (Elf32_Word) - 1);
1213
feba504d 1214@@ -1110,7 +1112,8 @@
49fd4b14
JB		 1215 handle_dynamic (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
1216 {
1217 int class = gelf_getclass (ebl->elf);
1218- GElf_Shdr glink;
1219+ GElf_Shdr glink_mem;
1220+ GElf_Shdr *glink;
1221 Elf_Data *data;
1222 size_t cnt;
1223 size_t shstrndx;
feba504d 1224@@ -1125,6 +1128,11 @@
49fd4b14
JB		 1225 error (EXIT_FAILURE, 0,
1226 gettext ("cannot get section header string table index"));
1227
1228+ glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
1229+ if (glink == NULL)
1230+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1231+ elf_ndxscn (scn));
1232+
1233 printf (ngettext ("\
1234 \nDynamic segment contains %lu entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1235 "\
feba504d 1236@@ -1134,9 +1142,7 @@
49fd4b14
JB		 1237 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1238 shdr->sh_offset,
1239 (int) shdr->sh_link,
1240- elf_strptr (ebl->elf, shstrndx,
1241- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1242- &glink)->sh_name));
1243+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1244 fputs_unlocked (gettext (" Type Value\n"), stdout);
1245
1246 for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
feba504d 1247@@ -1654,6 +1660,13 @@
49fd4b14
JB		 1248 error (EXIT_FAILURE, 0,
1249 gettext ("cannot get section header string table index"));
1250
feba504d
JB		 1251+ GElf_Shdr glink_mem;
1252+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1253+ &glink_mem);
49fd4b14
JB		 1254+ if (glink == NULL)
1255+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1256+ elf_ndxscn (scn));
1257+
1258 /* Now we can compute the number of entries in the section. */
feba504d
JB		 1259 unsigned int nsyms = data->d_size / (class == ELFCLASS32
1260 ? sizeof (Elf32_Sym)
1261@@ -1664,15 +1677,12 @@
1262 nsyms),
1263 (unsigned int) elf_ndxscn (scn),
1264 elf_strptr (ebl->elf, shstrndx, shdr->sh_name), nsyms);
1265- GElf_Shdr glink;
1266 printf (ngettext (" %lu local symbol String table: [%2u] '%s'\n",
1267 " %lu local symbols String table: [%2u] '%s'\n",
49fd4b14
JB		 1268 shdr->sh_info),
1269 (unsigned long int) shdr->sh_info,
1270 (unsigned int) shdr->sh_link,
1271- elf_strptr (ebl->elf, shstrndx,
1272- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1273- &glink)->sh_name));
1274+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1275
1276 fputs_unlocked (class == ELFCLASS32
1277 ? gettext ("\
feba504d 1278@@ -1908,7 +1918,13 @@
49fd4b14
JB		 1279 error (EXIT_FAILURE, 0,
1280 gettext ("cannot get section header string table index"));
1281
1282- GElf_Shdr glink;
1283+ GElf_Shdr glink_mem;
1284+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1285+ &glink_mem);
1286+ if (glink == NULL)
1287+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1288+ elf_ndxscn (scn));
1289+
1290 printf (ngettext ("\
1291 \nVersion needs section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1292 "\
feba504d 1293@@ -1919,9 +1935,7 @@
49fd4b14
JB		 1294 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1295 shdr->sh_offset,
1296 (unsigned int) shdr->sh_link,
1297- elf_strptr (ebl->elf, shstrndx,
1298- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1299- &glink)->sh_name));
1300+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1301
1302 unsigned int offset = 0;
1303 for (int cnt = shdr->sh_info; --cnt >= 0; )
feba504d 1304@@ -1974,8 +1988,14 @@
49fd4b14
JB		 1305 error (EXIT_FAILURE, 0,
1306 gettext ("cannot get section header string table index"));
1307
1308+ GElf_Shdr glink_mem;
1309+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1310+ &glink_mem);
1311+ if (glink == NULL)
1312+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1313+ elf_ndxscn (scn));
1314+
1315 int class = gelf_getclass (ebl->elf);
1316- GElf_Shdr glink;
1317 printf (ngettext ("\
1318 \nVersion definition section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1319 "\
feba504d 1320@@ -1987,9 +2007,7 @@
49fd4b14
JB		 1321 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1322 shdr->sh_offset,
1323 (unsigned int) shdr->sh_link,
1324- elf_strptr (ebl->elf, shstrndx,
1325- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1326- &glink)->sh_name));
1327+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1328
1329 unsigned int offset = 0;
1330 for (int cnt = shdr->sh_info; --cnt >= 0; )
feba504d 1331@@ -2251,8 +2269,14 @@
49fd4b14
JB		 1332 filename = NULL;
1333 }
1334
1335+ GElf_Shdr glink_mem;
1336+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1337+ &glink_mem);
1338+ if (glink == NULL)
1339+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1340+ elf_ndxscn (scn));
1341+
1342 /* Print the header. */
feba504d 1343- GElf_Shdr glink;
49fd4b14
JB		 1344 printf (ngettext ("\
1345 \nVersion symbols section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'",
feba504d
JB		 1346 "\
1347@@ -2264,9 +2288,7 @@
49fd4b14
JB		 1348 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1349 shdr->sh_offset,
1350 (unsigned int) shdr->sh_link,
1351- elf_strptr (ebl->elf, shstrndx,
1352- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1353- &glink)->sh_name));
1354+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1355
1356 /* Now we can finally look at the actual contents of this section. */
1357 for (unsigned int cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
feba504d
JB		 1358@@ -2341,7 +2363,17 @@
1359 Elf32_Word *bucket = &((Elf32_Word *) data->d_buf)[2];
1360 Elf32_Word *chain = &((Elf32_Word *) data->d_buf)[2 + nbucket];
49fd4b14 1361
feba504d
JB		 1362- GElf_Shdr glink;
1363+ GElf_Shdr glink_mem;
1364+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf,
1365+ shdr->sh_link),
1366+ &glink_mem);
1367+ if (glink == NULL)
1368+ {
1369+ error (0, 0, gettext ("invalid sh_link value in section %Zu"),
1370+ elf_ndxscn (scn));
1371+ continue;
1372+ }
49fd4b14 1373+
feba504d
JB		 1374 printf (ngettext ("\
1375 \nHistogram for bucket list length in section [%2u] '%s' (total of %d bucket):\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1376 "\
1377@@ -2354,10 +2386,7 @@
49fd4b14
JB		 1378 shdr->sh_addr,
1379 shdr->sh_offset,
1380 (unsigned int) shdr->sh_link,
1381- elf_strptr (ebl->elf, shstrndx,
1382- gelf_getshdr (elf_getscn (ebl->elf,
1383- shdr->sh_link),
1384- &glink)->sh_name));
1385+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1386
feba504d
JB		 1387 uint32_t *lengths = (uint32_t *) xcalloc (nbucket,
1388 sizeof (uint32_t));
1389@@ -3460,6 +3489,16 @@
49fd4b14
JB		 1390 return;
1391 }
0dcd74c7 1392
49fd4b14
JB		 1393+ GElf_Shdr glink_mem;
1394+ GElf_Shdr *glink;
1395+ glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
1396+ if (glink == NULL)
1397+ {
1398+ error (0, 0, gettext ("invalid sh_link value in section %Zu"),
1399+ elf_ndxscn (scn));
1400+ return;
1401+ }
1402+
1403 printf (ngettext ("\
1404 \nDWARF section '%s' at offset %#" PRIx64 " contains %zu entry:\n",
1405 "\
feba504d
JB		 1406--- elfutils-0.116/src/strip.c
1407+++ elfutils-0.116/src/strip.c
1408@@ -400,6 +400,7 @@
0dcd74c7
JR		 1409 Elf_Data debuglink_crc_data;
1410 bool any_symtab_changes = false;
1411 Elf_Data *shstrtab_data = NULL;
1412+ size_t shdridx = 0;
1413
1414 /* Create the full name of the file. */
1415 if (prefix != NULL)
feba504d 1416@@ -530,6 +531,11 @@
0dcd74c7
JR		 1417 goto fail_close;
1418 }
1419
1420+ if (shstrndx >= shnum)
1421+ goto illformed;
1422+
1423+#define elf_assert(test) do { if (!(test)) goto illformed; } while (0)
1424+
1425 /* Storage for section information. We leave room for two more
1426 entries since we unconditionally create a section header string
1427 table. Maybe some weird tool created an ELF file without one.
feba504d 1428@@ -551,7 +557,7 @@
0dcd74c7
JR		 1429 {
1430 /* This should always be true (i.e., there should not be any
1431 holes in the numbering). */
1432- assert (elf_ndxscn (scn) == cnt);
1433+ elf_assert (elf_ndxscn (scn) == cnt);
1434
1435 shdr_info[cnt].scn = scn;
1436
feba504d 1437@@ -564,6 +570,7 @@
0dcd74c7
JR		 1438 shdr_info[cnt].shdr.sh_name);
1439 if (shdr_info[cnt].name == NULL)
1440 {
1441+ illformed:
1442 error (0, 0, gettext ("illformed file '%s'"), fname);
1443 goto fail_close;
1444 }
feba504d 1445@@ -573,6 +580,8 @@
0dcd74c7
JR		 1446
1447 /* Remember the shdr.sh_link value. */
1448 shdr_info[cnt].old_sh_link = shdr_info[cnt].shdr.sh_link;
1449+ if (shdr_info[cnt].old_sh_link >= shnum)
1450+ goto illformed;
1451
1452 /* Sections in files other than relocatable object files which
1453 are not loaded can be freely moved by us. In relocatable
feba504d 1454@@ -585,7 +594,7 @@
0dcd74c7
JR		 1455 appropriate reference. */
1456 if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB_SHNDX))
1457 {
1458- assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
1459+ elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
1460 shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx = cnt;
1461 }
1462 else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GROUP))
feba504d 1463@@ -602,7 +611,12 @@
0dcd74c7
JR		 1464 for (inner = 1;
1465 inner < shdr_info[cnt].data->d_size / sizeof (Elf32_Word);
1466 ++inner)
1467- shdr_info[grpref[inner]].group_idx = cnt;
1468+ {
1469+ if (grpref[inner] < shnum)
1470+ shdr_info[grpref[inner]].group_idx = cnt;
1471+ else
1472+ goto illformed;
1473+ }
1474
1475 if (inner == 1 || (inner == 2 && (grpref[0] & GRP_COMDAT) == 0))
1476 /* If the section group contains only one element and this
feba504d 1477@@ -613,7 +627,7 @@
0dcd74c7
JR		 1478 }
1479 else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GNU_versym))
1480 {
1481- assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
1482+ elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
1483 shdr_info[shdr_info[cnt].shdr.sh_link].version_idx = cnt;
1484 }
1485
feba504d 1486@@ -621,7 +635,7 @@
0dcd74c7
JR		 1487 discarded right away. */
1488 if ((shdr_info[cnt].shdr.sh_flags & SHF_GROUP) != 0)
1489 {
1490- assert (shdr_info[cnt].group_idx != 0);
1491+ elf_assert (shdr_info[cnt].group_idx != 0);
1492
1493 if (shdr_info[shdr_info[cnt].group_idx].idx == 0)
1494 {
feba504d 1495@@ -696,10 +710,14 @@
0dcd74c7
JR		 1496 {
1497 /* If a relocation section is marked as being removed make
1498 sure the section it is relocating is removed, too. */
1499- if ((shdr_info[cnt].shdr.sh_type == SHT_REL
1500- || shdr_info[cnt].shdr.sh_type == SHT_RELA)
1501- && shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
1502- shdr_info[cnt].idx = 1;
1503+ if (shdr_info[cnt].shdr.sh_type == SHT_REL
1504+ || shdr_info[cnt].shdr.sh_type == SHT_RELA)
1505+ {
1506+ if (shdr_info[cnt].shdr.sh_info >= shnum)
1507+ goto illformed;
1508+ else if (shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
1509+ shdr_info[cnt].idx = 1;
1510+ }
1511 }
1512
1513 if (shdr_info[cnt].idx == 1)
feba504d 1514@@ -725,7 +743,7 @@
0dcd74c7
JR		 1515 if (shdr_info[cnt].symtab_idx != 0
1516 && shdr_info[shdr_info[cnt].symtab_idx].data == NULL)
1517 {
1518- assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
1519+ elf_assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
1520
1521 shdr_info[shdr_info[cnt].symtab_idx].data
1522 = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
feba504d 1523@@ -765,6 +783,9 @@
0dcd74c7
JR		 1524 else if (scnidx == SHN_XINDEX)
1525 scnidx = xndx;
1526
1527+ if (scnidx >= shnum)
1528+ goto illformed;
1529+
1530 if (shdr_info[scnidx].idx == 0)
1531 {
1532 /* Mark this section as used. */
feba504d 1533@@ -796,11 +817,15 @@
0dcd74c7
JR		 1534 }
1535
1536 /* Handle references through sh_info. */
1537- if (SH_INFO_LINK_P (&shdr_info[cnt].shdr)
1538- && shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
1539+ if (SH_INFO_LINK_P (&shdr_info[cnt].shdr))
1540 {
1541- shdr_info[shdr_info[cnt].shdr.sh_info].idx = 1;
1542- changes |= shdr_info[cnt].shdr.sh_info < cnt;
1543+ if (shdr_info[cnt].shdr.sh_info >= shnum)
1544+ goto illformed;
1545+ else if ( shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
1546+ {
1547+ shdr_info[shdr_info[cnt].shdr.sh_info].idx = 1;
1548+ changes |= shdr_info[cnt].shdr.sh_info < cnt;
1549+ }
1550 }
1551
1552 /* Mark the section as investigated. */
feba504d 1553@@ -900,7 +925,7 @@
0dcd74c7
JR		 1554 error (EXIT_FAILURE, 0, gettext ("while generating output file: %s"),
1555 elf_errmsg (-1));
1556
1557- assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1558+ elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1559
1560 /* Add this name to the section header string table. */
1561 shdr_info[cnt].se = ebl_strtabadd (shst, shdr_info[cnt].name, 0);
feba504d 1562@@ -937,7 +962,7 @@
0dcd74c7
JR		 1563 error (EXIT_FAILURE, 0,
1564 gettext ("while create section header section: %s"),
1565 elf_errmsg (-1));
1566- assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1567+ elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1568
1569 shdr_info[cnt].data = elf_newdata (shdr_info[cnt].newscn);
1570 if (shdr_info[cnt].data == NULL)
feba504d 1571@@ -968,7 +993,7 @@
0dcd74c7
JR		 1572 }
1573
1574 /* Index of the section header table in the shdr_info array. */
1575- size_t shdridx = cnt;
1576+ shdridx = cnt;
1577
1578 /* Add the section header string table section name. */
1579 shdr_info[cnt].se = ebl_strtabadd (shst, ".shstrtab", 10);
feba504d 1580@@ -993,7 +1018,7 @@
0dcd74c7
JR		 1581 error (EXIT_FAILURE, 0,
1582 gettext ("while create section header section: %s"),
1583 elf_errmsg (-1));
1584- assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
1585+ elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
1586
1587 /* Finalize the string table and fill in the correct indices in the
1588 section headers. */
feba504d 1589@@ -1083,21 +1108,21 @@
0dcd74c7
JR		 1590 shndxdata = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
1591 NULL);
1592
1593- assert ((versiondata->d_size / sizeof (Elf32_Word))
1594- >= shdr_info[cnt].data->d_size / elsize);
1595+ elf_assert ((versiondata->d_size / sizeof (Elf32_Word))
1596+ >= shdr_info[cnt].data->d_size / elsize);
1597 }
1598
1599 if (shdr_info[cnt].version_idx != 0)
1600 {
1601- assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
1602+ elf_assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
1603 /* This section has associated version
1604 information. We have to modify that
1605 information, too. */
1606 versiondata = elf_getdata (shdr_info[shdr_info[cnt].version_idx].scn,
1607 NULL);
1608
1609- assert ((versiondata->d_size / sizeof (GElf_Versym))
1610- >= shdr_info[cnt].data->d_size / elsize);
1611+ elf_assert ((versiondata->d_size / sizeof (GElf_Versym))
1612+ >= shdr_info[cnt].data->d_size / elsize);
1613 }
1614
1615 shdr_info[cnt].newsymidx
feba504d 1616@@ -1151,7 +1176,7 @@
0dcd74c7
JR		 1617 sec = shdr_info[sym->st_shndx].idx;
1618 else
1619 {
1620- assert (shndxdata != NULL);
1621+ elf_assert (shndxdata != NULL);
1622
1623 sec = shdr_info[xshndx].idx;
1624 }
feba504d 1625@@ -1172,7 +1197,7 @@
0dcd74c7
JR		 1626 nxshndx = sec;
1627 }
1628
1629- assert (sec < SHN_LORESERVE || shndxdata != NULL);
1630+ elf_assert (sec < SHN_LORESERVE || shndxdata != NULL);
1631
1632 if ((inner != destidx || nshndx != sym->st_shndx
1633 || (shndxdata != NULL && nxshndx != xshndx))
feba504d 1634@@ -1195,7 +1220,7 @@
0dcd74c7
JR		 1635 else
1636 /* This is a section symbol for a section which has
1637 been removed. */
1638- assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION);
1639+ elf_assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION);
1640 }
1641
1642 if (destidx != inner)
feba504d 1643@@ -1359,11 +1384,11 @@
0dcd74c7
JR		 1644 {
1645 GElf_Sym sym_mem;
1646 GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
1647- assert (sym != NULL);
1648+ elf_assert (sym != NULL);
1649
1650 const char *name = elf_strptr (elf, strshndx,
1651 sym->st_name);
1652- assert (name != NULL);
1653+ elf_assert (name != NULL);
1654 size_t hidx = elf_hash (name) % nbucket;
1655
1656 if (bucket[hidx] == 0)
feba504d 1657@@ -1382,8 +1407,8 @@
0dcd74c7
JR		 1658 else
1659 {
1660 /* Alpha and S390 64-bit use 64-bit SHT_HASH entries. */
1661- assert (shdr_info[cnt].shdr.sh_entsize
1662- == sizeof (Elf64_Xword));
1663+ elf_assert (shdr_info[cnt].shdr.sh_entsize
1664+ == sizeof (Elf64_Xword));
1665
1666 Elf64_Xword *bucket = (Elf64_Xword *) hashd->d_buf;
1667
feba504d 1668@@ -1416,11 +1441,11 @@
0dcd74c7
JR		 1669 {
1670 GElf_Sym sym_mem;
1671 GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
1672- assert (sym != NULL);
1673+ elf_assert (sym != NULL);
1674
1675 const char *name = elf_strptr (elf, strshndx,
1676 sym->st_name);
1677- assert (name != NULL);
1678+ elf_assert (name != NULL);
1679 size_t hidx = elf_hash (name) % nbucket;
1680
1681 if (bucket[hidx] == 0)
A collection of utilities and DSOs to handle compiled objects
This page took 0.289148 seconds and 4 git commands to generate.