1 --- elfutils/libelf/ChangeLog
2 +++ elfutils/libelf/ChangeLog
4 If section content hasn't been read yet, do it before looking for the
5 block size. If no section data present, infer size of section header.
7 +2005-05-14 Jakub Jelinek <jakub@redhat.com>
9 + * libelfP.h (INVALID_NDX): Define.
10 + * gelf_getdyn.c (gelf_getdyn): Use it. Remove ndx < 0 test if any.
11 + * gelf_getlib.c (gelf_getlib): Likewise.
12 + * gelf_getmove.c (gelf_getmove): Likewise.
13 + * gelf_getrel.c (gelf_getrel): Likewise.
14 + * gelf_getrela.c (gelf_getrela): Likewise.
15 + * gelf_getsym.c (gelf_getsym): Likewise.
16 + * gelf_getsyminfo.c (gelf_getsyminfo): Likewise.
17 + * gelf_getsymshndx.c (gelf_getsymshndx): Likewise.
18 + * gelf_getversym.c (gelf_getversym): Likewise.
19 + * gelf_update_dyn.c (gelf_update_dyn): Likewise.
20 + * gelf_update_lib.c (gelf_update_lib): Likewise.
21 + * gelf_update_move.c (gelf_update_move): Likewise.
22 + * gelf_update_rel.c (gelf_update_rel): Likewise.
23 + * gelf_update_rela.c (gelf_update_rela): Likewise.
24 + * gelf_update_sym.c (gelf_update_sym): Likewise.
25 + * gelf_update_syminfo.c (gelf_update_syminfo): Likewise.
26 + * gelf_update_symshndx.c (gelf_update_symshndx): Likewise.
27 + * gelf_update_versym.c (gelf_update_versym): Likewise.
28 + * elf_newscn.c (elf_newscn): Check for overflow.
29 + * elf32_updatefile.c (__elfw2(LIBELFBITS,updatemmap)): Likewise.
30 + (__elfw2(LIBELFBITS,updatefile)): Likewise.
31 + * elf_begin.c (file_read_elf): Likewise.
32 + * elf32_newphdr.c (elfw2(LIBELFBITS,newphdr)): Likewise.
33 + * elf_getarsym.c (elf_getarsym): Likewise.
34 + * elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)): Likewise.
35 2005-05-11 Ulrich Drepper <drepper@redhat.com>
37 * elf.h: Update again.
39 +2005-05-17 Jakub Jelinek <jakub@redhat.com>
41 + * elf32_getphdr.c (elfw2(LIBELFBITS,getphdr)): Check if program header
42 + table fits into object's bounds.
43 + * elf_getshstrndx.c (elf_getshstrndx): Add elf->start_offset to
44 + elf->map_address. Check if first section header fits into object's
46 + * elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)):
47 + Check if section header table fits into object's bounds.
48 + * elf_begin.c (get_shnum): Ensure section headers fits into
50 + (file_read_elf): Make sure scncnt is small enough to allocate both
51 + ElfXX_Shdr and Elf_Scn array. Make sure section and program header
52 + tables fit into object's bounds. Avoid memory leak on failure.
54 2005-05-09 Ulrich Drepper <drepper@redhat.com>
56 * elf.h: Update from glibc.
57 --- elfutils/libelf/elf32_getphdr.c
58 +++ elfutils/libelf/elf32_getphdr.c
59 @@ -114,6 +114,16 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
61 if (elf->map_address != NULL)
63 + /* First see whether the information in the ELF header is
64 + valid and it does not ask for too much. */
65 + if (unlikely (ehdr->e_phoff >= elf->maximum_size)
66 + || unlikely (elf->maximum_size - ehdr->e_phoff < size))
68 + /* Something is wrong. */
69 + __libelf_seterrno (ELF_E_INVALID_PHDR);
73 /* All the data is already mapped. Use it. */
74 void *file_phdr = ((char *) elf->map_address
75 + elf->start_offset + ehdr->e_phoff);
76 --- elfutils/libelf/elf32_getshdr.c
77 +++ elfutils/libelf/elf32_getshdr.c
79 /* Return section header.
80 - Copyright (C) 1998, 1999, 2000, 2001, 2002, 2005, 2007, 2009 Red Hat, Inc.
81 + Copyright (C) 1998-2009 Red Hat, Inc.
82 This file is part of Red Hat elfutils.
83 Written by Ulrich Drepper <drepper@redhat.com>, 1998.
85 @@ -81,7 +81,8 @@ load_shdr_wrlock (Elf_Scn *scn)
89 - if (__elf_getshdrnum_rdlock (elf, &shnum) != 0)
90 + if (__elf_getshdrnum_rdlock (elf, &shnum) != 0
91 + || shnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Shdr)))
93 size_t size = shnum * sizeof (ElfW2(LIBELFBITS,Shdr));
95 @@ -98,6 +99,16 @@ load_shdr_wrlock (Elf_Scn *scn)
97 if (elf->map_address != NULL)
99 + /* First see whether the information in the ELF header is
100 + valid and it does not ask for too much. */
101 + if (unlikely (ehdr->e_shoff >= elf->maximum_size)
102 + || unlikely (elf->maximum_size - ehdr->e_shoff < size))
104 + /* Something is wrong. */
105 + __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
109 ElfW2(LIBELFBITS,Shdr) *notcvt;
111 /* All the data is already mapped. If we could use it
112 --- elfutils/libelf/elf32_newphdr.c
113 +++ elfutils/libelf/elf32_newphdr.c
114 @@ -135,6 +135,12 @@ elfw2(LIBELFBITS,newphdr) (elf, count)
116 || elf->state.ELFW(elf,LIBELFBITS).phdr == NULL)
118 + if (unlikely (count > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))))
124 /* Allocate a new program header with the appropriate number of
126 result = (ElfW2(LIBELFBITS,Phdr) *)
127 --- elfutils/libelf/elf32_updatefile.c
128 +++ elfutils/libelf/elf32_updatefile.c
129 @@ -223,6 +223,9 @@ __elfw2(LIBELFBITS,updatemmap) (Elf *elf
130 /* Write all the sections. Well, only those which are modified. */
133 + if (unlikely (shnum > SIZE_MAX / sizeof (Elf_Scn *)))
136 Elf_ScnList *list = &elf->state.ELFW(elf,LIBELFBITS).scns;
137 Elf_Scn **scns = (Elf_Scn **) alloca (shnum * sizeof (Elf_Scn *));
138 char *const shdr_start = ((char *) elf->map_address + elf->start_offset
139 @@ -645,6 +648,10 @@ __elfw2(LIBELFBITS,updatefile) (Elf *elf
140 /* Write all the sections. Well, only those which are modified. */
143 + if (unlikely (shnum > SIZE_MAX / (sizeof (Elf_Scn *)
144 + + sizeof (ElfW2(LIBELFBITS,Shdr)))))
147 off_t shdr_offset = elf->start_offset + ehdr->e_shoff;
149 xfct_t shdr_fctp = __elf_xfctstom[__libelf_version - 1][EV_CURRENT - 1][ELFW(ELFCLASS, LIBELFBITS) - 1][ELF_T_SHDR];
150 --- elfutils/libelf/elf_begin.c
151 +++ elfutils/libelf/elf_begin.c
152 @@ -165,7 +165,8 @@ get_shnum (void *map_address, unsigned c
154 if (unlikely (result == 0) && ehdr.e32->e_shoff != 0)
156 - if (ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize)
157 + if (unlikely (ehdr.e32->e_shoff >= maxsize)
158 + || unlikely (maxsize - ehdr.e32->e_shoff < sizeof (Elf32_Shdr)))
159 /* Cannot read the first section header. */
162 @@ -213,7 +214,8 @@ get_shnum (void *map_address, unsigned c
164 if (unlikely (result == 0) && ehdr.e64->e_shoff != 0)
166 - if (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize)
167 + if (unlikely (ehdr.e64->e_shoff >= maxsize)
168 + || unlikely (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize))
169 /* Cannot read the first section header. */
172 @@ -285,6 +287,15 @@ file_read_elf (int fildes, void *map_add
173 /* Could not determine the number of sections. */
176 + /* Check for too many sections. */
177 + if (e_ident[EI_CLASS] == ELFCLASS32)
179 + if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf32_Shdr)))
182 + else if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr)))
185 /* We can now allocate the memory. Even if there are no section headers,
186 we allocate space for a zeroth section in case we need it later. */
187 const size_t scnmax = (scncnt ?: (cmd == ELF_C_RDWR || cmd == ELF_C_RDWR_MMAP)
188 @@ -324,6 +335,16 @@ file_read_elf (int fildes, void *map_add
190 /* We can use the mmapped memory. */
191 elf->state.elf32.ehdr = ehdr;
193 + if (unlikely (ehdr->e_shoff >= maxsize)
194 + || unlikely (maxsize - ehdr->e_shoff
195 + < scncnt * sizeof (Elf32_Shdr)))
199 + __libelf_seterrno (ELF_E_INVALID_FILE);
202 elf->state.elf32.shdr
203 = (Elf32_Shdr *) ((char *) ehdr + ehdr->e_shoff);
205 @@ -410,6 +431,11 @@ file_read_elf (int fildes, void *map_add
207 /* We can use the mmapped memory. */
208 elf->state.elf64.ehdr = ehdr;
210 + if (unlikely (ehdr->e_shoff >= maxsize)
211 + || unlikely (ehdr->e_shoff
212 + + scncnt * sizeof (Elf32_Shdr) > maxsize))
214 elf->state.elf64.shdr
215 = (Elf64_Shdr *) ((char *) ehdr + ehdr->e_shoff);
217 --- elfutils/libelf/elf_getarsym.c
218 +++ elfutils/libelf/elf_getarsym.c
219 @@ -179,6 +179,9 @@ elf_getarsym (elf, ptr)
220 size_t index_size = atol (tmpbuf);
222 if (SARMAG + sizeof (struct ar_hdr) + index_size > elf->maximum_size
223 +#if SIZE_MAX <= 4294967295U
224 + || n >= SIZE_MAX / sizeof (Elf_Arsym)
226 || n * sizeof (uint32_t) > index_size)
228 /* This index table cannot be right since it does not fit into
229 --- elfutils/libelf/elf_getshdrstrndx.c
230 +++ elfutils/libelf/elf_getshdrstrndx.c
231 @@ -125,10 +125,25 @@ elf_getshdrstrndx (elf, dst)
232 if (elf->map_address != NULL
233 && elf->state.elf32.ehdr->e_ident[EI_DATA] == MY_ELFDATA
235 - || (((size_t) ((char *) elf->map_address + offset))
236 + || (((size_t) ((char *) elf->map_address
237 + + elf->start_offset + offset))
238 & (__alignof__ (Elf32_Shdr) - 1)) == 0))
239 - /* We can directly access the memory. */
240 - num = ((Elf32_Shdr *) (elf->map_address + offset))->sh_link;
242 + /* First see whether the information in the ELF header is
243 + valid and it does not ask for too much. */
244 + if (unlikely (elf->maximum_size - offset
245 + < sizeof (Elf32_Shdr)))
247 + /* Something is wrong. */
248 + __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
253 + /* We can directly access the memory. */
254 + num = ((Elf32_Shdr *) (elf->map_address + elf->start_offset
255 + + offset))->sh_link;
259 /* We avoid reading in all the section headers. Just read
260 @@ -163,10 +178,25 @@ elf_getshdrstrndx (elf, dst)
261 if (elf->map_address != NULL
262 && elf->state.elf64.ehdr->e_ident[EI_DATA] == MY_ELFDATA
264 - || (((size_t) ((char *) elf->map_address + offset))
265 + || (((size_t) ((char *) elf->map_address
266 + + elf->start_offset + offset))
267 & (__alignof__ (Elf64_Shdr) - 1)) == 0))
268 - /* We can directly access the memory. */
269 - num = ((Elf64_Shdr *) (elf->map_address + offset))->sh_link;
271 + /* First see whether the information in the ELF header is
272 + valid and it does not ask for too much. */
273 + if (unlikely (elf->maximum_size - offset
274 + < sizeof (Elf64_Shdr)))
276 + /* Something is wrong. */
277 + __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
282 + /* We can directly access the memory. */
283 + num = ((Elf64_Shdr *) (elf->map_address + elf->start_offset
284 + + offset))->sh_link;
288 /* We avoid reading in all the section headers. Just read
289 --- elfutils/libelf/elf_newscn.c
290 +++ elfutils/libelf/elf_newscn.c
291 @@ -104,10 +104,18 @@ elf_newscn (elf)
294 /* We must allocate a new element. */
296 + Elf_ScnList *newp = NULL;
298 assert (elf->state.elf.scnincr > 0);
301 +#if SIZE_MAX <= 4294967295U
302 + likely (elf->state.elf.scnincr
303 + < SIZE_MAX / 2 / sizeof (Elf_Scn) - sizeof (Elf_ScnList))
308 newp = (Elf_ScnList *) calloc (sizeof (Elf_ScnList)
309 + ((elf->state.elf.scnincr *= 2)
310 * sizeof (Elf_Scn)), 1);
311 --- elfutils/libelf/gelf_getdyn.c
312 +++ elfutils/libelf/gelf_getdyn.c
314 /* Get information from dynamic table at the given index.
315 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
316 + Copyright (C) 2000-2009 Red Hat, Inc.
317 This file is part of Red Hat elfutils.
318 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
320 @@ -93,7 +93,7 @@ gelf_getdyn (data, ndx, dst)
321 table entries has to be adopted. The user better has provided
322 a buffer where we can store the information. While copying the
323 data we are converting the format. */
324 - if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
325 + if (INVALID_NDX (ndx, Elf32_Dyn, &data_scn->d))
327 __libelf_seterrno (ELF_E_INVALID_INDEX);
329 @@ -114,7 +114,7 @@ gelf_getdyn (data, ndx, dst)
331 /* The data is already in the correct form. Just make sure the
333 - if (unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))
334 + if (INVALID_NDX (ndx, GElf_Dyn, &data_scn->d))
336 __libelf_seterrno (ELF_E_INVALID_INDEX);
338 --- elfutils/libelf/gelf_getlib.c
339 +++ elfutils/libelf/gelf_getlib.c
341 /* Get library from table at the given index.
342 - Copyright (C) 2004 Red Hat, Inc.
343 + Copyright (C) 2004-2009 Red Hat, Inc.
344 This file is part of Red Hat elfutils.
345 Written by Ulrich Drepper <drepper@redhat.com>, 2004.
347 @@ -86,7 +86,7 @@ gelf_getlib (data, ndx, dst)
348 /* The data is already in the correct form. Just make sure the
350 GElf_Lib *result = NULL;
351 - if (unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))
352 + if (INVALID_NDX (ndx, GElf_Lib, data))
353 __libelf_seterrno (ELF_E_INVALID_INDEX);
356 --- elfutils/libelf/gelf_getmove.c
357 +++ elfutils/libelf/gelf_getmove.c
359 /* Get move structure at the given index.
360 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
361 + Copyright (C) 2000-2009 Red Hat, Inc.
362 This file is part of Red Hat elfutils.
363 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
365 @@ -83,7 +83,7 @@ gelf_getmove (data, ndx, dst)
367 /* The data is already in the correct form. Just make sure the
369 - if (unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))
370 + if (INVALID_NDX (ndx, GElf_Move, data))
372 __libelf_seterrno (ELF_E_INVALID_INDEX);
374 --- elfutils/libelf/gelf_getrela.c
375 +++ elfutils/libelf/gelf_getrela.c
377 /* Get RELA relocation information at given index.
378 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
379 + Copyright (C) 2000-2009 Red Hat, Inc.
380 This file is part of Red Hat elfutils.
381 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
383 @@ -71,12 +71,6 @@ gelf_getrela (data, ndx, dst)
384 if (data_scn == NULL)
387 - if (unlikely (ndx < 0))
389 - __libelf_seterrno (ELF_E_INVALID_INDEX);
393 if (unlikely (data_scn->d.d_type != ELF_T_RELA))
395 __libelf_seterrno (ELF_E_INVALID_HANDLE);
396 @@ -93,7 +87,7 @@ gelf_getrela (data, ndx, dst)
397 if (scn->elf->class == ELFCLASS32)
399 /* We have to convert the data. */
400 - if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
401 + if (INVALID_NDX (ndx, Elf32_Rela, &data_scn->d))
403 __libelf_seterrno (ELF_E_INVALID_INDEX);
405 @@ -114,7 +108,7 @@ gelf_getrela (data, ndx, dst)
407 /* Simply copy the data after we made sure we are actually getting
409 - if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
410 + if (INVALID_NDX (ndx, Elf64_Rela, &data_scn->d))
412 __libelf_seterrno (ELF_E_INVALID_INDEX);
414 --- elfutils/libelf/gelf_getrel.c
415 +++ elfutils/libelf/gelf_getrel.c
417 /* Get REL relocation information at given index.
418 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
419 + Copyright (C) 2000-2009 Red Hat, Inc.
420 This file is part of Red Hat elfutils.
421 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
423 @@ -71,12 +71,6 @@ gelf_getrel (data, ndx, dst)
424 if (data_scn == NULL)
427 - if (unlikely (ndx < 0))
429 - __libelf_seterrno (ELF_E_INVALID_INDEX);
433 if (unlikely (data_scn->d.d_type != ELF_T_REL))
435 __libelf_seterrno (ELF_E_INVALID_HANDLE);
436 @@ -93,7 +87,7 @@ gelf_getrel (data, ndx, dst)
437 if (scn->elf->class == ELFCLASS32)
439 /* We have to convert the data. */
440 - if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
441 + if (INVALID_NDX (ndx, Elf32_Rel, &data_scn->d))
443 __libelf_seterrno (ELF_E_INVALID_INDEX);
445 @@ -113,7 +107,7 @@ gelf_getrel (data, ndx, dst)
447 /* Simply copy the data after we made sure we are actually getting
449 - if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
450 + if (INVALID_NDX (ndx, Elf64_Rel, &data_scn->d))
452 __libelf_seterrno (ELF_E_INVALID_INDEX);
454 --- elfutils/libelf/gelf_getsym.c
455 +++ elfutils/libelf/gelf_getsym.c
457 /* Get symbol information from symbol table at the given index.
458 - Copyright (C) 1999, 2000, 2001, 2002 Red Hat, Inc.
459 + Copyright (C) 1999-2009 Red Hat, Inc.
460 This file is part of Red Hat elfutils.
461 Written by Ulrich Drepper <drepper@redhat.com>, 1999.
463 @@ -90,7 +90,7 @@ gelf_getsym (data, ndx, dst)
464 table entries has to be adopted. The user better has provided
465 a buffer where we can store the information. While copying the
466 data we are converting the format. */
467 - if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))
468 + if (INVALID_NDX (ndx, Elf32_Sym, data))
470 __libelf_seterrno (ELF_E_INVALID_INDEX);
472 @@ -119,7 +119,7 @@ gelf_getsym (data, ndx, dst)
474 /* The data is already in the correct form. Just make sure the
476 - if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))
477 + if (INVALID_NDX (ndx, GElf_Sym, data))
479 __libelf_seterrno (ELF_E_INVALID_INDEX);
481 --- elfutils/libelf/gelf_getsyminfo.c
482 +++ elfutils/libelf/gelf_getsyminfo.c
484 /* Get additional symbol information from symbol table at the given index.
485 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
486 + Copyright (C) 2000-2009 Red Hat, Inc.
487 This file is part of Red Hat elfutils.
488 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
490 @@ -84,7 +84,7 @@ gelf_getsyminfo (data, ndx, dst)
492 /* The data is already in the correct form. Just make sure the
494 - if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))
495 + if (INVALID_NDX (ndx, GElf_Syminfo, data))
497 __libelf_seterrno (ELF_E_INVALID_INDEX);
499 --- elfutils/libelf/gelf_getsymshndx.c
500 +++ elfutils/libelf/gelf_getsymshndx.c
502 /* Get symbol information and separate section index from symbol table
504 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
505 + Copyright (C) 2000-2009 Red Hat, Inc.
506 This file is part of Red Hat elfutils.
507 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
509 @@ -90,7 +90,7 @@ gelf_getsymshndx (symdata, shndxdata, nd
510 section index table. */
511 if (likely (shndxdata_scn != NULL))
513 - if (unlikely ((ndx + 1) * sizeof (Elf32_Word) > shndxdata_scn->d.d_size))
514 + if (INVALID_NDX (ndx, Elf32_Word, &shndxdata_scn->d))
516 __libelf_seterrno (ELF_E_INVALID_INDEX);
518 @@ -110,7 +110,7 @@ gelf_getsymshndx (symdata, shndxdata, nd
519 table entries has to be adopted. The user better has provided
520 a buffer where we can store the information. While copying the
521 data we are converting the format. */
522 - if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))
523 + if (INVALID_NDX (ndx, Elf32_Sym, symdata))
525 __libelf_seterrno (ELF_E_INVALID_INDEX);
527 @@ -139,7 +139,7 @@ gelf_getsymshndx (symdata, shndxdata, nd
529 /* The data is already in the correct form. Just make sure the
531 - if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))
532 + if (INVALID_NDX (ndx, GElf_Sym, symdata))
534 __libelf_seterrno (ELF_E_INVALID_INDEX);
536 --- elfutils/libelf/gelf_getversym.c
537 +++ elfutils/libelf/gelf_getversym.c
539 /* Get symbol version information at the given index.
540 - Copyright (C) 1999, 2000, 2001, 2002 Red Hat, Inc.
541 + Copyright (C) 1999-2009 Red Hat, Inc.
542 This file is part of Red Hat elfutils.
543 Written by Ulrich Drepper <drepper@redhat.com>, 1999.
545 @@ -92,7 +92,7 @@ gelf_getversym (data, ndx, dst)
547 /* The data is already in the correct form. Just make sure the
549 - if (unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))
550 + if (INVALID_NDX (ndx, GElf_Versym, data))
552 __libelf_seterrno (ELF_E_INVALID_INDEX);
554 --- elfutils/libelf/gelf_update_dyn.c
555 +++ elfutils/libelf/gelf_update_dyn.c
557 /* Update information in dynamic table at the given index.
558 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
559 + Copyright (C) 2000-2009 Red Hat, Inc.
560 This file is part of Red Hat elfutils.
561 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
563 @@ -71,12 +71,6 @@ gelf_update_dyn (data, ndx, src)
567 - if (unlikely (ndx < 0))
569 - __libelf_seterrno (ELF_E_INVALID_INDEX);
573 if (unlikely (data_scn->d.d_type != ELF_T_DYN))
575 /* The type of the data better should match. */
576 @@ -102,7 +96,7 @@ gelf_update_dyn (data, ndx, src)
579 /* Check whether we have to resize the data buffer. */
580 - if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
581 + if (INVALID_NDX (ndx, Elf32_Dyn, &data_scn->d))
583 __libelf_seterrno (ELF_E_INVALID_INDEX);
585 @@ -116,7 +110,7 @@ gelf_update_dyn (data, ndx, src)
588 /* Check whether we have to resize the data buffer. */
589 - if (unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))
590 + if (INVALID_NDX (ndx, Elf64_Dyn, &data_scn->d))
592 __libelf_seterrno (ELF_E_INVALID_INDEX);
594 --- elfutils/libelf/gelf_update_lib.c
595 +++ elfutils/libelf/gelf_update_lib.c
597 /* Update library in table at the given index.
598 - Copyright (C) 2004 Red Hat, Inc.
599 + Copyright (C) 2004-2009 Red Hat, Inc.
600 This file is part of Red Hat elfutils.
601 Written by Ulrich Drepper <drepper@redhat.com>, 2004.
603 @@ -68,12 +68,6 @@ gelf_update_lib (data, ndx, src)
607 - if (unlikely (ndx < 0))
609 - __libelf_seterrno (ELF_E_INVALID_INDEX);
613 Elf_Data_Scn *data_scn = (Elf_Data_Scn *) data;
614 if (unlikely (data_scn->d.d_type != ELF_T_LIB))
616 @@ -87,7 +81,7 @@ gelf_update_lib (data, ndx, src)
618 /* Check whether we have to resize the data buffer. */
620 - if (unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))
621 + if (INVALID_NDX (ndx, Elf64_Lib, &data_scn->d))
622 __libelf_seterrno (ELF_E_INVALID_INDEX);
625 --- elfutils/libelf/gelf_update_move.c
626 +++ elfutils/libelf/gelf_update_move.c
628 /* Update move structure at the given index.
629 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
630 + Copyright (C) 2000-2009 Red Hat, Inc.
631 This file is part of Red Hat elfutils.
632 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
634 @@ -75,8 +75,7 @@ gelf_update_move (data, ndx, src)
635 assert (sizeof (GElf_Move) == sizeof (Elf64_Move));
637 /* Check whether we have to resize the data buffer. */
638 - if (unlikely (ndx < 0)
639 - || unlikely ((ndx + 1) * sizeof (GElf_Move) > data_scn->d.d_size))
640 + if (INVALID_NDX (ndx, GElf_Move, &data_scn->d))
642 __libelf_seterrno (ELF_E_INVALID_INDEX);
644 --- elfutils/libelf/gelf_update_rela.c
645 +++ elfutils/libelf/gelf_update_rela.c
647 /* Update RELA relocation information at given index.
648 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
649 + Copyright (C) 2000-2009 Red Hat, Inc.
650 This file is part of Red Hat elfutils.
651 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
653 @@ -68,12 +68,6 @@ gelf_update_rela (Elf_Data *dst, int ndx
657 - if (unlikely (ndx < 0))
659 - __libelf_seterrno (ELF_E_INVALID_INDEX);
663 if (unlikely (data_scn->d.d_type != ELF_T_RELA))
665 /* The type of the data better should match. */
666 @@ -101,7 +95,7 @@ gelf_update_rela (Elf_Data *dst, int ndx
669 /* Check whether we have to resize the data buffer. */
670 - if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
671 + if (INVALID_NDX (ndx, Elf32_Rela, &data_scn->d))
673 __libelf_seterrno (ELF_E_INVALID_INDEX);
675 @@ -117,7 +111,7 @@ gelf_update_rela (Elf_Data *dst, int ndx
678 /* Check whether we have to resize the data buffer. */
679 - if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
680 + if (INVALID_NDX (ndx, Elf64_Rela, &data_scn->d))
682 __libelf_seterrno (ELF_E_INVALID_INDEX);
684 --- elfutils/libelf/gelf_update_rel.c
685 +++ elfutils/libelf/gelf_update_rel.c
687 /* Update REL relocation information at given index.
688 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
689 + Copyright (C) 2000-2009 Red Hat, Inc.
690 This file is part of Red Hat elfutils.
691 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
693 @@ -68,12 +68,6 @@ gelf_update_rel (Elf_Data *dst, int ndx,
697 - if (unlikely (ndx < 0))
699 - __libelf_seterrno (ELF_E_INVALID_INDEX);
703 if (unlikely (data_scn->d.d_type != ELF_T_REL))
705 /* The type of the data better should match. */
706 @@ -99,7 +93,7 @@ gelf_update_rel (Elf_Data *dst, int ndx,
709 /* Check whether we have to resize the data buffer. */
710 - if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
711 + if (INVALID_NDX (ndx, Elf32_Rel, &data_scn->d))
713 __libelf_seterrno (ELF_E_INVALID_INDEX);
715 @@ -114,7 +108,7 @@ gelf_update_rel (Elf_Data *dst, int ndx,
718 /* Check whether we have to resize the data buffer. */
719 - if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
720 + if (INVALID_NDX (ndx, Elf64_Rel, &data_scn->d))
722 __libelf_seterrno (ELF_E_INVALID_INDEX);
724 --- elfutils/libelf/gelf_update_sym.c
725 +++ elfutils/libelf/gelf_update_sym.c
727 /* Update symbol information in symbol table at the given index.
728 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
729 + Copyright (C) 2000-2009 Red Hat, Inc.
730 This file is part of Red Hat elfutils.
731 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
733 @@ -72,12 +72,6 @@ gelf_update_sym (data, ndx, src)
737 - if (unlikely (ndx < 0))
739 - __libelf_seterrno (ELF_E_INVALID_INDEX);
743 if (unlikely (data_scn->d.d_type != ELF_T_SYM))
745 /* The type of the data better should match. */
746 @@ -102,7 +96,7 @@ gelf_update_sym (data, ndx, src)
749 /* Check whether we have to resize the data buffer. */
750 - if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))
751 + if (INVALID_NDX (ndx, Elf32_Sym, &data_scn->d))
753 __libelf_seterrno (ELF_E_INVALID_INDEX);
755 @@ -125,7 +119,7 @@ gelf_update_sym (data, ndx, src)
758 /* Check whether we have to resize the data buffer. */
759 - if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))
760 + if (INVALID_NDX (ndx, Elf64_Sym, &data_scn->d))
762 __libelf_seterrno (ELF_E_INVALID_INDEX);
764 --- elfutils/libelf/gelf_update_syminfo.c
765 +++ elfutils/libelf/gelf_update_syminfo.c
767 /* Update additional symbol information in symbol table at the given index.
768 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
769 + Copyright (C) 2000-2009 Red Hat, Inc.
770 This file is part of Red Hat elfutils.
771 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
773 @@ -72,12 +72,6 @@ gelf_update_syminfo (data, ndx, src)
777 - if (unlikely (ndx < 0))
779 - __libelf_seterrno (ELF_E_INVALID_INDEX);
783 if (unlikely (data_scn->d.d_type != ELF_T_SYMINFO))
785 /* The type of the data better should match. */
786 @@ -93,7 +87,7 @@ gelf_update_syminfo (data, ndx, src)
787 rwlock_wrlock (scn->elf->lock);
789 /* Check whether we have to resize the data buffer. */
790 - if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))
791 + if (INVALID_NDX (ndx, GElf_Syminfo, &data_scn->d))
793 __libelf_seterrno (ELF_E_INVALID_INDEX);
795 --- elfutils/libelf/gelf_update_symshndx.c
796 +++ elfutils/libelf/gelf_update_symshndx.c
798 /* Update symbol information and section index in symbol table at the
800 - Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
801 + Copyright (C) 2000-2009 Red Hat, Inc.
802 This file is part of Red Hat elfutils.
803 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
805 @@ -77,12 +77,6 @@ gelf_update_symshndx (symdata, shndxdata
809 - if (unlikely (ndx < 0))
811 - __libelf_seterrno (ELF_E_INVALID_INDEX);
815 if (unlikely (symdata_scn->d.d_type != ELF_T_SYM))
817 /* The type of the data better should match. */
818 @@ -128,7 +122,7 @@ gelf_update_symshndx (symdata, shndxdata
821 /* Check whether we have to resize the data buffer. */
822 - if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))
823 + if (INVALID_NDX (ndx, Elf32_Sym, &symdata_scn->d))
825 __libelf_seterrno (ELF_E_INVALID_INDEX);
827 @@ -151,7 +145,7 @@ gelf_update_symshndx (symdata, shndxdata
830 /* Check whether we have to resize the data buffer. */
831 - if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))
832 + if (INVALID_NDX (ndx, Elf64_Sym, &symdata_scn->d))
834 __libelf_seterrno (ELF_E_INVALID_INDEX);
836 --- elfutils/libelf/gelf_update_versym.c
837 +++ elfutils/libelf/gelf_update_versym.c
839 /* Update symbol version information.
840 - Copyright (C) 2001, 2002 Red Hat, Inc.
841 + Copyright (C) 2001-2009 Red Hat, Inc.
842 This file is part of Red Hat elfutils.
843 Written by Ulrich Drepper <drepper@redhat.com>, 2001.
845 @@ -75,8 +75,7 @@ gelf_update_versym (data, ndx, src)
846 assert (sizeof (GElf_Versym) == sizeof (Elf64_Versym));
848 /* Check whether we have to resize the data buffer. */
849 - if (unlikely (ndx < 0)
850 - || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data_scn->d.d_size))
851 + if (INVALID_NDX (ndx, GElf_Versym, &data_scn->d))
853 __libelf_seterrno (ELF_E_INVALID_INDEX);
855 --- elfutils/libelf/libelfP.h
856 +++ elfutils/libelf/libelfP.h
857 @@ -608,4 +608,8 @@ extern uint32_t __libelf_crc32 (uint32_t
858 /* Align offset to 4 bytes as needed for note name and descriptor data. */
859 #define NOTE_ALIGN(n) (((n) + 3) & -4U)
861 +/* Convenience macro. */
862 +#define INVALID_NDX(ndx, type, data) \
863 + unlikely ((data)->d_size / sizeof (type) <= (unsigned int) (ndx))
865 #endif /* libelfP.h */
866 --- elfutils/src/ChangeLog
867 +++ elfutils/src/ChangeLog
868 @@ -1686,6 +1686,16 @@
869 object symbols or symbols with unknown type.
870 (check_rel): Likewise.
872 +2005-06-09 Roland McGrath <roland@redhat.com>
874 + * readelf.c (handle_dynamic, handle_symtab): Check for bogus sh_link.
875 + (handle_verneed, handle_verdef, handle_versym, handle_hash): Likewise.
876 + (handle_scngrp): Check for bogus sh_info.
878 + * strip.c (handle_elf): Check for bogus values in sh_link, sh_info,
879 + st_shndx, e_shstrndx, and SHT_GROUP or SHT_SYMTAB_SHNDX data.
880 + Don't use assert on input values, instead bail with "illformed" error.
882 2005-06-08 Roland McGrath <roland@redhat.com>
884 * readelf.c (print_ops): Add consts.
885 @@ -1731,6 +1741,19 @@
887 * readelf.c (dwarf_tag_string): Add new tags.
889 +2005-05-17 Jakub Jelinek <jakub@redhat.com>
891 + * elflint.c (check_hash): Don't check entries beyond end of section.
892 + (check_note): Don't crash if gelf_rawchunk fails.
893 + (section_name): Return <invalid> if gelf_getshdr returns NULL.
895 +2005-05-14 Jakub Jelinek <jakub@redhat.com>
897 + * elflint.c (section_name): Return "<invalid>" instead of
898 + crashing on invalid section name.
899 + (check_symtab, is_rel_dyn, check_rela, check_rel, check_dynamic,
900 + check_symtab_shndx, check_hash, check_versym): Robustify.
902 2005-05-08 Roland McGrath <roland@redhat.com>
904 * strip.c (handle_elf): Don't translate hash and versym data formats,
905 --- elfutils/src/elflint.c
906 +++ elfutils/src/elflint.c
907 @@ -131,6 +131,10 @@ static uint32_t shstrndx;
908 /* Array to count references in section groups. */
911 +/* Numbers of sections and program headers. */
912 +static unsigned int shnum;
913 +static unsigned int phnum;
917 main (int argc, char *argv[])
918 @@ -319,10 +323,19 @@ section_name (Ebl *ebl, int idx)
924 + if ((unsigned int) idx > shnum)
925 + return "<invalid>";
927 shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);
929 + return "<invalid>";
931 - return elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
932 + ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
934 + return "<invalid>";
939 @@ -344,11 +357,6 @@ static const int valid_e_machine[] =
940 (sizeof (valid_e_machine) / sizeof (valid_e_machine[0]))
943 -/* Numbers of sections and program headers. */
944 -static unsigned int shnum;
945 -static unsigned int phnum;
949 check_elf_header (Ebl *ebl, GElf_Ehdr *ehdr, size_t size)
951 @@ -632,7 +640,8 @@ section [%2d] '%s': symbol table cannot
955 - if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT))
956 + size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT);
957 + if (shdr->sh_entsize != sh_entsize)
959 section [%2u] '%s': entry size is does not match ElfXX_Sym\n"),
960 idx, section_name (ebl, idx));
961 @@ -670,7 +679,7 @@ section [%2d] '%s': XINDEX for zeroth en
962 xndxscnidx, section_name (ebl, xndxscnidx));
965 - for (size_t cnt = 1; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
966 + for (size_t cnt = 1; cnt < shdr->sh_size / sh_entsize; ++cnt)
968 sym = gelf_getsymshndx (data, xndxdata, cnt, &sym_mem, &xndx);
970 @@ -690,7 +699,8 @@ section [%2d] '%s': symbol %zu: invalid
973 name = elf_strptr (ebl->elf, shdr->sh_link, sym->st_name);
974 - assert (name != NULL);
975 + assert (name != NULL
976 + || strshdr->sh_type != SHT_STRTAB);
979 if (sym->st_shndx == SHN_XINDEX)
980 @@ -1038,9 +1048,11 @@ is_rel_dyn (Ebl *ebl, const GElf_Ehdr *e
982 GElf_Shdr rcshdr_mem;
983 const GElf_Shdr *rcshdr = gelf_getshdr (scn, &rcshdr_mem);
984 - assert (rcshdr != NULL);
986 - if (rcshdr->sh_type == SHT_DYNAMIC)
987 + if (rcshdr == NULL)
990 + if (rcshdr->sh_type == SHT_DYNAMIC && rcshdr->sh_entsize)
992 /* Found the dynamic section. Look through it. */
993 Elf_Data *d = elf_getdata (scn, NULL);
994 @@ -1050,7 +1062,9 @@ is_rel_dyn (Ebl *ebl, const GElf_Ehdr *e
997 GElf_Dyn *dyn = gelf_getdyn (d, cnt, &dyn_mem);
998 - assert (dyn != NULL);
1003 if (dyn->d_tag == DT_RELCOUNT)
1005 @@ -1064,7 +1078,9 @@ section [%2d] '%s': DT_RELCOUNT used for
1006 /* Does the number specified number of relative
1007 relocations exceed the total number of
1009 - if (dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
1010 + if (shdr->sh_entsize != 0
1011 + && dyn->d_un.d_val > (shdr->sh_size
1012 + / shdr->sh_entsize))
1014 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
1015 idx, section_name (ebl, idx),
1016 @@ -1224,7 +1240,8 @@ section [%2d] '%s': no relocations for m
1020 - if (shdr->sh_entsize != gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT))
1021 + size_t sh_entsize = gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT);
1022 + if (shdr->sh_entsize != sh_entsize)
1023 ERROR (gettext (reltype == ELF_T_RELA ? "\
1024 section [%2d] '%s': section entry size does not match ElfXX_Rela\n" : "\
1025 section [%2d] '%s': section entry size does not match ElfXX_Rel\n"),
1026 @@ -1447,7 +1464,8 @@ check_rela (Ebl *ebl, GElf_Ehdr *ehdr, G
1027 Elf_Data *symdata = elf_getdata (symscn, NULL);
1028 enum load_state state = state_undecided;
1030 - for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1031 + size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
1032 + for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1035 GElf_Rela *rela = gelf_getrela (data, cnt, &rela_mem);
1036 @@ -1497,7 +1515,8 @@ check_rel (Ebl *ebl, GElf_Ehdr *ehdr, GE
1037 Elf_Data *symdata = elf_getdata (symscn, NULL);
1038 enum load_state state = state_undecided;
1040 - for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1041 + size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
1042 + for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1045 GElf_Rel *rel = gelf_getrel (data, cnt, &rel_mem);
1046 @@ -1600,7 +1619,8 @@ section [%2d] '%s': referenced as string
1047 shdr->sh_link, section_name (ebl, shdr->sh_link),
1048 idx, section_name (ebl, idx));
1050 - if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT))
1051 + size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
1052 + if (shdr->sh_entsize != sh_entsize)
1054 section [%2d] '%s': section entry size does not match ElfXX_Dyn\n"),
1055 idx, section_name (ebl, idx));
1056 @@ -1610,7 +1630,7 @@ section [%2d] '%s': section entry size d
1057 idx, section_name (ebl, idx));
1059 bool non_null_warned = false;
1060 - for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1061 + for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1064 GElf_Dyn *dyn = gelf_getdyn (data, cnt, &dyn_mem);
1065 @@ -1891,6 +1911,8 @@ section [%2d] '%s': entry size does not
1066 idx, section_name (ebl, idx));
1069 + && shdr->sh_entsize
1070 + && symshdr->sh_entsize
1071 && (shdr->sh_size / shdr->sh_entsize
1072 < symshdr->sh_size / symshdr->sh_entsize))
1074 @@ -1917,6 +1939,12 @@ section [%2d] '%s': extended section ind
1077 Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1080 + ERROR (gettext ("section [%2d] '%s': cannot get section data\n"),
1081 + idx, section_name (ebl, idx));
1085 if (*((Elf32_Word *) data->d_buf) != 0)
1086 ERROR (gettext ("symbol 0 should have zero extended section index\n"));
1087 @@ -1959,7 +1987,7 @@ section [%2d] '%s': hash table section i
1089 size_t maxidx = nchain;
1091 - if (symshdr != NULL)
1092 + if (symshdr != NULL && symshdr->sh_entsize != 0)
1094 size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
1096 @@ -1970,18 +1998,28 @@ section [%2d] '%s': hash table section i
1100 + Elf32_Word *buf = (Elf32_Word *) data->d_buf;
1101 + Elf32_Word *end = (Elf32_Word *) ((char *) data->d_buf + shdr->sh_size);
1103 for (cnt = 2; cnt < 2 + nbucket; ++cnt)
1104 - if (((Elf32_Word *) data->d_buf)[cnt] >= maxidx)
1106 + if (buf + cnt >= end)
1108 + else if (buf[cnt] >= maxidx)
1110 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
1111 idx, section_name (ebl, idx), cnt - 2);
1114 for (; cnt < 2 + nbucket + nchain; ++cnt)
1115 - if (((Elf32_Word *) data->d_buf)[cnt] >= maxidx)
1117 + if (buf + cnt >= end)
1119 + else if (buf[cnt] >= maxidx)
1121 section [%2d] '%s': hash chain reference %zu out of bounds\n"),
1122 idx, section_name (ebl, idx), cnt - 2 - nbucket);
1127 @@ -2011,18 +2049,28 @@ section [%2d] '%s': hash table section i
1131 + Elf64_Xword *buf = (Elf64_Xword *) data->d_buf;
1132 + Elf64_Xword *end = (Elf64_Xword *) ((char *) data->d_buf + shdr->sh_size);
1134 for (cnt = 2; cnt < 2 + nbucket; ++cnt)
1135 - if (((Elf64_Xword *) data->d_buf)[cnt] >= maxidx)
1137 + if (buf + cnt >= end)
1139 + else if (buf[cnt] >= maxidx)
1141 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
1142 idx, section_name (ebl, idx), cnt - 2);
1145 for (; cnt < 2 + nbucket + nchain; ++cnt)
1146 - if (((Elf64_Xword *) data->d_buf)[cnt] >= maxidx)
1148 + if (buf + cnt >= end)
1150 + else if (buf[cnt] >= maxidx)
1152 section [%2d] '%s': hash chain reference %" PRIu64 " out of bounds\n"),
1153 - idx, section_name (ebl, idx), (uint64_t) (cnt - 2 - nbucket));
1154 + idx, section_name (ebl, idx), (uint64_t) cnt - 2 - nbucket);
1159 @@ -2047,7 +2095,7 @@ section [%2d] '%s': bitmask size not pow
1160 if (shdr->sh_size < (4 + bitmask_words + nbuckets) * sizeof (Elf32_Word))
1163 -section [%2d] '%s': hash table section is too small (is %ld, expected at least%ld)\n"),
1164 +section [%2d] '%s': hash table section is too small (is %ld, expected at least %ld)\n"),
1165 idx, section_name (ebl, idx), (long int) shdr->sh_size,
1166 (long int) ((4 + bitmask_words + nbuckets) * sizeof (Elf32_Word)));
1168 @@ -2719,8 +2767,9 @@ section [%2d] '%s' refers in sh_link to
1170 /* The number of elements in the version symbol table must be the
1171 same as the number of symbols. */
1172 - if (shdr->sh_size / shdr->sh_entsize
1173 - != symshdr->sh_size / symshdr->sh_entsize)
1174 + if (shdr->sh_entsize && symshdr->sh_entsize
1175 + && (shdr->sh_size / shdr->sh_entsize
1176 + != symshdr->sh_size / symshdr->sh_entsize))
1178 section [%2d] '%s' has different number of entries than symbol table [%2d] '%s'\n"),
1179 idx, section_name (ebl, idx),
1180 --- elfutils/src/readelf.c
1181 +++ elfutils/src/readelf.c
1182 @@ -1178,6 +1178,8 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
1183 Elf32_Word *grpref = (Elf32_Word *) data->d_buf;
1186 + GElf_Sym *sym = gelf_getsym (symdata, shdr->sh_info, &sym_mem);
1188 printf ((grpref[0] & GRP_COMDAT)
1190 \nCOMDAT section group [%2zu] '%s' with signature '%s' contains %zu entry:\n",
1191 @@ -1190,8 +1192,8 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
1192 data->d_size / sizeof (Elf32_Word) - 1),
1194 elf_strptr (ebl->elf, shstrndx, shdr->sh_name),
1195 - elf_strptr (ebl->elf, symshdr->sh_link,
1196 - gelf_getsym (symdata, shdr->sh_info, &sym_mem)->st_name)
1197 + (sym == NULL ? NULL
1198 + : elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name))
1199 ?: gettext ("<INVALID SYMBOL>"),
1200 data->d_size / sizeof (Elf32_Word) - 1);
1202 @@ -1342,7 +1344,8 @@ static void
1203 handle_dynamic (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
1205 int class = gelf_getclass (ebl->elf);
1207 + GElf_Shdr glink_mem;
1212 @@ -1357,6 +1360,11 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn,
1213 error (EXIT_FAILURE, 0,
1214 gettext ("cannot get section header string table index"));
1216 + glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
1217 + if (glink == NULL)
1218 + error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1219 + elf_ndxscn (scn));
1221 printf (ngettext ("\
1222 \nDynamic segment contains %lu entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1224 @@ -1366,9 +1374,7 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn,
1225 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1227 (int) shdr->sh_link,
1228 - elf_strptr (ebl->elf, shstrndx,
1229 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1230 - &glink)->sh_name));
1231 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1232 fputs_unlocked (gettext (" Type Value\n"), stdout);
1234 for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1235 @@ -1951,6 +1957,13 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
1236 error (EXIT_FAILURE, 0,
1237 gettext ("cannot get section header string table index"));
1239 + GElf_Shdr glink_mem;
1240 + GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1242 + if (glink == NULL)
1243 + error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1244 + elf_ndxscn (scn));
1246 /* Now we can compute the number of entries in the section. */
1247 unsigned int nsyms = data->d_size / (class == ELFCLASS32
1248 ? sizeof (Elf32_Sym)
1249 @@ -1961,15 +1974,12 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
1251 (unsigned int) elf_ndxscn (scn),
1252 elf_strptr (ebl->elf, shstrndx, shdr->sh_name), nsyms);
1254 printf (ngettext (" %lu local symbol String table: [%2u] '%s'\n",
1255 " %lu local symbols String table: [%2u] '%s'\n",
1257 (unsigned long int) shdr->sh_info,
1258 (unsigned int) shdr->sh_link,
1259 - elf_strptr (ebl->elf, shstrndx,
1260 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1261 - &glink)->sh_name));
1262 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1264 fputs_unlocked (class == ELFCLASS32
1266 @@ -2205,7 +2215,13 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn,
1267 error (EXIT_FAILURE, 0,
1268 gettext ("cannot get section header string table index"));
1271 + GElf_Shdr glink_mem;
1272 + GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1274 + if (glink == NULL)
1275 + error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1276 + elf_ndxscn (scn));
1278 printf (ngettext ("\
1279 \nVersion needs section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1281 @@ -2216,9 +2232,7 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn,
1282 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1284 (unsigned int) shdr->sh_link,
1285 - elf_strptr (ebl->elf, shstrndx,
1286 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1287 - &glink)->sh_name));
1288 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1290 unsigned int offset = 0;
1291 for (int cnt = shdr->sh_info; --cnt >= 0; )
1292 @@ -2271,8 +2285,14 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
1293 error (EXIT_FAILURE, 0,
1294 gettext ("cannot get section header string table index"));
1296 + GElf_Shdr glink_mem;
1297 + GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1299 + if (glink == NULL)
1300 + error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1301 + elf_ndxscn (scn));
1303 int class = gelf_getclass (ebl->elf);
1305 printf (ngettext ("\
1306 \nVersion definition section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1308 @@ -2284,9 +2304,7 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
1309 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1311 (unsigned int) shdr->sh_link,
1312 - elf_strptr (ebl->elf, shstrndx,
1313 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1314 - &glink)->sh_name));
1315 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1317 unsigned int offset = 0;
1318 for (int cnt = shdr->sh_info; --cnt >= 0; )
1319 @@ -2548,8 +2566,14 @@ handle_versym (Ebl *ebl, Elf_Scn *scn, G
1323 + GElf_Shdr glink_mem;
1324 + GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1326 + if (glink == NULL)
1327 + error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1328 + elf_ndxscn (scn));
1330 /* Print the header. */
1332 printf (ngettext ("\
1333 \nVersion symbols section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'",
1335 @@ -2561,9 +2585,7 @@ handle_versym (Ebl *ebl, Elf_Scn *scn, G
1336 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1338 (unsigned int) shdr->sh_link,
1339 - elf_strptr (ebl->elf, shstrndx,
1340 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1341 - &glink)->sh_name));
1342 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1344 /* Now we can finally look at the actual contents of this section. */
1345 for (unsigned int cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1346 @@ -2615,7 +2637,17 @@ print_hash_info (Ebl *ebl, Elf_Scn *scn,
1347 for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt)
1348 ++counts[lengths[cnt]];
1351 + GElf_Shdr glink_mem;
1352 + GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf,
1355 + if (glink == NULL)
1357 + error (0, 0, gettext ("invalid sh_link value in section %Zu"),
1358 + elf_ndxscn (scn));
1362 printf (ngettext ("\
1363 \nHistogram for bucket list length in section [%2u] '%s' (total of %d bucket):\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1365 @@ -2628,9 +2660,7 @@ print_hash_info (Ebl *ebl, Elf_Scn *scn,
1368 (unsigned int) shdr->sh_link,
1369 - elf_strptr (ebl->elf, shstrndx,
1370 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1371 - &glink)->sh_name));
1372 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1374 if (extrastr != NULL)
1375 fputs (extrastr, stdout);
1376 @@ -4486,6 +4516,16 @@ print_debug_aranges_section (Dwfl_Module
1380 + GElf_Shdr glink_mem;
1382 + glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
1383 + if (glink == NULL)
1385 + error (0, 0, gettext ("invalid sh_link value in section %Zu"),
1386 + elf_ndxscn (scn));
1390 printf (ngettext ("\
1391 \nDWARF section [%2zu] '%s' at offset %#" PRIx64 " contains %zu entry:\n",
1393 --- elfutils/src/strip.c
1394 +++ elfutils/src/strip.c
1395 @@ -555,6 +555,11 @@ handle_elf (int fd, Elf *elf, const char
1399 + if (shstrndx >= shnum)
1402 +#define elf_assert(test) do { if (!(test)) goto illformed; } while (0)
1404 /* Storage for section information. We leave room for two more
1405 entries since we unconditionally create a section header string
1406 table. Maybe some weird tool created an ELF file without one.
1407 @@ -576,7 +581,7 @@ handle_elf (int fd, Elf *elf, const char
1409 /* This should always be true (i.e., there should not be any
1410 holes in the numbering). */
1411 - assert (elf_ndxscn (scn) == cnt);
1412 + elf_assert (elf_ndxscn (scn) == cnt);
1414 shdr_info[cnt].scn = scn;
1416 @@ -589,6 +594,7 @@ handle_elf (int fd, Elf *elf, const char
1417 shdr_info[cnt].shdr.sh_name);
1418 if (shdr_info[cnt].name == NULL)
1421 error (0, 0, gettext ("illformed file '%s'"), fname);
1424 @@ -598,6 +604,8 @@ handle_elf (int fd, Elf *elf, const char
1426 /* Remember the shdr.sh_link value. */
1427 shdr_info[cnt].old_sh_link = shdr_info[cnt].shdr.sh_link;
1428 + if (shdr_info[cnt].old_sh_link >= shnum)
1431 /* Sections in files other than relocatable object files which
1432 are not loaded can be freely moved by us. In relocatable
1433 @@ -610,7 +618,7 @@ handle_elf (int fd, Elf *elf, const char
1434 appropriate reference. */
1435 if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB_SHNDX))
1437 - assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
1438 + elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
1439 shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx = cnt;
1441 else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GROUP))
1442 @@ -627,7 +635,12 @@ handle_elf (int fd, Elf *elf, const char
1444 inner < shdr_info[cnt].data->d_size / sizeof (Elf32_Word);
1447 + if (grpref[inner] < shnum)
1448 shdr_info[grpref[inner]].group_idx = cnt;
1453 if (inner == 1 || (inner == 2 && (grpref[0] & GRP_COMDAT) == 0))
1454 /* If the section group contains only one element and this
1455 @@ -638,7 +651,7 @@ handle_elf (int fd, Elf *elf, const char
1457 else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GNU_versym))
1459 - assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
1460 + elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
1461 shdr_info[shdr_info[cnt].shdr.sh_link].version_idx = cnt;
1464 @@ -646,7 +659,7 @@ handle_elf (int fd, Elf *elf, const char
1465 discarded right away. */
1466 if ((shdr_info[cnt].shdr.sh_flags & SHF_GROUP) != 0)
1468 - assert (shdr_info[cnt].group_idx != 0);
1469 + elf_assert (shdr_info[cnt].group_idx != 0);
1471 if (shdr_info[shdr_info[cnt].group_idx].idx == 0)
1473 @@ -722,11 +735,15 @@ handle_elf (int fd, Elf *elf, const char
1475 /* If a relocation section is marked as being removed make
1476 sure the section it is relocating is removed, too. */
1477 - if ((shdr_info[cnt].shdr.sh_type == SHT_REL
1478 + if (shdr_info[cnt].shdr.sh_type == SHT_REL
1479 || shdr_info[cnt].shdr.sh_type == SHT_RELA)
1480 - && shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
1482 + if (shdr_info[cnt].shdr.sh_info >= shnum)
1484 + else if (shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
1485 shdr_info[cnt].idx = 1;
1489 if (shdr_info[cnt].idx == 1)
1491 @@ -753,7 +770,7 @@ handle_elf (int fd, Elf *elf, const char
1492 if (shdr_info[cnt].symtab_idx != 0
1493 && shdr_info[shdr_info[cnt].symtab_idx].data == NULL)
1495 - assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
1496 + elf_assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
1498 shdr_info[shdr_info[cnt].symtab_idx].data
1499 = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
1500 @@ -793,6 +810,9 @@ handle_elf (int fd, Elf *elf, const char
1501 else if (scnidx == SHN_XINDEX)
1504 + if (scnidx >= shnum)
1507 if (shdr_info[scnidx].idx == 0)
1508 /* This symbol table has a real symbol in
1509 a discarded section. So preserve the
1510 @@ -823,12 +843,16 @@ handle_elf (int fd, Elf *elf, const char
1513 /* Handle references through sh_info. */
1514 - if (SH_INFO_LINK_P (&shdr_info[cnt].shdr)
1515 - && shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
1516 + if (SH_INFO_LINK_P (&shdr_info[cnt].shdr))
1518 + if (shdr_info[cnt].shdr.sh_info >= shnum)
1520 + else if ( shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
1522 shdr_info[shdr_info[cnt].shdr.sh_info].idx = 1;
1523 changes |= shdr_info[cnt].shdr.sh_info < cnt;
1527 /* Mark the section as investigated. */
1528 shdr_info[cnt].idx = 2;
1529 @@ -967,7 +991,7 @@ handle_elf (int fd, Elf *elf, const char
1530 error (EXIT_FAILURE, 0, gettext ("while generating output file: %s"),
1533 - assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1534 + elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1536 /* Add this name to the section header string table. */
1537 shdr_info[cnt].se = ebl_strtabadd (shst, shdr_info[cnt].name, 0);
1538 @@ -1004,7 +1028,7 @@ handle_elf (int fd, Elf *elf, const char
1539 error (EXIT_FAILURE, 0,
1540 gettext ("while create section header section: %s"),
1542 - assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1543 + elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1545 shdr_info[cnt].data = elf_newdata (shdr_info[cnt].newscn);
1546 if (shdr_info[cnt].data == NULL)
1547 @@ -1060,7 +1084,7 @@ handle_elf (int fd, Elf *elf, const char
1548 error (EXIT_FAILURE, 0,
1549 gettext ("while create section header section: %s"),
1551 - assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
1552 + elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
1554 /* Finalize the string table and fill in the correct indices in the
1556 @@ -1150,20 +1174,20 @@ handle_elf (int fd, Elf *elf, const char
1557 shndxdata = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
1560 - assert ((versiondata->d_size / sizeof (Elf32_Word))
1561 + elf_assert ((versiondata->d_size / sizeof (Elf32_Word))
1562 >= shdr_info[cnt].data->d_size / elsize);
1565 if (shdr_info[cnt].version_idx != 0)
1567 - assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
1568 + elf_assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
1569 /* This section has associated version
1570 information. We have to modify that
1571 information, too. */
1572 versiondata = elf_getdata (shdr_info[shdr_info[cnt].version_idx].scn,
1575 - assert ((versiondata->d_size / sizeof (GElf_Versym))
1576 + elf_assert ((versiondata->d_size / sizeof (GElf_Versym))
1577 >= shdr_info[cnt].data->d_size / elsize);
1580 @@ -1218,7 +1242,7 @@ handle_elf (int fd, Elf *elf, const char
1581 sec = shdr_info[sym->st_shndx].idx;
1584 - assert (shndxdata != NULL);
1585 + elf_assert (shndxdata != NULL);
1587 sec = shdr_info[xshndx].idx;
1589 @@ -1239,7 +1263,7 @@ handle_elf (int fd, Elf *elf, const char
1593 - assert (sec < SHN_LORESERVE || shndxdata != NULL);
1594 + elf_assert (sec < SHN_LORESERVE || shndxdata != NULL);
1596 if ((inner != destidx || nshndx != sym->st_shndx
1597 || (shndxdata != NULL && nxshndx != xshndx))
1598 @@ -1263,7 +1287,7 @@ handle_elf (int fd, Elf *elf, const char
1599 || shdr_info[cnt].debug_data == NULL)
1600 /* This is a section symbol for a section which has
1602 - assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION);
1603 + elf_assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION);
1606 if (destidx != inner)
1607 @@ -1450,11 +1474,11 @@ handle_elf (int fd, Elf *elf, const char
1610 GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
1611 - assert (sym != NULL);
1612 + elf_assert (sym != NULL);
1614 const char *name = elf_strptr (elf, strshndx,
1616 - assert (name != NULL);
1617 + elf_assert (name != NULL);
1618 size_t hidx = elf_hash (name) % nbucket;
1620 if (bucket[hidx] == 0)
1621 @@ -1473,7 +1497,7 @@ handle_elf (int fd, Elf *elf, const char
1624 /* Alpha and S390 64-bit use 64-bit SHT_HASH entries. */
1625 - assert (shdr_info[cnt].shdr.sh_entsize
1626 + elf_assert (shdr_info[cnt].shdr.sh_entsize
1627 == sizeof (Elf64_Xword));
1629 Elf64_Xword *bucket = (Elf64_Xword *) hashd->d_buf;
1630 @@ -1504,11 +1528,11 @@ handle_elf (int fd, Elf *elf, const char
1633 GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
1634 - assert (sym != NULL);
1635 + elf_assert (sym != NULL);
1637 const char *name = elf_strptr (elf, strshndx,
1639 - assert (name != NULL);
1640 + elf_assert (name != NULL);
1641 size_t hidx = elf_hash (name) % nbucket;
1643 if (bucket[hidx] == 0)
projects / packages / elfutils.git / blob