2 2005-06-09 Roland McGrath <roland@redhat.com>
4 * readelf.c (handle_dynamic, handle_symtab): Check for bogus sh_link.
5 (handle_verneed, handle_verdef, handle_versym, handle_hash): Likewise.
6 (handle_scngrp): Check for bogus sh_info.
8 * strip.c (handle_elf): Check for bogus values in sh_link, sh_info,
9 st_shndx, e_shstrndx, and SHT_GROUP or SHT_SYMTAB_SHNDX data.
10 Don't use assert on input values, instead bail with "illformed" error.
12 2005-05-17 Jakub Jelinek <jakub@redhat.com>
15 * elf32_getphdr.c (elfw2(LIBELFBITS,getphdr)): Check if program header
16 table fits into object's bounds.
17 * elf_getshstrndx.c (elf_getshstrndx): Add elf->start_offset to
18 elf->map_address. Check if first section header fits into object's
20 * elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)): Fix comment pasto.
21 Check if section header table fits into object's bounds.
22 * elf_begin.c (get_shnum): Ensure section headers fits into
24 (file_read_elf): Make sure scncnt is small enough to allocate both
25 ElfXX_Shdr and Elf_Scn array. Make sure section and program header
26 tables fit into object's bounds. Avoid memory leak on failure.
29 * elflint.c (check_hash): Don't check entries beyond end of section.
30 (check_note): Don't crash if gelf_rawchunk fails.
31 (section_name): Return <invalid> if gelf_getshdr returns NULL.
33 2005-05-14 Jakub Jelinek <jakub@redhat.com>
36 * libelfP.h (INVALID_NDX): Define.
37 * gelf_getdyn.c (gelf_getdyn): Use it. Remove ndx < 0 test if any.
38 * gelf_getlib.c (gelf_getlib): Likewise.
39 * gelf_getmove.c (gelf_getmove): Likewise.
40 * gelf_getrel.c (gelf_getrel): Likewise.
41 * gelf_getrela.c (gelf_getrela): Likewise.
42 * gelf_getsym.c (gelf_getsym): Likewise.
43 * gelf_getsyminfo.c (gelf_getsyminfo): Likewise.
44 * gelf_getsymshndx.c (gelf_getsymshndx): Likewise.
45 * gelf_getversym.c (gelf_getversym): Likewise.
46 * gelf_update_dyn.c (gelf_update_dyn): Likewise.
47 * gelf_update_lib.c (gelf_update_lib): Likewise.
48 * gelf_update_move.c (gelf_update_move): Likewise.
49 * gelf_update_rel.c (gelf_update_rel): Likewise.
50 * gelf_update_rela.c (gelf_update_rela): Likewise.
51 * gelf_update_sym.c (gelf_update_sym): Likewise.
52 * gelf_update_syminfo.c (gelf_update_syminfo): Likewise.
53 * gelf_update_symshndx.c (gelf_update_symshndx): Likewise.
54 * gelf_update_versym.c (gelf_update_versym): Likewise.
55 * elf_newscn.c (elf_newscn): Check for overflow.
56 * elf32_updatefile.c (__elfw2(LIBELFBITS,updatemmap)): Likewise.
57 (__elfw2(LIBELFBITS,updatefile)): Likewise.
58 * elf_begin.c (file_read_elf): Likewise.
59 * elf32_newphdr.c (elfw2(LIBELFBITS,newphdr)): Likewise.
60 * elf_getarsym.c (elf_getarsym): Likewise.
61 * elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)): Likewise.
63 * elflint.c (section_name): Return "<invalid>" instead of
64 crashing on invalid section name.
65 (check_symtab, is_rel_dyn, check_rela, check_rel, check_dynamic,
66 check_symtab_shndx, check_hash, check_versym): Robustify.
68 --- elfutils-0.122/libelf/elf32_getphdr.c
69 +++ elfutils-0.122/libelf/elf32_getphdr.c
70 @@ -115,6 +115,16 @@ elfw2(LIBELFBITS,getphdr) (elf)
72 if (elf->map_address != NULL)
74 + /* First see whether the information in the ELF header is
75 + valid and it does not ask for too much. */
76 + if (unlikely (ehdr->e_phoff >= elf->maximum_size)
77 + || unlikely (ehdr->e_phoff + size > elf->maximum_size))
79 + /* Something is wrong. */
80 + __libelf_seterrno (ELF_E_INVALID_PHDR);
84 /* All the data is already mapped. Use it. */
85 if (ehdr->e_ident[EI_DATA] == MY_ELFDATA
87 --- elfutils-0.122/libelf/elf32_getshdr.c
88 +++ elfutils-0.122/libelf/elf32_getshdr.c
89 @@ -101,11 +101,12 @@ elfw2(LIBELFBITS,getshdr) (scn)
93 - if (INTUSE (elf_getshnum) (elf, &shnum) != 0)
94 + if (INTUSE (elf_getshnum) (elf, &shnum) != 0
95 + || shnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Shdr)))
97 size_t size = shnum * sizeof (ElfW2(LIBELFBITS,Shdr));
99 - /* Allocate memory for the program headers. We know the number
100 + /* Allocate memory for the section headers. We know the number
101 of entries from the ELF header. */
102 ElfW2(LIBELFBITS,Shdr) *shdr = elf->state.ELFW(elf,LIBELFBITS).shdr =
103 (ElfW2(LIBELFBITS,Shdr) *) malloc (size);
104 @@ -128,6 +129,16 @@ elfw2(LIBELFBITS,getshdr) (scn)
106 & (__alignof__ (ElfW2(LIBELFBITS,Shdr)) - 1)) != 0));
108 + /* First see whether the information in the ELF header is
109 + valid and it does not ask for too much. */
110 + if (unlikely (ehdr->e_shoff >= elf->maximum_size)
111 + || unlikely (ehdr->e_shoff + size > elf->maximum_size))
113 + /* Something is wrong. */
114 + __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
118 /* Now copy the data and at the same time convert the byte
121 --- elfutils-0.122/libelf/elf32_newphdr.c
122 +++ elfutils-0.122/libelf/elf32_newphdr.c
123 @@ -124,6 +124,12 @@ elfw2(LIBELFBITS,newphdr) (elf, count)
124 else if (elf->state.ELFW(elf,LIBELFBITS).ehdr->e_phnum != count
125 || elf->state.ELFW(elf,LIBELFBITS).phdr == NULL)
127 + if (unlikely (count > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))))
133 /* Allocate a new program header with the appropriate number of
135 result = (ElfW2(LIBELFBITS,Phdr) *)
136 --- elfutils-0.122/libelf/elf32_updatefile.c
137 +++ elfutils-0.122/libelf/elf32_updatefile.c
138 @@ -201,6 +201,9 @@ __elfw2(LIBELFBITS,updatemmap) (Elf *elf
139 /* Write all the sections. Well, only those which are modified. */
142 + if (unlikely (shnum > SIZE_MAX / sizeof (Elf_Scn *)))
145 Elf_ScnList *list = &elf->state.ELFW(elf,LIBELFBITS).scns;
146 Elf_Scn **scns = (Elf_Scn **) alloca (shnum * sizeof (Elf_Scn *));
147 char *const shdr_start = ((char *) elf->map_address + elf->start_offset
148 @@ -571,6 +574,10 @@ __elfw2(LIBELFBITS,updatefile) (Elf *elf
149 /* Write all the sections. Well, only those which are modified. */
152 + if (unlikely (shnum > SIZE_MAX / (sizeof (Elf_Scn *)
153 + + sizeof (ElfW2(LIBELFBITS,Shdr)))))
156 off_t shdr_offset = elf->start_offset + ehdr->e_shoff;
158 xfct_t shdr_fctp = __elf_xfctstom[__libelf_version - 1][EV_CURRENT - 1][ELFW(ELFCLASS, LIBELFBITS) - 1][ELF_T_SHDR];
159 --- elfutils-0.122/libelf/elf_begin.c
160 +++ elfutils-0.122/libelf/elf_begin.c
161 @@ -155,7 +155,8 @@ get_shnum (void *map_address, unsigned c
163 if (unlikely (result == 0) && ehdr.e32->e_shoff != 0)
165 - if (offset + ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize)
166 + if (unlikely (ehdr.e32->e_shoff >= maxsize)
167 + || unlikely (ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize))
168 /* Cannot read the first section header. */
171 @@ -198,7 +199,8 @@ get_shnum (void *map_address, unsigned c
173 if (unlikely (result == 0) && ehdr.e64->e_shoff != 0)
175 - if (offset + ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize)
176 + if (unlikely (ehdr.e64->e_shoff >= maxsize)
177 + || unlikely (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize))
178 /* Cannot read the first section header. */
181 @@ -265,6 +267,15 @@ file_read_elf (int fildes, void *map_add
182 /* Could not determine the number of sections. */
185 + /* Check for too many sections. */
186 + if (e_ident[EI_CLASS] == ELFCLASS32)
188 + if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf32_Shdr)))
191 + else if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr)))
194 /* We can now allocate the memory. */
195 Elf *elf = allocate_elf (fildes, map_address, offset, maxsize, cmd, parent,
196 ELF_K_ELF, scncnt * sizeof (Elf_Scn));
197 @@ -298,13 +309,31 @@ file_read_elf (int fildes, void *map_add
199 /* We can use the mmapped memory. */
200 elf->state.elf32.ehdr = ehdr;
202 + if (unlikely (ehdr->e_shoff >= maxsize)
203 + || unlikely (ehdr->e_shoff
204 + + scncnt * sizeof (Elf32_Shdr) > maxsize))
208 + __libelf_seterrno (ELF_E_INVALID_FILE);
211 elf->state.elf32.shdr
212 = (Elf32_Shdr *) ((char *) ehdr + ehdr->e_shoff);
214 if (ehdr->e_phnum > 0)
216 /* Assign a value only if there really is a program
217 header. Otherwise the value remains NULL. */
218 + if (unlikely (ehdr->e_phoff >= maxsize)
219 + || unlikely (ehdr->e_phoff
221 + * sizeof (Elf32_Phdr) > maxsize))
223 elf->state.elf32.phdr
224 = (Elf32_Phdr *) ((char *) ehdr + ehdr->e_phoff);
227 for (size_t cnt = 0; cnt < scncnt; ++cnt)
229 @@ -373,13 +402,26 @@ file_read_elf (int fildes, void *map_add
231 /* We can use the mmapped memory. */
232 elf->state.elf64.ehdr = ehdr;
234 + if (unlikely (ehdr->e_shoff >= maxsize)
235 + || unlikely (ehdr->e_shoff
236 + + scncnt * sizeof (Elf32_Shdr) > maxsize))
238 elf->state.elf64.shdr
239 = (Elf64_Shdr *) ((char *) ehdr + ehdr->e_shoff);
241 if (ehdr->e_phnum > 0)
243 /* Assign a value only if there really is a program
244 header. Otherwise the value remains NULL. */
245 + if (unlikely (ehdr->e_phoff >= maxsize)
246 + || unlikely (ehdr->e_phoff
248 + * sizeof (Elf32_Phdr) > maxsize))
250 elf->state.elf64.phdr
251 = (Elf64_Phdr *) ((char *) ehdr + ehdr->e_phoff);
254 for (size_t cnt = 0; cnt < scncnt; ++cnt)
256 --- elfutils-0.122/libelf/elf_getarsym.c
257 +++ elfutils-0.122/libelf/elf_getarsym.c
258 @@ -179,6 +179,9 @@ elf_getarsym (elf, ptr)
259 size_t index_size = atol (tmpbuf);
261 if (SARMAG + sizeof (struct ar_hdr) + index_size > elf->maximum_size
262 +#if SIZE_MAX <= 4294967295U
263 + || n >= SIZE_MAX / sizeof (Elf_Arsym)
265 || n * sizeof (uint32_t) > index_size)
267 /* This index table cannot be right since it does not fit into
268 --- elfutils-0.122/libelf/elf_getshstrndx.c
269 +++ elfutils-0.122/libelf/elf_getshstrndx.c
270 @@ -125,10 +125,25 @@ elf_getshstrndx (elf, dst)
271 if (elf->map_address != NULL
272 && elf->state.elf32.ehdr->e_ident[EI_DATA] == MY_ELFDATA
274 - || (((size_t) ((char *) elf->map_address + offset))
275 + || (((size_t) ((char *) elf->map_address
276 + + elf->start_offset + offset))
277 & (__alignof__ (Elf32_Shdr) - 1)) == 0))
279 + /* First see whether the information in the ELF header is
280 + valid and it does not ask for too much. */
281 + if (unlikely (offset + sizeof (Elf32_Shdr)
282 + > elf->maximum_size))
284 + /* Something is wrong. */
285 + __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
290 /* We can directly access the memory. */
291 - num = ((Elf32_Shdr *) (elf->map_address + offset))->sh_link;
292 + num = ((Elf32_Shdr *) (elf->map_address + elf->start_offset
293 + + offset))->sh_link;
297 /* We avoid reading in all the section headers. Just read
298 @@ -163,10 +178,25 @@ elf_getshstrndx (elf, dst)
299 if (elf->map_address != NULL
300 && elf->state.elf64.ehdr->e_ident[EI_DATA] == MY_ELFDATA
302 - || (((size_t) ((char *) elf->map_address + offset))
303 + || (((size_t) ((char *) elf->map_address
304 + + elf->start_offset + offset))
305 & (__alignof__ (Elf64_Shdr) - 1)) == 0))
307 + /* First see whether the information in the ELF header is
308 + valid and it does not ask for too much. */
309 + if (unlikely (offset + sizeof (Elf64_Shdr)
310 + > elf->maximum_size))
312 + /* Something is wrong. */
313 + __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
318 /* We can directly access the memory. */
319 - num = ((Elf64_Shdr *) (elf->map_address + offset))->sh_link;
320 + num = ((Elf64_Shdr *) (elf->map_address
321 + + elf->start_offset + offset))->sh_link;
325 /* We avoid reading in all the section headers. Just read
326 --- elfutils-0.122/libelf/elf_newscn.c
327 +++ elfutils-0.122/libelf/elf_newscn.c
328 @@ -104,10 +104,18 @@ elf_newscn (elf)
331 /* We must allocate a new element. */
333 + Elf_ScnList *newp = NULL;
335 assert (elf->state.elf.scnincr > 0);
338 +#if SIZE_MAX <= 4294967295U
339 + likely (elf->state.elf.scnincr
340 + < SIZE_MAX / 2 / sizeof (Elf_Scn) - sizeof (Elf_ScnList))
345 newp = (Elf_ScnList *) calloc (sizeof (Elf_ScnList)
346 + ((elf->state.elf.scnincr *= 2)
347 * sizeof (Elf_Scn)), 1);
348 --- elfutils-0.122/libelf/gelf_getdyn.c
349 +++ elfutils-0.122/libelf/gelf_getdyn.c
350 @@ -93,7 +93,8 @@ gelf_getdyn (data, ndx, dst)
351 table entries has to be adopted. The user better has provided
352 a buffer where we can store the information. While copying the
353 data we are converting the format. */
354 - if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
355 + if (INVALID_NDX (ndx, Elf32_Dyn)
356 + || unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
358 __libelf_seterrno (ELF_E_INVALID_INDEX);
360 @@ -114,7 +115,8 @@ gelf_getdyn (data, ndx, dst)
362 /* The data is already in the correct form. Just make sure the
364 - if (unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))
365 + if (INVALID_NDX (ndx, GElf_Dyn)
366 + || unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))
368 __libelf_seterrno (ELF_E_INVALID_INDEX);
370 --- elfutils-0.122/libelf/gelf_getlib.c
371 +++ elfutils-0.122/libelf/gelf_getlib.c
372 @@ -86,7 +86,8 @@ gelf_getlib (data, ndx, dst)
373 /* The data is already in the correct form. Just make sure the
375 GElf_Lib *result = NULL;
376 - if (unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))
377 + if (INVALID_NDX (ndx, GElf_Lib)
378 + || unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))
379 __libelf_seterrno (ELF_E_INVALID_INDEX);
382 --- elfutils-0.122/libelf/gelf_getmove.c
383 +++ elfutils-0.122/libelf/gelf_getmove.c
384 @@ -83,7 +83,8 @@ gelf_getmove (data, ndx, dst)
386 /* The data is already in the correct form. Just make sure the
388 - if (unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))
389 + if (INVALID_NDX (ndx, GElf_Move)
390 + || unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))
392 __libelf_seterrno (ELF_E_INVALID_INDEX);
394 --- elfutils-0.122/libelf/gelf_getrela.c
395 +++ elfutils-0.122/libelf/gelf_getrela.c
396 @@ -71,12 +71,6 @@ gelf_getrela (data, ndx, dst)
397 if (data_scn == NULL)
400 - if (unlikely (ndx < 0))
402 - __libelf_seterrno (ELF_E_INVALID_INDEX);
406 if (unlikely (data_scn->d.d_type != ELF_T_RELA))
408 __libelf_seterrno (ELF_E_INVALID_HANDLE);
409 @@ -93,7 +87,8 @@ gelf_getrela (data, ndx, dst)
410 if (scn->elf->class == ELFCLASS32)
412 /* We have to convert the data. */
413 - if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
414 + if (INVALID_NDX (ndx, Elf32_Rela)
415 + || unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
417 __libelf_seterrno (ELF_E_INVALID_INDEX);
419 @@ -114,7 +109,8 @@ gelf_getrela (data, ndx, dst)
421 /* Simply copy the data after we made sure we are actually getting
423 - if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
424 + if (INVALID_NDX (ndx, Elf64_Rela)
425 + || unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
427 __libelf_seterrno (ELF_E_INVALID_INDEX);
429 --- elfutils-0.122/libelf/gelf_getrel.c
430 +++ elfutils-0.122/libelf/gelf_getrel.c
431 @@ -71,12 +71,6 @@ gelf_getrel (data, ndx, dst)
432 if (data_scn == NULL)
435 - if (unlikely (ndx < 0))
437 - __libelf_seterrno (ELF_E_INVALID_INDEX);
441 if (unlikely (data_scn->d.d_type != ELF_T_REL))
443 __libelf_seterrno (ELF_E_INVALID_HANDLE);
444 @@ -93,7 +87,8 @@ gelf_getrel (data, ndx, dst)
445 if (scn->elf->class == ELFCLASS32)
447 /* We have to convert the data. */
448 - if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
449 + if (INVALID_NDX (ndx, Elf32_Rel)
450 + || unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
452 __libelf_seterrno (ELF_E_INVALID_INDEX);
454 @@ -113,7 +108,8 @@ gelf_getrel (data, ndx, dst)
456 /* Simply copy the data after we made sure we are actually getting
458 - if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
459 + if (INVALID_NDX (ndx, Elf64_Rel)
460 + || unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
462 __libelf_seterrno (ELF_E_INVALID_INDEX);
464 --- elfutils-0.122/libelf/gelf_getsym.c
465 +++ elfutils-0.122/libelf/gelf_getsym.c
466 @@ -90,7 +90,8 @@ gelf_getsym (data, ndx, dst)
467 table entries has to be adopted. The user better has provided
468 a buffer where we can store the information. While copying the
469 data we are converting the format. */
470 - if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))
471 + if (INVALID_NDX (ndx, Elf32_Sym)
472 + || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))
474 __libelf_seterrno (ELF_E_INVALID_INDEX);
476 @@ -119,7 +120,8 @@ gelf_getsym (data, ndx, dst)
478 /* The data is already in the correct form. Just make sure the
480 - if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))
481 + if (INVALID_NDX (ndx, GElf_Sym)
482 + || unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))
484 __libelf_seterrno (ELF_E_INVALID_INDEX);
486 --- elfutils-0.122/libelf/gelf_getsyminfo.c
487 +++ elfutils-0.122/libelf/gelf_getsyminfo.c
488 @@ -84,7 +84,8 @@ gelf_getsyminfo (data, ndx, dst)
490 /* The data is already in the correct form. Just make sure the
492 - if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))
493 + if (INVALID_NDX (ndx, GElf_Syminfo)
494 + || unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))
496 __libelf_seterrno (ELF_E_INVALID_INDEX);
498 --- elfutils-0.122/libelf/gelf_getsymshndx.c
499 +++ elfutils-0.122/libelf/gelf_getsymshndx.c
500 @@ -90,7 +90,9 @@ gelf_getsymshndx (symdata, shndxdata, nd
501 section index table. */
502 if (likely (shndxdata_scn != NULL))
504 - if (unlikely ((ndx + 1) * sizeof (Elf32_Word) > shndxdata_scn->d.d_size))
505 + if (INVALID_NDX (ndx, Elf32_Word)
506 + || unlikely ((ndx + 1) * sizeof (Elf32_Word)
507 + > shndxdata_scn->d.d_size))
509 __libelf_seterrno (ELF_E_INVALID_INDEX);
511 @@ -110,7 +112,8 @@ gelf_getsymshndx (symdata, shndxdata, nd
512 table entries has to be adopted. The user better has provided
513 a buffer where we can store the information. While copying the
514 data we are converting the format. */
515 - if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))
516 + if (INVALID_NDX (ndx, Elf32_Sym)
517 + || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))
519 __libelf_seterrno (ELF_E_INVALID_INDEX);
521 @@ -139,7 +142,8 @@ gelf_getsymshndx (symdata, shndxdata, nd
523 /* The data is already in the correct form. Just make sure the
525 - if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))
526 + if (INVALID_NDX (ndx, GElf_Sym)
527 + || unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))
529 __libelf_seterrno (ELF_E_INVALID_INDEX);
531 --- elfutils-0.122/libelf/gelf_getversym.c
532 +++ elfutils-0.122/libelf/gelf_getversym.c
533 @@ -92,7 +92,8 @@ gelf_getversym (data, ndx, dst)
535 /* The data is already in the correct form. Just make sure the
537 - if (unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))
538 + if (INVALID_NDX (ndx, GElf_Versym)
539 + || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))
541 __libelf_seterrno (ELF_E_INVALID_INDEX);
543 --- elfutils-0.122/libelf/gelf_update_dyn.c
544 +++ elfutils-0.122/libelf/gelf_update_dyn.c
545 @@ -71,12 +71,6 @@ gelf_update_dyn (data, ndx, src)
549 - if (unlikely (ndx < 0))
551 - __libelf_seterrno (ELF_E_INVALID_INDEX);
555 if (unlikely (data_scn->d.d_type != ELF_T_DYN))
557 /* The type of the data better should match. */
558 @@ -102,7 +96,8 @@ gelf_update_dyn (data, ndx, src)
561 /* Check whether we have to resize the data buffer. */
562 - if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
563 + if (INVALID_NDX (ndx, Elf32_Dyn)
564 + || unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
566 __libelf_seterrno (ELF_E_INVALID_INDEX);
568 @@ -116,7 +111,8 @@ gelf_update_dyn (data, ndx, src)
571 /* Check whether we have to resize the data buffer. */
572 - if (unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))
573 + if (INVALID_NDX (ndx, Elf64_Dyn)
574 + || unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))
576 __libelf_seterrno (ELF_E_INVALID_INDEX);
578 --- elfutils-0.122/libelf/gelf_update_lib.c
579 +++ elfutils-0.122/libelf/gelf_update_lib.c
580 @@ -68,12 +68,6 @@ gelf_update_lib (data, ndx, src)
584 - if (unlikely (ndx < 0))
586 - __libelf_seterrno (ELF_E_INVALID_INDEX);
590 Elf_Data_Scn *data_scn = (Elf_Data_Scn *) data;
591 if (unlikely (data_scn->d.d_type != ELF_T_LIB))
593 @@ -87,7 +81,8 @@ gelf_update_lib (data, ndx, src)
595 /* Check whether we have to resize the data buffer. */
597 - if (unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))
598 + if (INVALID_NDX (ndx, Elf64_Lib)
599 + || unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))
600 __libelf_seterrno (ELF_E_INVALID_INDEX);
603 --- elfutils-0.122/libelf/gelf_update_move.c
604 +++ elfutils-0.122/libelf/gelf_update_move.c
605 @@ -75,7 +75,7 @@ gelf_update_move (data, ndx, src)
606 assert (sizeof (GElf_Move) == sizeof (Elf64_Move));
608 /* Check whether we have to resize the data buffer. */
609 - if (unlikely (ndx < 0)
610 + if (INVALID_NDX (ndx, GElf_Move)
611 || unlikely ((ndx + 1) * sizeof (GElf_Move) > data_scn->d.d_size))
613 __libelf_seterrno (ELF_E_INVALID_INDEX);
614 --- elfutils-0.122/libelf/gelf_update_rela.c
615 +++ elfutils-0.122/libelf/gelf_update_rela.c
616 @@ -68,12 +68,6 @@ gelf_update_rela (Elf_Data *dst, int ndx
620 - if (unlikely (ndx < 0))
622 - __libelf_seterrno (ELF_E_INVALID_INDEX);
626 if (unlikely (data_scn->d.d_type != ELF_T_RELA))
628 /* The type of the data better should match. */
629 @@ -101,7 +95,8 @@ gelf_update_rela (Elf_Data *dst, int ndx
632 /* Check whether we have to resize the data buffer. */
633 - if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
634 + if (INVALID_NDX (ndx, Elf32_Rela)
635 + || unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
637 __libelf_seterrno (ELF_E_INVALID_INDEX);
639 @@ -117,7 +112,8 @@ gelf_update_rela (Elf_Data *dst, int ndx
642 /* Check whether we have to resize the data buffer. */
643 - if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
644 + if (INVALID_NDX (ndx, Elf64_Rela)
645 + || unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
647 __libelf_seterrno (ELF_E_INVALID_INDEX);
649 --- elfutils-0.122/libelf/gelf_update_rel.c
650 +++ elfutils-0.122/libelf/gelf_update_rel.c
651 @@ -68,12 +68,6 @@ gelf_update_rel (Elf_Data *dst, int ndx,
655 - if (unlikely (ndx < 0))
657 - __libelf_seterrno (ELF_E_INVALID_INDEX);
661 if (unlikely (data_scn->d.d_type != ELF_T_REL))
663 /* The type of the data better should match. */
664 @@ -99,7 +93,8 @@ gelf_update_rel (Elf_Data *dst, int ndx,
667 /* Check whether we have to resize the data buffer. */
668 - if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
669 + if (INVALID_NDX (ndx, Elf32_Rel)
670 + || unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
672 __libelf_seterrno (ELF_E_INVALID_INDEX);
674 @@ -114,7 +109,8 @@ gelf_update_rel (Elf_Data *dst, int ndx,
677 /* Check whether we have to resize the data buffer. */
678 - if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
679 + if (INVALID_NDX (ndx, Elf64_Rel)
680 + || unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
682 __libelf_seterrno (ELF_E_INVALID_INDEX);
684 --- elfutils-0.122/libelf/gelf_update_sym.c
685 +++ elfutils-0.122/libelf/gelf_update_sym.c
686 @@ -72,12 +72,6 @@ gelf_update_sym (data, ndx, src)
690 - if (unlikely (ndx < 0))
692 - __libelf_seterrno (ELF_E_INVALID_INDEX);
696 if (unlikely (data_scn->d.d_type != ELF_T_SYM))
698 /* The type of the data better should match. */
699 @@ -102,7 +96,8 @@ gelf_update_sym (data, ndx, src)
702 /* Check whether we have to resize the data buffer. */
703 - if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))
704 + if (INVALID_NDX (ndx, Elf32_Sym)
705 + || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))
707 __libelf_seterrno (ELF_E_INVALID_INDEX);
709 @@ -125,7 +120,8 @@ gelf_update_sym (data, ndx, src)
712 /* Check whether we have to resize the data buffer. */
713 - if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))
714 + if (INVALID_NDX (ndx, Elf64_Sym)
715 + || unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))
717 __libelf_seterrno (ELF_E_INVALID_INDEX);
719 --- elfutils-0.122/libelf/gelf_update_syminfo.c
720 +++ elfutils-0.122/libelf/gelf_update_syminfo.c
721 @@ -72,12 +72,6 @@ gelf_update_syminfo (data, ndx, src)
725 - if (unlikely (ndx < 0))
727 - __libelf_seterrno (ELF_E_INVALID_INDEX);
731 if (unlikely (data_scn->d.d_type != ELF_T_SYMINFO))
733 /* The type of the data better should match. */
734 @@ -93,7 +87,8 @@ gelf_update_syminfo (data, ndx, src)
735 rwlock_wrlock (scn->elf->lock);
737 /* Check whether we have to resize the data buffer. */
738 - if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))
739 + if (INVALID_NDX (ndx, GElf_Syminfo)
740 + || unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))
742 __libelf_seterrno (ELF_E_INVALID_INDEX);
744 --- elfutils-0.122/libelf/gelf_update_symshndx.c
745 +++ elfutils-0.122/libelf/gelf_update_symshndx.c
746 @@ -77,12 +77,6 @@ gelf_update_symshndx (symdata, shndxdata
750 - if (unlikely (ndx < 0))
752 - __libelf_seterrno (ELF_E_INVALID_INDEX);
756 if (unlikely (symdata_scn->d.d_type != ELF_T_SYM))
758 /* The type of the data better should match. */
759 @@ -128,7 +122,8 @@ gelf_update_symshndx (symdata, shndxdata
762 /* Check whether we have to resize the data buffer. */
763 - if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))
764 + if (INVALID_NDX (ndx, Elf32_Sym)
765 + || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))
767 __libelf_seterrno (ELF_E_INVALID_INDEX);
769 @@ -151,7 +146,8 @@ gelf_update_symshndx (symdata, shndxdata
772 /* Check whether we have to resize the data buffer. */
773 - if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))
774 + if (INVALID_NDX (ndx, Elf64_Sym)
775 + || unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))
777 __libelf_seterrno (ELF_E_INVALID_INDEX);
779 --- elfutils-0.122/libelf/gelf_update_versym.c
780 +++ elfutils-0.122/libelf/gelf_update_versym.c
781 @@ -75,7 +75,7 @@ gelf_update_versym (data, ndx, src)
782 assert (sizeof (GElf_Versym) == sizeof (Elf64_Versym));
784 /* Check whether we have to resize the data buffer. */
785 - if (unlikely (ndx < 0)
786 + if (INVALID_NDX (ndx, GElf_Versym)
787 || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data_scn->d.d_size))
789 __libelf_seterrno (ELF_E_INVALID_INDEX);
790 --- elfutils-0.122/libelf/libelfP.h
791 +++ elfutils-0.122/libelf/libelfP.h
792 @@ -558,4 +558,13 @@ extern uint32_t __libelf_crc32 (uint32_t
796 +/* Convenience macro. Assumes int NDX and TYPE with size at least
798 +#if SIZE_MAX > 4294967295U
799 +# define INVALID_NDX(ndx, type) unlikely (ndx < 0)
801 +# define INVALID_NDX(ndx, type) \
802 + unlikely ((unsigned int) (ndx) >= SIZE_MAX / sizeof (type))
805 #endif /* libelfP.h */
806 --- elfutils-0.122/src/elflint.c
807 +++ elfutils-0.122/src/elflint.c
808 @@ -123,6 +123,9 @@ static uint32_t shstrndx;
809 /* Array to count references in section groups. */
812 +/* Number of sections. */
813 +static unsigned int shnum;
817 main (int argc, char *argv[])
818 @@ -312,10 +315,19 @@ section_name (Ebl *ebl, int idx)
824 + if ((unsigned int) idx > shnum)
825 + return "<invalid>";
827 shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);
829 + return "<invalid>";
831 - return elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
832 + ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
834 + return "<invalid>";
839 @@ -337,10 +349,6 @@ static const int valid_e_machine[] =
840 (sizeof (valid_e_machine) / sizeof (valid_e_machine[0]))
843 -/* Number of sections. */
844 -static unsigned int shnum;
848 check_elf_header (Ebl *ebl, GElf_Ehdr *ehdr, size_t size)
850 @@ -603,7 +611,8 @@ section [%2d] '%s': symbol table cannot
854 - if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT))
855 + size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT);
856 + if (shdr->sh_entsize != sh_entsize)
858 section [%2zu] '%s': entry size is does not match ElfXX_Sym\n"),
859 cnt, section_name (ebl, cnt));
860 @@ -641,7 +650,7 @@ section [%2d] '%s': XINDEX for zeroth en
861 xndxscnidx, section_name (ebl, xndxscnidx));
864 - for (cnt = 1; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
865 + for (cnt = 1; cnt < shdr->sh_size / sh_entsize; ++cnt)
867 sym = gelf_getsymshndx (data, xndxdata, cnt, &sym_mem, &xndx);
869 @@ -659,7 +668,8 @@ section [%2d] '%s': symbol %zu: invalid
872 name = elf_strptr (ebl->elf, shdr->sh_link, sym->st_name);
873 - assert (name != NULL);
874 + assert (name != NULL
875 + || strshdr->sh_type != SHT_STRTAB);
878 if (sym->st_shndx == SHN_XINDEX)
879 @@ -968,9 +978,11 @@ is_rel_dyn (Ebl *ebl, const GElf_Ehdr *e
881 GElf_Shdr rcshdr_mem;
882 const GElf_Shdr *rcshdr = gelf_getshdr (scn, &rcshdr_mem);
883 - assert (rcshdr != NULL);
885 - if (rcshdr->sh_type == SHT_DYNAMIC)
886 + if (rcshdr == NULL)
889 + if (rcshdr->sh_type == SHT_DYNAMIC && rcshdr->sh_entsize)
891 /* Found the dynamic section. Look through it. */
892 Elf_Data *d = elf_getdata (scn, NULL);
893 @@ -980,7 +992,9 @@ is_rel_dyn (Ebl *ebl, const GElf_Ehdr *e
896 GElf_Dyn *dyn = gelf_getdyn (d, cnt, &dyn_mem);
897 - assert (dyn != NULL);
902 if (dyn->d_tag == DT_RELCOUNT)
904 @@ -994,7 +1008,9 @@ section [%2d] '%s': DT_RELCOUNT used for
905 /* Does the number specified number of relative
906 relocations exceed the total number of
908 - if (dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
909 + if (shdr->sh_entsize != 0
910 + && dyn->d_un.d_val > (shdr->sh_size
911 + / shdr->sh_entsize))
913 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
914 idx, section_name (ebl, idx),
915 @@ -1154,7 +1170,8 @@ section [%2d] '%s': no relocations for m
919 - if (shdr->sh_entsize != gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT))
920 + size_t sh_entsize = gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT);
921 + if (shdr->sh_entsize != sh_entsize)
922 ERROR (gettext (reltype == ELF_T_RELA ? "\
923 section [%2d] '%s': section entry size does not match ElfXX_Rela\n" : "\
924 section [%2d] '%s': section entry size does not match ElfXX_Rel\n"),
925 @@ -1376,7 +1393,8 @@ check_rela (Ebl *ebl, GElf_Ehdr *ehdr, G
926 Elf_Data *symdata = elf_getdata (symscn, NULL);
927 enum load_state state = state_undecided;
929 - for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
930 + size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
931 + for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
934 GElf_Rela *rela = gelf_getrela (data, cnt, &rela_mem);
935 @@ -1426,7 +1444,8 @@ check_rel (Ebl *ebl, GElf_Ehdr *ehdr, GE
936 Elf_Data *symdata = elf_getdata (symscn, NULL);
937 enum load_state state = state_undecided;
939 - for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
940 + size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
941 + for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
944 GElf_Rel *rel = gelf_getrel (data, cnt, &rel_mem);
945 @@ -1528,7 +1547,8 @@ section [%2d] '%s': referenced as string
946 shdr->sh_link, section_name (ebl, shdr->sh_link),
947 idx, section_name (ebl, idx));
949 - if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT))
950 + size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
951 + if (shdr->sh_entsize != sh_entsize)
953 section [%2d] '%s': section entry size does not match ElfXX_Dyn\n"),
954 idx, section_name (ebl, idx));
955 @@ -1538,7 +1558,7 @@ section [%2d] '%s': section entry size d
956 idx, section_name (ebl, idx));
958 bool non_null_warned = false;
959 - for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
960 + for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
963 GElf_Dyn *dyn = gelf_getdyn (data, cnt, &dyn_mem);
964 @@ -1756,6 +1776,8 @@ section [%2d] '%s': entry size does not
965 idx, section_name (ebl, idx));
968 + && shdr->sh_entsize
969 + && symshdr->sh_entsize
970 && (shdr->sh_size / shdr->sh_entsize
971 < symshdr->sh_size / symshdr->sh_entsize))
973 @@ -1782,6 +1804,12 @@ section [%2d] '%s': extended section ind
976 Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
979 + ERROR (gettext ("section [%2d] '%s': cannot get section data\n"),
980 + idx, section_name (ebl, idx));
984 if (*((Elf32_Word *) data->d_buf) != 0)
985 ERROR (gettext ("symbol 0 should have zero extended section index\n"));
986 @@ -1824,7 +1852,7 @@ section [%2d] '%s': hash table section i
988 size_t maxidx = nchain;
990 - if (symshdr != NULL)
991 + if (symshdr != NULL && symshdr->sh_entsize != 0)
993 size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
995 @@ -1835,18 +1863,28 @@ section [%2d] '%s': hash table section i
999 + Elf32_Word *buf = (Elf32_Word *) data->d_buf;
1000 + Elf32_Word *end = (Elf32_Word *) ((char *) data->d_buf + shdr->sh_size);
1002 for (cnt = 2; cnt < 2 + nbucket; ++cnt)
1003 - if (((Elf32_Word *) data->d_buf)[cnt] >= maxidx)
1004 - ERROR (gettext ("\
1006 + if (buf + cnt >= end)
1008 + else if (buf[cnt] >= maxidx)
1009 + ERROR (gettext ("\
1010 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
1011 - idx, section_name (ebl, idx), cnt - 2);
1012 + idx, section_name (ebl, idx), cnt - 2);
1015 for (; cnt < 2 + nbucket + nchain; ++cnt)
1016 - if (((Elf32_Word *) data->d_buf)[cnt] >= maxidx)
1017 - ERROR (gettext ("\
1019 + if (buf + cnt >= end)
1021 + else if (buf[cnt] >= maxidx)
1022 + ERROR (gettext ("\
1023 section [%2d] '%s': hash chain reference %zu out of bounds\n"),
1024 - idx, section_name (ebl, idx), cnt - 2 - nbucket);
1025 + idx, section_name (ebl, idx), cnt - 2 - nbucket);
1030 @@ -1876,18 +1914,28 @@ section [%2d] '%s': hash table section i
1034 + Elf64_Xword *buf = (Elf64_Xword *) data->d_buf;
1035 + Elf64_Xword *end = (Elf64_Xword *) ((char *) data->d_buf + shdr->sh_size);
1037 for (cnt = 2; cnt < 2 + nbucket; ++cnt)
1038 - if (((Elf64_Xword *) data->d_buf)[cnt] >= maxidx)
1039 - ERROR (gettext ("\
1041 + if (buf + cnt >= end)
1043 + else if (buf[cnt] >= maxidx)
1044 + ERROR (gettext ("\
1045 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
1046 - idx, section_name (ebl, idx), cnt - 2);
1047 + idx, section_name (ebl, idx), cnt - 2);
1050 for (; cnt < 2 + nbucket + nchain; ++cnt)
1051 - if (((Elf64_Xword *) data->d_buf)[cnt] >= maxidx)
1052 - ERROR (gettext ("\
1054 + if (buf + cnt >= end)
1056 + else if (buf[cnt] >= maxidx)
1057 + ERROR (gettext ("\
1058 section [%2d] '%s': hash chain reference %" PRIu64 " out of bounds\n"),
1059 - idx, section_name (ebl, idx), (uint64_t) (cnt - 2 - nbucket));
1060 + idx, section_name (ebl, idx), (uint64_t) cnt - 2 - nbucket);
1065 @@ -1912,7 +1960,7 @@ section [%2d] '%s': bitmask size not pow
1066 if (shdr->sh_size < (4 + bitmask_words + nbuckets) * sizeof (Elf32_Word))
1069 -section [%2d] '%s': hash table section is too small (is %ld, expected at least%ld)\n"),
1070 +section [%2d] '%s': hash table section is too small (is %ld, expected at least %ld)\n"),
1071 idx, section_name (ebl, idx), (long int) shdr->sh_size,
1072 (long int) ((4 + bitmask_words + nbuckets) * sizeof (Elf32_Word)));
1074 @@ -2430,8 +2478,9 @@ section [%2d] '%s' refers in sh_link to
1076 /* The number of elements in the version symbol table must be the
1077 same as the number of symbols. */
1078 - if (shdr->sh_size / shdr->sh_entsize
1079 - != symshdr->sh_size / symshdr->sh_entsize)
1080 + if (shdr->sh_entsize && symshdr->sh_entsize
1081 + && (shdr->sh_size / shdr->sh_entsize
1082 + != symshdr->sh_size / symshdr->sh_entsize))
1084 section [%2d] '%s' has different number of entries than symbol table [%2d] '%s'\n"),
1085 idx, section_name (ebl, idx),
1086 @@ -3336,6 +3385,8 @@ phdr[%d]: no note entries defined for th
1089 char *notemem = gelf_rawchunk (ebl->elf, phdr->p_offset, phdr->p_filesz);
1090 + if (notemem == NULL)
1093 /* ELF64 files often use note section entries in the 32-bit format.
1094 The p_align field is set to 8 in case the 64-bit format is used.
1095 --- elfutils-0.122/src/readelf.c
1096 +++ elfutils-0.122/src/readelf.c
1097 @@ -958,6 +958,8 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
1098 Elf32_Word *grpref = (Elf32_Word *) data->d_buf;
1101 + GElf_Sym *sym = gelf_getsym (symdata, shdr->sh_info, &sym_mem);
1103 printf ((grpref[0] & GRP_COMDAT)
1105 \nCOMDAT section group [%2zu] '%s' with signature '%s' contains %zu entry:\n",
1106 @@ -970,8 +972,8 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
1107 data->d_size / sizeof (Elf32_Word) - 1),
1109 elf_strptr (ebl->elf, shstrndx, shdr->sh_name),
1110 - elf_strptr (ebl->elf, symshdr->sh_link,
1111 - gelf_getsym (symdata, shdr->sh_info, &sym_mem)->st_name)
1112 + (sym == NULL ? NULL
1113 + : elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name))
1114 ?: gettext ("<INVALID SYMBOL>"),
1115 data->d_size / sizeof (Elf32_Word) - 1);
1117 @@ -1122,7 +1124,8 @@ static void
1118 handle_dynamic (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
1120 int class = gelf_getclass (ebl->elf);
1122 + GElf_Shdr glink_mem;
1127 @@ -1137,6 +1140,11 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn,
1128 error (EXIT_FAILURE, 0,
1129 gettext ("cannot get section header string table index"));
1131 + glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
1132 + if (glink == NULL)
1133 + error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1134 + elf_ndxscn (scn));
1136 printf (ngettext ("\
1137 \nDynamic segment contains %lu entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1139 @@ -1146,9 +1154,7 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn,
1140 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1142 (int) shdr->sh_link,
1143 - elf_strptr (ebl->elf, shstrndx,
1144 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1145 - &glink)->sh_name));
1146 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1147 fputs_unlocked (gettext (" Type Value\n"), stdout);
1149 for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1150 @@ -1666,6 +1672,13 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
1151 error (EXIT_FAILURE, 0,
1152 gettext ("cannot get section header string table index"));
1154 + GElf_Shdr glink_mem;
1155 + GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1157 + if (glink == NULL)
1158 + error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1159 + elf_ndxscn (scn));
1161 /* Now we can compute the number of entries in the section. */
1162 unsigned int nsyms = data->d_size / (class == ELFCLASS32
1163 ? sizeof (Elf32_Sym)
1164 @@ -1676,15 +1689,12 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
1166 (unsigned int) elf_ndxscn (scn),
1167 elf_strptr (ebl->elf, shstrndx, shdr->sh_name), nsyms);
1169 printf (ngettext (" %lu local symbol String table: [%2u] '%s'\n",
1170 " %lu local symbols String table: [%2u] '%s'\n",
1172 (unsigned long int) shdr->sh_info,
1173 (unsigned int) shdr->sh_link,
1174 - elf_strptr (ebl->elf, shstrndx,
1175 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1176 - &glink)->sh_name));
1177 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1179 fputs_unlocked (class == ELFCLASS32
1181 @@ -1920,7 +1930,13 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn,
1182 error (EXIT_FAILURE, 0,
1183 gettext ("cannot get section header string table index"));
1186 + GElf_Shdr glink_mem;
1187 + GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1189 + if (glink == NULL)
1190 + error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1191 + elf_ndxscn (scn));
1193 printf (ngettext ("\
1194 \nVersion needs section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1196 @@ -1931,9 +1947,7 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn,
1197 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1199 (unsigned int) shdr->sh_link,
1200 - elf_strptr (ebl->elf, shstrndx,
1201 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1202 - &glink)->sh_name));
1203 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1205 unsigned int offset = 0;
1206 for (int cnt = shdr->sh_info; --cnt >= 0; )
1207 @@ -1986,8 +2000,14 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
1208 error (EXIT_FAILURE, 0,
1209 gettext ("cannot get section header string table index"));
1211 + GElf_Shdr glink_mem;
1212 + GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1214 + if (glink == NULL)
1215 + error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1216 + elf_ndxscn (scn));
1218 int class = gelf_getclass (ebl->elf);
1220 printf (ngettext ("\
1221 \nVersion definition section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1223 @@ -1999,9 +2019,7 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
1224 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1226 (unsigned int) shdr->sh_link,
1227 - elf_strptr (ebl->elf, shstrndx,
1228 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1229 - &glink)->sh_name));
1230 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1232 unsigned int offset = 0;
1233 for (int cnt = shdr->sh_info; --cnt >= 0; )
1234 @@ -2263,8 +2281,14 @@ handle_versym (Ebl *ebl, Elf_Scn *scn, G
1238 + GElf_Shdr glink_mem;
1239 + GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1241 + if (glink == NULL)
1242 + error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1243 + elf_ndxscn (scn));
1245 /* Print the header. */
1247 printf (ngettext ("\
1248 \nVersion symbols section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'",
1250 @@ -2276,9 +2300,7 @@ handle_versym (Ebl *ebl, Elf_Scn *scn, G
1251 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1253 (unsigned int) shdr->sh_link,
1254 - elf_strptr (ebl->elf, shstrndx,
1255 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1256 - &glink)->sh_name));
1257 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1259 /* Now we can finally look at the actual contents of this section. */
1260 for (unsigned int cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1261 @@ -2330,7 +2352,17 @@ print_hash_info (Ebl *ebl, Elf_Scn *scn,
1262 for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt)
1263 ++counts[lengths[cnt]];
1266 + GElf_Shdr glink_mem;
1267 + GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf,
1270 + if (glink == NULL)
1272 + error (0, 0, gettext ("invalid sh_link value in section %Zu"),
1273 + elf_ndxscn (scn));
1277 printf (ngettext ("\
1278 \nHistogram for bucket list length in section [%2u] '%s' (total of %d bucket):\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1280 @@ -2343,9 +2375,7 @@ print_hash_info (Ebl *ebl, Elf_Scn *scn,
1283 (unsigned int) shdr->sh_link,
1284 - elf_strptr (ebl->elf, shstrndx,
1285 - gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1286 - &glink)->sh_name));
1287 + elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1289 if (extrastr != NULL)
1290 fputs (extrastr, stdout);
1291 @@ -3654,6 +3684,16 @@ print_debug_aranges_section (Ebl *ebl __
1295 + GElf_Shdr glink_mem;
1297 + glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
1298 + if (glink == NULL)
1300 + error (0, 0, gettext ("invalid sh_link value in section %Zu"),
1301 + elf_ndxscn (scn));
1305 printf (ngettext ("\
1306 \nDWARF section '%s' at offset %#" PRIx64 " contains %zu entry:\n",
1308 --- elfutils-0.122/src/strip.c
1309 +++ elfutils-0.122/src/strip.c
1310 @@ -412,6 +412,7 @@ handle_elf (int fd, Elf *elf, const char
1311 Elf_Data debuglink_crc_data;
1312 bool any_symtab_changes = false;
1313 Elf_Data *shstrtab_data = NULL;
1314 + size_t shdridx = 0;
1316 /* Create the full name of the file. */
1318 @@ -542,6 +543,11 @@ handle_elf (int fd, Elf *elf, const char
1322 + if (shstrndx >= shnum)
1325 +#define elf_assert(test) do { if (!(test)) goto illformed; } while (0)
1327 /* Storage for section information. We leave room for two more
1328 entries since we unconditionally create a section header string
1329 table. Maybe some weird tool created an ELF file without one.
1330 @@ -563,7 +569,7 @@ handle_elf (int fd, Elf *elf, const char
1332 /* This should always be true (i.e., there should not be any
1333 holes in the numbering). */
1334 - assert (elf_ndxscn (scn) == cnt);
1335 + elf_assert (elf_ndxscn (scn) == cnt);
1337 shdr_info[cnt].scn = scn;
1339 @@ -576,6 +582,7 @@ handle_elf (int fd, Elf *elf, const char
1340 shdr_info[cnt].shdr.sh_name);
1341 if (shdr_info[cnt].name == NULL)
1344 error (0, 0, gettext ("illformed file '%s'"), fname);
1347 @@ -585,6 +592,8 @@ handle_elf (int fd, Elf *elf, const char
1349 /* Remember the shdr.sh_link value. */
1350 shdr_info[cnt].old_sh_link = shdr_info[cnt].shdr.sh_link;
1351 + if (shdr_info[cnt].old_sh_link >= shnum)
1354 /* Sections in files other than relocatable object files which
1355 are not loaded can be freely moved by us. In relocatable
1356 @@ -597,7 +606,7 @@ handle_elf (int fd, Elf *elf, const char
1357 appropriate reference. */
1358 if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB_SHNDX))
1360 - assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
1361 + elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
1362 shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx = cnt;
1364 else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GROUP))
1365 @@ -614,7 +623,12 @@ handle_elf (int fd, Elf *elf, const char
1367 inner < shdr_info[cnt].data->d_size / sizeof (Elf32_Word);
1370 + if (grpref[inner] < shnum)
1371 shdr_info[grpref[inner]].group_idx = cnt;
1376 if (inner == 1 || (inner == 2 && (grpref[0] & GRP_COMDAT) == 0))
1377 /* If the section group contains only one element and this
1378 @@ -625,7 +639,7 @@ handle_elf (int fd, Elf *elf, const char
1380 else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GNU_versym))
1382 - assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
1383 + elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
1384 shdr_info[shdr_info[cnt].shdr.sh_link].version_idx = cnt;
1387 @@ -633,7 +647,7 @@ handle_elf (int fd, Elf *elf, const char
1388 discarded right away. */
1389 if ((shdr_info[cnt].shdr.sh_flags & SHF_GROUP) != 0)
1391 - assert (shdr_info[cnt].group_idx != 0);
1392 + elf_assert (shdr_info[cnt].group_idx != 0);
1394 if (shdr_info[shdr_info[cnt].group_idx].idx == 0)
1396 @@ -708,11 +722,15 @@ handle_elf (int fd, Elf *elf, const char
1398 /* If a relocation section is marked as being removed make
1399 sure the section it is relocating is removed, too. */
1400 - if ((shdr_info[cnt].shdr.sh_type == SHT_REL
1401 + if (shdr_info[cnt].shdr.sh_type == SHT_REL
1402 || shdr_info[cnt].shdr.sh_type == SHT_RELA)
1403 - && shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
1405 + if (shdr_info[cnt].shdr.sh_info >= shnum)
1407 + else if (shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
1408 shdr_info[cnt].idx = 1;
1412 if (shdr_info[cnt].idx == 1)
1414 @@ -737,7 +755,7 @@ handle_elf (int fd, Elf *elf, const char
1415 if (shdr_info[cnt].symtab_idx != 0
1416 && shdr_info[shdr_info[cnt].symtab_idx].data == NULL)
1418 - assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
1419 + elf_assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
1421 shdr_info[shdr_info[cnt].symtab_idx].data
1422 = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
1423 @@ -777,6 +795,9 @@ handle_elf (int fd, Elf *elf, const char
1424 else if (scnidx == SHN_XINDEX)
1427 + if (scnidx >= shnum)
1430 if (shdr_info[scnidx].idx == 0)
1432 /* Mark this section as used. */
1433 @@ -808,12 +829,16 @@ handle_elf (int fd, Elf *elf, const char
1436 /* Handle references through sh_info. */
1437 - if (SH_INFO_LINK_P (&shdr_info[cnt].shdr)
1438 - && shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
1439 + if (SH_INFO_LINK_P (&shdr_info[cnt].shdr))
1441 + if (shdr_info[cnt].shdr.sh_info >= shnum)
1443 + else if ( shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
1445 shdr_info[shdr_info[cnt].shdr.sh_info].idx = 1;
1446 changes |= shdr_info[cnt].shdr.sh_info < cnt;
1450 /* Mark the section as investigated. */
1451 shdr_info[cnt].idx = 2;
1452 @@ -912,7 +937,7 @@ handle_elf (int fd, Elf *elf, const char
1453 error (EXIT_FAILURE, 0, gettext ("while generating output file: %s"),
1456 - assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1457 + elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1459 /* Add this name to the section header string table. */
1460 shdr_info[cnt].se = ebl_strtabadd (shst, shdr_info[cnt].name, 0);
1461 @@ -949,7 +974,7 @@ handle_elf (int fd, Elf *elf, const char
1462 error (EXIT_FAILURE, 0,
1463 gettext ("while create section header section: %s"),
1465 - assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1466 + elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1468 shdr_info[cnt].data = elf_newdata (shdr_info[cnt].newscn);
1469 if (shdr_info[cnt].data == NULL)
1470 @@ -980,7 +1005,7 @@ handle_elf (int fd, Elf *elf, const char
1473 /* Index of the section header table in the shdr_info array. */
1474 - size_t shdridx = cnt;
1477 /* Add the section header string table section name. */
1478 shdr_info[cnt].se = ebl_strtabadd (shst, ".shstrtab", 10);
1479 @@ -1005,7 +1030,7 @@ handle_elf (int fd, Elf *elf, const char
1480 error (EXIT_FAILURE, 0,
1481 gettext ("while create section header section: %s"),
1483 - assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
1484 + elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
1486 /* Finalize the string table and fill in the correct indices in the
1488 @@ -1095,20 +1120,20 @@ handle_elf (int fd, Elf *elf, const char
1489 shndxdata = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
1492 - assert ((versiondata->d_size / sizeof (Elf32_Word))
1493 + elf_assert ((versiondata->d_size / sizeof (Elf32_Word))
1494 >= shdr_info[cnt].data->d_size / elsize);
1497 if (shdr_info[cnt].version_idx != 0)
1499 - assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
1500 + elf_assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
1501 /* This section has associated version
1502 information. We have to modify that
1503 information, too. */
1504 versiondata = elf_getdata (shdr_info[shdr_info[cnt].version_idx].scn,
1507 - assert ((versiondata->d_size / sizeof (GElf_Versym))
1508 + elf_assert ((versiondata->d_size / sizeof (GElf_Versym))
1509 >= shdr_info[cnt].data->d_size / elsize);
1512 @@ -1163,7 +1188,7 @@ handle_elf (int fd, Elf *elf, const char
1513 sec = shdr_info[sym->st_shndx].idx;
1516 - assert (shndxdata != NULL);
1517 + elf_assert (shndxdata != NULL);
1519 sec = shdr_info[xshndx].idx;
1521 @@ -1184,7 +1209,7 @@ handle_elf (int fd, Elf *elf, const char
1525 - assert (sec < SHN_LORESERVE || shndxdata != NULL);
1526 + elf_assert (sec < SHN_LORESERVE || shndxdata != NULL);
1528 if ((inner != destidx || nshndx != sym->st_shndx
1529 || (shndxdata != NULL && nxshndx != xshndx))
1530 @@ -1207,7 +1232,7 @@ handle_elf (int fd, Elf *elf, const char
1532 /* This is a section symbol for a section which has
1534 - assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION);
1535 + elf_assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION);
1538 if (destidx != inner)
1539 @@ -1371,11 +1396,11 @@ handle_elf (int fd, Elf *elf, const char
1542 GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
1543 - assert (sym != NULL);
1544 + elf_assert (sym != NULL);
1546 const char *name = elf_strptr (elf, strshndx,
1548 - assert (name != NULL);
1549 + elf_assert (name != NULL);
1550 size_t hidx = elf_hash (name) % nbucket;
1552 if (bucket[hidx] == 0)
1553 @@ -1394,7 +1419,7 @@ handle_elf (int fd, Elf *elf, const char
1556 /* Alpha and S390 64-bit use 64-bit SHT_HASH entries. */
1557 - assert (shdr_info[cnt].shdr.sh_entsize
1558 + elf_assert (shdr_info[cnt].shdr.sh_entsize
1559 == sizeof (Elf64_Xword));
1561 Elf64_Xword *bucket = (Elf64_Xword *) hashd->d_buf;
1562 @@ -1428,11 +1453,11 @@ handle_elf (int fd, Elf *elf, const char
1565 GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
1566 - assert (sym != NULL);
1567 + elf_assert (sym != NULL);
1569 const char *name = elf_strptr (elf, strshndx,
1571 - assert (name != NULL);
1572 + elf_assert (name != NULL);
1573 size_t hidx = elf_hash (name) % nbucket;
1575 if (bucket[hidx] == 0)
projects / packages / elfutils.git / blob