- update for 0.145 merged from FC.
0969077b
PS
1--- elfutils/libelf/ChangeLog
2+++ elfutils/libelf/ChangeLog
3@@ -616,6 +616,49 @@
4 If section content hasn't been read yet, do it before looking for the
5 block size. If no section data present, infer size of section header.
6
7+2005-05-17 Jakub Jelinek <jakub@redhat.com>
8+
9+ * elf32_getphdr.c (elfw2(LIBELFBITS,getphdr)): Check if program header
10+ table fits into object's bounds.
11+ * elf_getshstrndx.c (elf_getshstrndx): Add elf->start_offset to
12+ elf->map_address. Check if first section header fits into object's
13+ bounds.
14+ * elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)):
15+ Check if section header table fits into object's bounds.
16+ * elf_begin.c (get_shnum): Ensure section headers fits into
17+ object's bounds.
18+ (file_read_elf): Make sure scncnt is small enough to allocate both
19+ ElfXX_Shdr and Elf_Scn array. Make sure section and program header
20+ tables fit into object's bounds. Avoid memory leak on failure.
21+
22+2005-05-14 Jakub Jelinek <jakub@redhat.com>
23+
24+ * libelfP.h (INVALID_NDX): Define.
25+ * gelf_getdyn.c (gelf_getdyn): Use it. Remove ndx < 0 test if any.
26+ * gelf_getlib.c (gelf_getlib): Likewise.
27+ * gelf_getmove.c (gelf_getmove): Likewise.
28+ * gelf_getrel.c (gelf_getrel): Likewise.
29+ * gelf_getrela.c (gelf_getrela): Likewise.
30+ * gelf_getsym.c (gelf_getsym): Likewise.
31+ * gelf_getsyminfo.c (gelf_getsyminfo): Likewise.
32+ * gelf_getsymshndx.c (gelf_getsymshndx): Likewise.
33+ * gelf_getversym.c (gelf_getversym): Likewise.
34+ * gelf_update_dyn.c (gelf_update_dyn): Likewise.
35+ * gelf_update_lib.c (gelf_update_lib): Likewise.
36+ * gelf_update_move.c (gelf_update_move): Likewise.
37+ * gelf_update_rel.c (gelf_update_rel): Likewise.
38+ * gelf_update_rela.c (gelf_update_rela): Likewise.
39+ * gelf_update_sym.c (gelf_update_sym): Likewise.
40+ * gelf_update_syminfo.c (gelf_update_syminfo): Likewise.
41+ * gelf_update_symshndx.c (gelf_update_symshndx): Likewise.
42+ * gelf_update_versym.c (gelf_update_versym): Likewise.
43+ * elf_newscn.c (elf_newscn): Check for overflow.
44+ * elf32_updatefile.c (__elfw2(LIBELFBITS,updatemmap)): Likewise.
45+ (__elfw2(LIBELFBITS,updatefile)): Likewise.
46+ * elf_begin.c (file_read_elf): Likewise.
47+ * elf32_newphdr.c (elfw2(LIBELFBITS,newphdr)): Likewise.
48+ * elf_getarsym.c (elf_getarsym): Likewise.
49+ * elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)): Likewise.
50 2005-05-11 Ulrich Drepper <drepper@redhat.com>
51
52 * elf.h: Update again.
53--- elfutils/libelf/elf32_getphdr.c
54+++ elfutils/libelf/elf32_getphdr.c
55@@ -107,6 +107,16 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
d07e7be6 56
5f1d07b7
JB
57 if (elf->map_address != NULL)
58 {
59+ /* First see whether the information in the ELF header is
60+ valid and it does not ask for too much. */
61+ if (unlikely (ehdr->e_phoff >= elf->maximum_size)
0969077b 62+ || unlikely (elf->maximum_size - ehdr->e_phoff < size))
5f1d07b7
JB
63+ {
64+ /* Something is wrong. */
65+ __libelf_seterrno (ELF_E_INVALID_PHDR);
66+ goto out;
67+ }
d07e7be6 68+
5f1d07b7
JB
69 /* All the data is already mapped. Use it. */
70 void *file_phdr = ((char *) elf->map_address
71 + elf->start_offset + ehdr->e_phoff);
0969077b
PS
72--- elfutils/libelf/elf32_getshdr.c
73+++ elfutils/libelf/elf32_getshdr.c
5f1d07b7
JB
74@@ -1,5 +1,5 @@
75 /* Return section header.
0969077b
PS
76- Copyright (C) 1998, 1999, 2000, 2001, 2002, 2005, 2007, 2009 Red Hat, Inc.
77+ Copyright (C) 1998-2009 Red Hat, Inc.
5f1d07b7
JB
78 This file is part of Red Hat elfutils.
79 Written by Ulrich Drepper <drepper@redhat.com>, 1998.
80
0969077b 81@@ -81,7 +81,8 @@ load_shdr_wrlock (Elf_Scn *scn)
5f1d07b7
JB
82 goto out;
83
84 size_t shnum;
0969077b
PS
85- if (__elf_getshdrnum_rdlock (elf, &shnum) != 0)
86+ if (__elf_getshdrnum_rdlock (elf, &shnum) != 0
5f1d07b7
JB
87+ || shnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Shdr)))
88 goto out;
89 size_t size = shnum * sizeof (ElfW2(LIBELFBITS,Shdr));
90
0969077b 91@@ -98,6 +99,16 @@ load_shdr_wrlock (Elf_Scn *scn)
5f1d07b7
JB
92
93 if (elf->map_address != NULL)
94 {
95+ /* First see whether the information in the ELF header is
96+ valid and it does not ask for too much. */
97+ if (unlikely (ehdr->e_shoff >= elf->maximum_size)
0969077b 98+ || unlikely (elf->maximum_size - ehdr->e_shoff < size))
5f1d07b7
JB
99+ {
100+ /* Something is wrong. */
101+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
102+ goto free_and_out;
103+ }
d07e7be6 104+
5f1d07b7 105 ElfW2(LIBELFBITS,Shdr) *notcvt;
d07e7be6 106
5f1d07b7 107 /* All the data is already mapped. If we could use it
0969077b
PS
108--- elfutils/libelf/elf32_newphdr.c
109+++ elfutils/libelf/elf32_newphdr.c
110@@ -135,6 +135,12 @@ elfw2(LIBELFBITS,newphdr) (elf, count)
111 || count == PN_XNUM
5f1d07b7
JB
112 || elf->state.ELFW(elf,LIBELFBITS).phdr == NULL)
113 {
114+ if (unlikely (count > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))))
115+ {
116+ result = NULL;
117+ goto out;
118+ }
119+
120 /* Allocate a new program header with the appropriate number of
121 elements. */
122 result = (ElfW2(LIBELFBITS,Phdr) *)
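Review bot: The new `count > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))` guard returns NULL without calling `__libelf_seterrno`, so a caller that receives NULL sees whatever error code was set last rather than one describing this failure; every other guard added by this patch sets an error before bailing out. Suggest `__libelf_seterrno (ELF_E_NOMEM);` ahead of `result = NULL;`, which is the code libelf reports when the allocation itself fails, or an invalid-operand code if that reads better for a rejected count. The body of `elfw2(LIBELFBITS,newphdr)` starts and continues outside the hunk.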
0969077b
PS
123--- elfutils/libelf/elf32_updatefile.c
124+++ elfutils/libelf/elf32_updatefile.c
125@@ -223,6 +223,9 @@ __elfw2(LIBELFBITS,updatemmap) (Elf *elf
5f1d07b7
JB
126 /* Write all the sections. Well, only those which are modified. */
127 if (shnum > 0)
128 {
129+ if (unlikely (shnum > SIZE_MAX / sizeof (Elf_Scn *)))
130+ return 1;
131+
132 Elf_ScnList *list = &elf->state.ELFW(elf,LIBELFBITS).scns;
133 Elf_Scn **scns = (Elf_Scn **) alloca (shnum * sizeof (Elf_Scn *));
134 char *const shdr_start = ((char *) elf->map_address + elf->start_offset
0969077b 135@@ -645,6 +648,10 @@ __elfw2(LIBELFBITS,updatefile) (Elf *elf
5f1d07b7
JB
136 /* Write all the sections. Well, only those which are modified. */
137 if (shnum > 0)
138 {
139+ if (unlikely (shnum > SIZE_MAX / (sizeof (Elf_Scn *)
140+ + sizeof (ElfW2(LIBELFBITS,Shdr)))))
141+ return 1;
142+
143 off_t shdr_offset = elf->start_offset + ehdr->e_shoff;
144 #if EV_NUM != 2
145 xfct_t shdr_fctp = __elf_xfctstom[__libelf_version - 1][EV_CURRENT - 1][ELFW(ELFCLASS, LIBELFBITS) - 1][ELF_T_SHDR];
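Review bot: In the updatemmap hunk the new `shnum > SIZE_MAX / sizeof (Elf_Scn *)` check only stops the multiplication from wrapping; the `alloca (shnum * sizeof (Elf_Scn *))` that follows is still an unbounded stack allocation, so any section count below SIZE_MAX/8 passes and a count in the millions (presumably reachable when an existing file is rewritten) exhausts the stack before the loop runs. A heap allocation freed after the loop, or an upper bound on shnum derived from the file size, would close that. Both hunks also `return 1` without `__libelf_seterrno`; unless the callers set an error on a non-zero return, which is not visible here, the caller of elf_update ends up with a stale error code. The enclosing function bodies begin and continue outside the hunks.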
0969077b
PS
146--- elfutils/libelf/elf_begin.c
147+++ elfutils/libelf/elf_begin.c
148@@ -165,7 +165,8 @@ get_shnum (void *map_address, unsigned c
d07e7be6 149
5f1d07b7
JB
150 if (unlikely (result == 0) && ehdr.e32->e_shoff != 0)
151 {
152- if (ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize)
153+ if (unlikely (ehdr.e32->e_shoff >= maxsize)
0969077b 154+ || unlikely (maxsize - ehdr.e32->e_shoff < sizeof (Elf32_Shdr)))
5f1d07b7
JB
155 /* Cannot read the first section header. */
156 return 0;
d07e7be6 157
0969077b 158@@ -213,7 +214,8 @@ get_shnum (void *map_address, unsigned c
d07e7be6 159
5f1d07b7 160 if (unlikely (result == 0) && ehdr.e64->e_shoff != 0)
d07e7be6 161 {
5f1d07b7
JB
162- if (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize)
163+ if (unlikely (ehdr.e64->e_shoff >= maxsize)
164+ || unlikely (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize))
165 /* Cannot read the first section header. */
166 return 0;
d07e7be6 167
0969077b 168@@ -285,6 +287,15 @@ file_read_elf (int fildes, void *map_add
5f1d07b7
JB
169 /* Could not determine the number of sections. */
170 return NULL;
d07e7be6 171
5f1d07b7
JB
172+ /* Check for too many sections. */
173+ if (e_ident[EI_CLASS] == ELFCLASS32)
174+ {
175+ if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf32_Shdr)))
176+ return NULL;
177+ }
178+ else if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr)))
179+ return NULL;
d07e7be6 180+
0969077b
PS
181 /* We can now allocate the memory. Even if there are no section headers,
182 we allocate space for a zeroth section in case we need it later. */
183 const size_t scnmax = (scncnt ?: (cmd == ELF_C_RDWR || cmd == ELF_C_RDWR_MMAP)
184@@ -324,13 +335,33 @@ file_read_elf (int fildes, void *map_add
d07e7be6 185 {
5f1d07b7
JB
186 /* We can use the mmapped memory. */
187 elf->state.elf32.ehdr = ehdr;
d07e7be6 188+
5f1d07b7 189+ if (unlikely (ehdr->e_shoff >= maxsize)
0969077b
PS
190+ || unlikely (maxsize - ehdr->e_shoff
191+ < scncnt * sizeof (Elf32_Shdr)))
5f1d07b7
JB
192+ {
193+ free_and_out:
194+ free (elf);
195+ __libelf_seterrno (ELF_E_INVALID_FILE);
196+ return NULL;
197+ }
198 elf->state.elf32.shdr
199 = (Elf32_Shdr *) ((char *) ehdr + ehdr->e_shoff);
0969077b
PS
200- if (ehdr->e_phnum > 0)
201- /* Assign a value only if there really is a program
202- header. Otherwise the value remains NULL. */
203- elf->state.elf32.phdr
204- = (Elf32_Phdr *) ((char *) ehdr + ehdr->e_phoff);
5f1d07b7 205+
0969077b
PS
206+ size_t phnum = ehdr->e_phnum;
207+ if (phnum == PN_XNUM && scncnt > 0)
208+ phnum = elf->state.elf32.shdr[0].sh_info;
209+ if (phnum > 0)
5f1d07b7 210+ {
0969077b
PS
211+ /* Assign a value only if there really is a program
212+ header. Otherwise the value remains NULL. */
5f1d07b7 213+ if (unlikely (ehdr->e_phoff >= maxsize)
0969077b
PS
214+ || unlikely (maxsize - ehdr->e_phoff
215+ < phnum * sizeof (Elf32_Phdr)))
5f1d07b7 216+ goto free_and_out;
0969077b
PS
217+ elf->state.elf32.phdr
218+ = (Elf32_Phdr *) ((char *) ehdr + ehdr->e_phoff);
5f1d07b7 219+ }
d07e7be6 220
5f1d07b7
JB
221 for (size_t cnt = 0; cnt < scncnt; ++cnt)
222 {
0969077b 223@@ -412,13 +443,28 @@ file_read_elf (int fildes, void *map_add
5f1d07b7
JB
224 {
225 /* We can use the mmapped memory. */
226 elf->state.elf64.ehdr = ehdr;
227+
228+ if (unlikely (ehdr->e_shoff >= maxsize)
229+ || unlikely (ehdr->e_shoff
230+ + scncnt * sizeof (Elf32_Shdr) > maxsize))
231+ goto free_and_out;
232 elf->state.elf64.shdr
233 = (Elf64_Shdr *) ((char *) ehdr + ehdr->e_shoff);
0969077b
PS
234- if (ehdr->e_phnum > 0)
235- /* Assign a value only if there really is a program
236- header. Otherwise the value remains NULL. */
237- elf->state.elf64.phdr
238- = (Elf64_Phdr *) ((char *) ehdr + ehdr->e_phoff);
5f1d07b7 239+
0969077b
PS
240+ size_t phnum = ehdr->e_phnum;
241+ if (phnum == PN_XNUM && scncnt > 0)
242+ phnum = elf->state.elf64.shdr[0].sh_info;
243+ if (phnum > 0)
5f1d07b7 244+ {
0969077b
PS
245+ /* Assign a value only if there really is a program
246+ header. Otherwise the value remains NULL. */
5f1d07b7
JB
247+ if (unlikely (ehdr->e_phoff >= maxsize)
248+ || unlikely (ehdr->e_phoff
0969077b 249+ + phnum * sizeof (Elf32_Phdr) > maxsize))
5f1d07b7 250+ goto free_and_out;
0969077b
PS
251+ elf->state.elf64.phdr
252+ = (Elf64_Phdr *) ((char *) ehdr + ehdr->e_phoff);
5f1d07b7 253+ }
d07e7be6 254
5f1d07b7
JB
255 for (size_t cnt = 0; cnt < scncnt; ++cnt)
256 {
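Review bot: The bounds checks added in the ELF64 branch of file_read_elf use the ELF32 structure sizes: `ehdr->e_shoff + scncnt * sizeof (Elf32_Shdr) > maxsize` just before `elf->state.elf64.shdr` is assigned, and `ehdr->e_phoff + phnum * sizeof (Elf32_Phdr) > maxsize` just before `elf->state.elf64.phdr`. Elf64_Shdr and Elf64_Phdr are each 24 bytes larger than their 32-bit counterparts, so a table ending up to 24 bytes per entry past the mapping still passes and the section loop that follows reads out of bounds; change them to `sizeof (Elf64_Shdr)` and `sizeof (Elf64_Phdr)`. For consistency with the ELF32 branch, which uses the non-wrapping form, prefer `maxsize - ehdr->e_shoff < scncnt * sizeof (Elf64_Shdr)` (the get_shnum ELF64 hunk also kept the additive form while its ELF32 twin was converted). On hosts with a 32-bit size_t, `phnum * sizeof (...)` can itself wrap when phnum is taken from `shdr[0].sh_info`, a 32-bit field, so a `phnum > SIZE_MAX / sizeof (...)` guard like the scncnt one above would complete the check, and the `free_and_out` label reached by goto from the ELF64 branch into the ELF32 block is legal but deserves a comment. file_read_elf continues outside the hunks.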
0969077b
PS
257--- elfutils/libelf/elf_getarsym.c
258+++ elfutils/libelf/elf_getarsym.c
5f1d07b7
JB
259@@ -179,6 +179,9 @@ elf_getarsym (elf, ptr)
260 size_t index_size = atol (tmpbuf);
d07e7be6 261
5f1d07b7
JB
262 if (SARMAG + sizeof (struct ar_hdr) + index_size > elf->maximum_size
263+#if SIZE_MAX <= 4294967295U
264+ || n >= SIZE_MAX / sizeof (Elf_Arsym)
265+#endif
266 || n * sizeof (uint32_t) > index_size)
267 {
268 /* This index table cannot be right since it does not fit into
0969077b
PS
269--- elfutils/libelf/elf_getshdrstrndx.c
270+++ elfutils/libelf/elf_getshdrstrndx.c
271@@ -125,10 +125,25 @@ elf_getshdrstrndx (elf, dst)
5f1d07b7
JB
272 if (elf->map_address != NULL
273 && elf->state.elf32.ehdr->e_ident[EI_DATA] == MY_ELFDATA
274 && (ALLOW_UNALIGNED
275- || (((size_t) ((char *) elf->map_address + offset))
276+ || (((size_t) ((char *) elf->map_address
277+ + elf->start_offset + offset))
278 & (__alignof__ (Elf32_Shdr) - 1)) == 0))
0969077b
PS
279- /* We can directly access the memory. */
280- num = ((Elf32_Shdr *) (elf->map_address + offset))->sh_link;
5f1d07b7
JB
281+ {
282+ /* First see whether the information in the ELF header is
283+ valid and it does not ask for too much. */
0969077b
PS
284+ if (unlikely (elf->maximum_size - offset
285+ < sizeof (Elf32_Shdr)))
5f1d07b7
JB
286+ {
287+ /* Something is wrong. */
288+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
289+ result = -1;
290+ goto out;
291+ }
292+
0969077b 293+ /* We can directly access the memory. */
5f1d07b7
JB
294+ num = ((Elf32_Shdr *) (elf->map_address + elf->start_offset
295+ + offset))->sh_link;
296+ }
297 else
298 {
299 /* We avoid reading in all the section headers. Just read
0969077b 300@@ -163,10 +178,25 @@ elf_getshdrstrndx (elf, dst)
5f1d07b7
JB
301 if (elf->map_address != NULL
302 && elf->state.elf64.ehdr->e_ident[EI_DATA] == MY_ELFDATA
303 && (ALLOW_UNALIGNED
304- || (((size_t) ((char *) elf->map_address + offset))
305+ || (((size_t) ((char *) elf->map_address
306+ + elf->start_offset + offset))
307 & (__alignof__ (Elf64_Shdr) - 1)) == 0))
0969077b
PS
308- /* We can directly access the memory. */
309- num = ((Elf64_Shdr *) (elf->map_address + offset))->sh_link;
5f1d07b7
JB
310+ {
311+ /* First see whether the information in the ELF header is
312+ valid and it does not ask for too much. */
0969077b
PS
313+ if (unlikely (elf->maximum_size - offset
314+ < sizeof (Elf64_Shdr)))
5f1d07b7
JB
315+ {
316+ /* Something is wrong. */
317+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
318+ result = -1;
319+ goto out;
320+ }
321+
0969077b
PS
322+ /* We can directly access the memory. */
323+ num = ((Elf64_Shdr *) (elf->map_address + elf->start_offset
324+ + offset))->sh_link;
5f1d07b7
JB
325+ }
326 else
327 {
328 /* We avoid reading in all the section headers. Just read
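Review bot: The new check `elf->maximum_size - offset < sizeof (Elf32_Shdr)` never tests that `offset` is itself below `elf->maximum_size`, unlike the `e_shoff >= maximum_size` tests added to the other files in this patch; if `offset` (presumably taken from the ELF header's e_shoff) exceeds the file size the subtraction wraps to a large value, the check passes, and the `->sh_link` read that follows goes past the mapping. Write it as `if (unlikely (offset >= elf->maximum_size) || unlikely (elf->maximum_size - offset < sizeof (Elf32_Shdr)))`; the ELF64 hunk below has the same shape and needs the matching `Elf64_Shdr` form. This stands unless an earlier check outside the hunk already bounds offset, which is not visible here. elf_getshdrstrndx's body starts and continues outside the hunks.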
0969077b
PS
329--- elfutils/libelf/elf_newscn.c
330+++ elfutils/libelf/elf_newscn.c
5f1d07b7
JB
331@@ -104,10 +104,18 @@ elf_newscn (elf)
332 else
d07e7be6 333 {
5f1d07b7
JB
334 /* We must allocate a new element. */
335- Elf_ScnList *newp;
336+ Elf_ScnList *newp = NULL;
d07e7be6 337
5f1d07b7 338 assert (elf->state.elf.scnincr > 0);
d07e7be6 339
5f1d07b7
JB
340+ if (
341+#if SIZE_MAX <= 4294967295U
342+ likely (elf->state.elf.scnincr
343+ < SIZE_MAX / 2 / sizeof (Elf_Scn) - sizeof (Elf_ScnList))
344+#else
345+ 1
346+#endif
347+ )
348 newp = (Elf_ScnList *) calloc (sizeof (Elf_ScnList)
349 + ((elf->state.elf.scnincr *= 2)
350 * sizeof (Elf_Scn)), 1);
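Review bot: The 32-bit guard `elf->state.elf.scnincr < SIZE_MAX / 2 / sizeof (Elf_Scn) - sizeof (Elf_ScnList)` subtracts a byte count from an element count; the result is stricter than needed rather than unsafe, but it reads like a mistake. The bound the calloc below actually requires is `scnincr <= (SIZE_MAX - sizeof (Elf_ScnList)) / sizeof (Elf_Scn) / 2`. A one-line comment such as `/* A failed guard leaves newp NULL; the allocation-failure path below reports it. */` would also help, since that path lies outside the hunk and the `= NULL` initialisation on `newp` is otherwise unexplained.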
0969077b
PS
351--- elfutils/libelf/gelf_getdyn.c
352+++ elfutils/libelf/gelf_getdyn.c
353@@ -1,5 +1,5 @@
354 /* Get information from dynamic table at the given index.
355- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
356+ Copyright (C) 2000-2009 Red Hat, Inc.
357 This file is part of Red Hat elfutils.
358 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
359
360@@ -93,7 +93,7 @@ gelf_getdyn (data, ndx, dst)
5f1d07b7
JB
361 table entries has to be adopted. The user better has provided
362 a buffer where we can store the information. While copying the
363 data we are converting the format. */
364- if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
0969077b 365+ if (INVALID_NDX (ndx, Elf32_Dyn, &data_scn->d))
5f1d07b7
JB
366 {
367 __libelf_seterrno (ELF_E_INVALID_INDEX);
368 goto out;
0969077b 369@@ -114,7 +114,7 @@ gelf_getdyn (data, ndx, dst)
d07e7be6 370
5f1d07b7
JB
371 /* The data is already in the correct form. Just make sure the
372 index is OK. */
373- if (unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))
0969077b 374+ if (INVALID_NDX (ndx, GElf_Dyn, &data_scn->d))
5f1d07b7
JB
375 {
376 __libelf_seterrno (ELF_E_INVALID_INDEX);
377 goto out;
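Review bot: Every index check in this and the following gelf_*.c hunks now goes through INVALID_NDX, but the macro's definition (in libelfP.h according to the ChangeLog) is not part of this excerpt, and gelf_getrela.c, gelf_getrel.c, gelf_update_dyn.c, gelf_update_lib.c, gelf_update_move.c, gelf_update_rela.c, gelf_update_rel.c, gelf_update_sym.c, gelf_update_syminfo.c and gelf_update_symshndx.c also drop their explicit `ndx < 0` guards. With `ndx` declared `int` (see the gelf_update_rela signature), the replaced `(ndx + 1) * sizeof (T) > d_size` form let `ndx == -1` through as a zero-size request, so the removal is only safe if INVALID_NDX treats a negative index as out of range, for example by comparing `(unsigned int) (ndx)` against `d_size / sizeof (type)`. Since the macro is the single point all these call sites now depend on, a comment at its definition stating that contract is worth adding.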
0969077b
PS
378--- elfutils/libelf/gelf_getlib.c
379+++ elfutils/libelf/gelf_getlib.c
380@@ -1,5 +1,5 @@
381 /* Get library from table at the given index.
382- Copyright (C) 2004 Red Hat, Inc.
383+ Copyright (C) 2004-2009 Red Hat, Inc.
384 This file is part of Red Hat elfutils.
385 Written by Ulrich Drepper <drepper@redhat.com>, 2004.
386
387@@ -86,7 +86,7 @@ gelf_getlib (data, ndx, dst)
5f1d07b7
JB
388 /* The data is already in the correct form. Just make sure the
389 index is OK. */
390 GElf_Lib *result = NULL;
391- if (unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))
0969077b 392+ if (INVALID_NDX (ndx, GElf_Lib, data))
5f1d07b7
JB
393 __libelf_seterrno (ELF_E_INVALID_INDEX);
394 else
d07e7be6 395 {
0969077b
PS
396--- elfutils/libelf/gelf_getmove.c
397+++ elfutils/libelf/gelf_getmove.c
398@@ -1,5 +1,5 @@
399 /* Get move structure at the given index.
400- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
401+ Copyright (C) 2000-2009 Red Hat, Inc.
402 This file is part of Red Hat elfutils.
403 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
404
405@@ -83,7 +83,7 @@ gelf_getmove (data, ndx, dst)
d07e7be6 406
5f1d07b7
JB
407 /* The data is already in the correct form. Just make sure the
408 index is OK. */
409- if (unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))
0969077b 410+ if (INVALID_NDX (ndx, GElf_Move, data))
d07e7be6 411 {
5f1d07b7
JB
412 __libelf_seterrno (ELF_E_INVALID_INDEX);
413 goto out;
0969077b
PS
414--- elfutils/libelf/gelf_getrela.c
415+++ elfutils/libelf/gelf_getrela.c
416@@ -1,5 +1,5 @@
417 /* Get RELA relocation information at given index.
418- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
419+ Copyright (C) 2000-2009 Red Hat, Inc.
420 This file is part of Red Hat elfutils.
421 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
422
5f1d07b7
JB
423@@ -71,12 +71,6 @@ gelf_getrela (data, ndx, dst)
424 if (data_scn == NULL)
425 return NULL;
49fd4b14 426
5f1d07b7
JB
427- if (unlikely (ndx < 0))
428- {
429- __libelf_seterrno (ELF_E_INVALID_INDEX);
430- return NULL;
431- }
432-
433 if (unlikely (data_scn->d.d_type != ELF_T_RELA))
434 {
435 __libelf_seterrno (ELF_E_INVALID_HANDLE);
0969077b 436@@ -93,7 +87,7 @@ gelf_getrela (data, ndx, dst)
5f1d07b7
JB
437 if (scn->elf->class == ELFCLASS32)
438 {
439 /* We have to convert the data. */
440- if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
0969077b 441+ if (INVALID_NDX (ndx, Elf32_Rela, &data_scn->d))
5f1d07b7
JB
442 {
443 __libelf_seterrno (ELF_E_INVALID_INDEX);
444 result = NULL;
0969077b 445@@ -114,7 +108,7 @@ gelf_getrela (data, ndx, dst)
5f1d07b7
JB
446 {
447 /* Simply copy the data after we made sure we are actually getting
448 correct data. */
449- if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
0969077b 450+ if (INVALID_NDX (ndx, Elf64_Rela, &data_scn->d))
5f1d07b7
JB
451 {
452 __libelf_seterrno (ELF_E_INVALID_INDEX);
453 result = NULL;
0969077b
PS
454--- elfutils/libelf/gelf_getrel.c
455+++ elfutils/libelf/gelf_getrel.c
456@@ -1,5 +1,5 @@
457 /* Get REL relocation information at given index.
458- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
459+ Copyright (C) 2000-2009 Red Hat, Inc.
460 This file is part of Red Hat elfutils.
461 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
462
5f1d07b7
JB
463@@ -71,12 +71,6 @@ gelf_getrel (data, ndx, dst)
464 if (data_scn == NULL)
465 return NULL;
49fd4b14 466
5f1d07b7
JB
467- if (unlikely (ndx < 0))
468- {
469- __libelf_seterrno (ELF_E_INVALID_INDEX);
470- return NULL;
471- }
472-
473 if (unlikely (data_scn->d.d_type != ELF_T_REL))
474 {
475 __libelf_seterrno (ELF_E_INVALID_HANDLE);
0969077b 476@@ -93,7 +87,7 @@ gelf_getrel (data, ndx, dst)
5f1d07b7
JB
477 if (scn->elf->class == ELFCLASS32)
478 {
479 /* We have to convert the data. */
480- if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
0969077b 481+ if (INVALID_NDX (ndx, Elf32_Rel, &data_scn->d))
5f1d07b7
JB
482 {
483 __libelf_seterrno (ELF_E_INVALID_INDEX);
484 result = NULL;
0969077b 485@@ -113,7 +107,7 @@ gelf_getrel (data, ndx, dst)
5f1d07b7
JB
486 {
487 /* Simply copy the data after we made sure we are actually getting
488 correct data. */
489- if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
0969077b 490+ if (INVALID_NDX (ndx, Elf64_Rel, &data_scn->d))
5f1d07b7
JB
491 {
492 __libelf_seterrno (ELF_E_INVALID_INDEX);
493 result = NULL;
0969077b
PS
494--- elfutils/libelf/gelf_getsym.c
495+++ elfutils/libelf/gelf_getsym.c
496@@ -1,5 +1,5 @@
497 /* Get symbol information from symbol table at the given index.
498- Copyright (C) 1999, 2000, 2001, 2002 Red Hat, Inc.
499+ Copyright (C) 1999-2009 Red Hat, Inc.
500 This file is part of Red Hat elfutils.
501 Written by Ulrich Drepper <drepper@redhat.com>, 1999.
502
503@@ -90,7 +90,7 @@ gelf_getsym (data, ndx, dst)
5f1d07b7
JB
504 table entries has to be adopted. The user better has provided
505 a buffer where we can store the information. While copying the
506 data we are converting the format. */
507- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))
0969077b 508+ if (INVALID_NDX (ndx, Elf32_Sym, data))
5f1d07b7
JB
509 {
510 __libelf_seterrno (ELF_E_INVALID_INDEX);
511 goto out;
0969077b 512@@ -119,7 +119,7 @@ gelf_getsym (data, ndx, dst)
a8ca41f5 513
5f1d07b7
JB
514 /* The data is already in the correct form. Just make sure the
515 index is OK. */
516- if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))
0969077b 517+ if (INVALID_NDX (ndx, GElf_Sym, data))
5f1d07b7
JB
518 {
519 __libelf_seterrno (ELF_E_INVALID_INDEX);
520 goto out;
0969077b
PS
521--- elfutils/libelf/gelf_getsyminfo.c
522+++ elfutils/libelf/gelf_getsyminfo.c
523@@ -1,5 +1,5 @@
524 /* Get additional symbol information from symbol table at the given index.
525- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
526+ Copyright (C) 2000-2009 Red Hat, Inc.
527 This file is part of Red Hat elfutils.
528 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
529
530@@ -84,7 +84,7 @@ gelf_getsyminfo (data, ndx, dst)
49fd4b14 531
5f1d07b7
JB
532 /* The data is already in the correct form. Just make sure the
533 index is OK. */
534- if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))
0969077b 535+ if (INVALID_NDX (ndx, GElf_Syminfo, data))
0dcd74c7 536 {
5f1d07b7
JB
537 __libelf_seterrno (ELF_E_INVALID_INDEX);
538 goto out;
0969077b
PS
539--- elfutils/libelf/gelf_getsymshndx.c
540+++ elfutils/libelf/gelf_getsymshndx.c
541@@ -1,6 +1,6 @@
542 /* Get symbol information and separate section index from symbol table
543 at the given index.
544- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
545+ Copyright (C) 2000-2009 Red Hat, Inc.
546 This file is part of Red Hat elfutils.
547 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
548
549@@ -90,7 +90,7 @@ gelf_getsymshndx (symdata, shndxdata, nd
5f1d07b7
JB
550 section index table. */
551 if (likely (shndxdata_scn != NULL))
552 {
553- if (unlikely ((ndx + 1) * sizeof (Elf32_Word) > shndxdata_scn->d.d_size))
0969077b 554+ if (INVALID_NDX (ndx, Elf32_Word, &shndxdata_scn->d))
5f1d07b7
JB
555 {
556 __libelf_seterrno (ELF_E_INVALID_INDEX);
557 goto out;
0969077b 558@@ -110,7 +110,7 @@ gelf_getsymshndx (symdata, shndxdata, nd
5f1d07b7
JB
559 table entries has to be adopted. The user better has provided
560 a buffer where we can store the information. While copying the
561 data we are converting the format. */
562- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))
0969077b 563+ if (INVALID_NDX (ndx, Elf32_Sym, symdata))
5f1d07b7
JB
564 {
565 __libelf_seterrno (ELF_E_INVALID_INDEX);
566 goto out;
0969077b 567@@ -139,7 +139,7 @@ gelf_getsymshndx (symdata, shndxdata, nd
0dcd74c7 568
5f1d07b7
JB
569 /* The data is already in the correct form. Just make sure the
570 index is OK. */
571- if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))
0969077b 572+ if (INVALID_NDX (ndx, GElf_Sym, symdata))
0dcd74c7 573 {
5f1d07b7
JB
574 __libelf_seterrno (ELF_E_INVALID_INDEX);
575 goto out;
0969077b
PS
576--- elfutils/libelf/gelf_getversym.c
577+++ elfutils/libelf/gelf_getversym.c
578@@ -1,5 +1,5 @@
579 /* Get symbol version information at the given index.
580- Copyright (C) 1999, 2000, 2001, 2002 Red Hat, Inc.
581+ Copyright (C) 1999-2009 Red Hat, Inc.
582 This file is part of Red Hat elfutils.
583 Written by Ulrich Drepper <drepper@redhat.com>, 1999.
584
585@@ -92,7 +92,7 @@ gelf_getversym (data, ndx, dst)
0dcd74c7 586
5f1d07b7
JB
587 /* The data is already in the correct form. Just make sure the
588 index is OK. */
589- if (unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))
0969077b 590+ if (INVALID_NDX (ndx, GElf_Versym, data))
5f1d07b7
JB
591 {
592 __libelf_seterrno (ELF_E_INVALID_INDEX);
593 result = NULL;
0969077b
PS
594--- elfutils/libelf/gelf_update_dyn.c
595+++ elfutils/libelf/gelf_update_dyn.c
596@@ -1,5 +1,5 @@
597 /* Update information in dynamic table at the given index.
598- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
599+ Copyright (C) 2000-2009 Red Hat, Inc.
600 This file is part of Red Hat elfutils.
601 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
602
5f1d07b7
JB
603@@ -71,12 +71,6 @@ gelf_update_dyn (data, ndx, src)
604 if (data == NULL)
605 return 0;
0dcd74c7 606
5f1d07b7
JB
607- if (unlikely (ndx < 0))
608- {
609- __libelf_seterrno (ELF_E_INVALID_INDEX);
610- return 0;
611- }
612-
613 if (unlikely (data_scn->d.d_type != ELF_T_DYN))
614 {
615 /* The type of the data better should match. */
0969077b 616@@ -102,7 +96,7 @@ gelf_update_dyn (data, ndx, src)
a8ca41f5 617 }
0dcd74c7 618
5f1d07b7
JB
619 /* Check whether we have to resize the data buffer. */
620- if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
0969077b 621+ if (INVALID_NDX (ndx, Elf32_Dyn, &data_scn->d))
49fd4b14 622 {
5f1d07b7
JB
623 __libelf_seterrno (ELF_E_INVALID_INDEX);
624 goto out;
0969077b 625@@ -116,7 +110,7 @@ gelf_update_dyn (data, ndx, src)
5f1d07b7
JB
626 else
627 {
628 /* Check whether we have to resize the data buffer. */
629- if (unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))
0969077b 630+ if (INVALID_NDX (ndx, Elf64_Dyn, &data_scn->d))
49fd4b14 631 {
5f1d07b7
JB
632 __libelf_seterrno (ELF_E_INVALID_INDEX);
633 goto out;
0969077b
PS
634--- elfutils/libelf/gelf_update_lib.c
635+++ elfutils/libelf/gelf_update_lib.c
636@@ -1,5 +1,5 @@
637 /* Update library in table at the given index.
638- Copyright (C) 2004 Red Hat, Inc.
639+ Copyright (C) 2004-2009 Red Hat, Inc.
640 This file is part of Red Hat elfutils.
641 Written by Ulrich Drepper <drepper@redhat.com>, 2004.
642
5f1d07b7
JB
643@@ -68,12 +68,6 @@ gelf_update_lib (data, ndx, src)
644 if (data == NULL)
645 return 0;
0dcd74c7 646
5f1d07b7
JB
647- if (unlikely (ndx < 0))
648- {
649- __libelf_seterrno (ELF_E_INVALID_INDEX);
650- return 0;
651- }
652-
653 Elf_Data_Scn *data_scn = (Elf_Data_Scn *) data;
654 if (unlikely (data_scn->d.d_type != ELF_T_LIB))
655 {
0969077b 656@@ -87,7 +81,7 @@ gelf_update_lib (data, ndx, src)
0dcd74c7 657
5f1d07b7
JB
658 /* Check whether we have to resize the data buffer. */
659 int result = 0;
660- if (unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))
0969077b 661+ if (INVALID_NDX (ndx, Elf64_Lib, &data_scn->d))
5f1d07b7
JB
662 __libelf_seterrno (ELF_E_INVALID_INDEX);
663 else
664 {
0969077b
PS
665--- elfutils/libelf/gelf_update_move.c
666+++ elfutils/libelf/gelf_update_move.c
667@@ -1,5 +1,5 @@
668 /* Update move structure at the given index.
669- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
670+ Copyright (C) 2000-2009 Red Hat, Inc.
671 This file is part of Red Hat elfutils.
672 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
673
674@@ -75,8 +75,7 @@ gelf_update_move (data, ndx, src)
5f1d07b7 675 assert (sizeof (GElf_Move) == sizeof (Elf64_Move));
49fd4b14 676
5f1d07b7
JB
677 /* Check whether we have to resize the data buffer. */
678- if (unlikely (ndx < 0)
0969077b
PS
679- || unlikely ((ndx + 1) * sizeof (GElf_Move) > data_scn->d.d_size))
680+ if (INVALID_NDX (ndx, GElf_Move, &data_scn->d))
5f1d07b7
JB
681 {
682 __libelf_seterrno (ELF_E_INVALID_INDEX);
0969077b
PS
683 return 0;
684--- elfutils/libelf/gelf_update_rela.c
685+++ elfutils/libelf/gelf_update_rela.c
686@@ -1,5 +1,5 @@
687 /* Update RELA relocation information at given index.
688- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
689+ Copyright (C) 2000-2009 Red Hat, Inc.
690 This file is part of Red Hat elfutils.
691 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
692
5f1d07b7
JB
693@@ -68,12 +68,6 @@ gelf_update_rela (Elf_Data *dst, int ndx
694 if (dst == NULL)
695 return 0;
696
697- if (unlikely (ndx < 0))
698- {
699- __libelf_seterrno (ELF_E_INVALID_INDEX);
700- return 0;
701- }
702-
703 if (unlikely (data_scn->d.d_type != ELF_T_RELA))
704 {
705 /* The type of the data better should match. */
0969077b 706@@ -101,7 +95,7 @@ gelf_update_rela (Elf_Data *dst, int ndx
5f1d07b7
JB
707 }
708
709 /* Check whether we have to resize the data buffer. */
710- if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
0969077b 711+ if (INVALID_NDX (ndx, Elf32_Rela, &data_scn->d))
5f1d07b7
JB
712 {
713 __libelf_seterrno (ELF_E_INVALID_INDEX);
714 goto out;
0969077b 715@@ -117,7 +111,7 @@ gelf_update_rela (Elf_Data *dst, int ndx
5f1d07b7
JB
716 else
717 {
718 /* Check whether we have to resize the data buffer. */
719- if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
0969077b 720+ if (INVALID_NDX (ndx, Elf64_Rela, &data_scn->d))
5f1d07b7
JB
721 {
722 __libelf_seterrno (ELF_E_INVALID_INDEX);
723 goto out;
0969077b
PS
724--- elfutils/libelf/gelf_update_rel.c
725+++ elfutils/libelf/gelf_update_rel.c
726@@ -1,5 +1,5 @@
727 /* Update REL relocation information at given index.
728- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
729+ Copyright (C) 2000-2009 Red Hat, Inc.
730 This file is part of Red Hat elfutils.
731 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
732
5f1d07b7
JB
733@@ -68,12 +68,6 @@ gelf_update_rel (Elf_Data *dst, int ndx,
734 if (dst == NULL)
735 return 0;
49fd4b14 736
5f1d07b7
JB
737- if (unlikely (ndx < 0))
738- {
739- __libelf_seterrno (ELF_E_INVALID_INDEX);
740- return 0;
741- }
742-
743 if (unlikely (data_scn->d.d_type != ELF_T_REL))
744 {
745 /* The type of the data better should match. */
0969077b 746@@ -99,7 +93,7 @@ gelf_update_rel (Elf_Data *dst, int ndx,
5f1d07b7 747 }
49fd4b14 748
5f1d07b7
JB
749 /* Check whether we have to resize the data buffer. */
750- if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
0969077b 751+ if (INVALID_NDX (ndx, Elf32_Rel, &data_scn->d))
5f1d07b7
JB
752 {
753 __libelf_seterrno (ELF_E_INVALID_INDEX);
754 goto out;
0969077b 755@@ -114,7 +108,7 @@ gelf_update_rel (Elf_Data *dst, int ndx,
5f1d07b7
JB
756 else
757 {
758 /* Check whether we have to resize the data buffer. */
759- if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
0969077b 760+ if (INVALID_NDX (ndx, Elf64_Rel, &data_scn->d))
5f1d07b7
JB
761 {
762 __libelf_seterrno (ELF_E_INVALID_INDEX);
763 goto out;
0969077b
PS
764--- elfutils/libelf/gelf_update_sym.c
765+++ elfutils/libelf/gelf_update_sym.c
766@@ -1,5 +1,5 @@
767 /* Update symbol information in symbol table at the given index.
768- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
769+ Copyright (C) 2000-2009 Red Hat, Inc.
770 This file is part of Red Hat elfutils.
771 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
772
5f1d07b7
JB
773@@ -72,12 +72,6 @@ gelf_update_sym (data, ndx, src)
774 if (data == NULL)
775 return 0;
49fd4b14 776
5f1d07b7
JB
777- if (unlikely (ndx < 0))
778- {
779- __libelf_seterrno (ELF_E_INVALID_INDEX);
780- return 0;
781- }
782-
783 if (unlikely (data_scn->d.d_type != ELF_T_SYM))
784 {
785 /* The type of the data better should match. */
0969077b 786@@ -102,7 +96,7 @@ gelf_update_sym (data, ndx, src)
5f1d07b7 787 }
49fd4b14 788
5f1d07b7
JB
789 /* Check whether we have to resize the data buffer. */
790- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))
0969077b 791+ if (INVALID_NDX (ndx, Elf32_Sym, &data_scn->d))
5f1d07b7
JB
792 {
793 __libelf_seterrno (ELF_E_INVALID_INDEX);
794 goto out;
0969077b 795@@ -125,7 +119,7 @@ gelf_update_sym (data, ndx, src)
5f1d07b7
JB
796 else
797 {
798 /* Check whether we have to resize the data buffer. */
799- if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))
0969077b 800+ if (INVALID_NDX (ndx, Elf64_Sym, &data_scn->d))
5f1d07b7
JB
801 {
802 __libelf_seterrno (ELF_E_INVALID_INDEX);
803 goto out;
0969077b
PS
804--- elfutils/libelf/gelf_update_syminfo.c
805+++ elfutils/libelf/gelf_update_syminfo.c
806@@ -1,5 +1,5 @@
807 /* Update additional symbol information in symbol table at the given index.
808- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
809+ Copyright (C) 2000-2009 Red Hat, Inc.
810 This file is part of Red Hat elfutils.
811 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
812
5f1d07b7
JB
813@@ -72,12 +72,6 @@ gelf_update_syminfo (data, ndx, src)
814 if (data == NULL)
815 return 0;
0dcd74c7 816
5f1d07b7
JB
817- if (unlikely (ndx < 0))
818- {
819- __libelf_seterrno (ELF_E_INVALID_INDEX);
820- return 0;
821- }
822-
823 if (unlikely (data_scn->d.d_type != ELF_T_SYMINFO))
824 {
825 /* The type of the data better should match. */
0969077b 826@@ -93,7 +87,7 @@ gelf_update_syminfo (data, ndx, src)
5f1d07b7 827 rwlock_wrlock (scn->elf->lock);
0dcd74c7 828
5f1d07b7
JB
829 /* Check whether we have to resize the data buffer. */
830- if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))
0969077b 831+ if (INVALID_NDX (ndx, GElf_Syminfo, &data_scn->d))
5f1d07b7
JB
832 {
833 __libelf_seterrno (ELF_E_INVALID_INDEX);
834 goto out;
0969077b
PS
835--- elfutils/libelf/gelf_update_symshndx.c
836+++ elfutils/libelf/gelf_update_symshndx.c
837@@ -1,6 +1,6 @@
838 /* Update symbol information and section index in symbol table at the
839 given index.
840- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
841+ Copyright (C) 2000-2009 Red Hat, Inc.
842 This file is part of Red Hat elfutils.
843 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
844
5f1d07b7
JB
845@@ -77,12 +77,6 @@ gelf_update_symshndx (symdata, shndxdata
846 if (symdata == NULL)
847 return 0;
0dcd74c7 848
5f1d07b7
JB
849- if (unlikely (ndx < 0))
850- {
851- __libelf_seterrno (ELF_E_INVALID_INDEX);
852- return 0;
853- }
854-
855 if (unlikely (symdata_scn->d.d_type != ELF_T_SYM))
856 {
857 /* The type of the data better should match. */
0969077b 858@@ -128,7 +122,7 @@ gelf_update_symshndx (symdata, shndxdata
5f1d07b7 859 }
0dcd74c7 860
5f1d07b7
JB
861 /* Check whether we have to resize the data buffer. */
862- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))
0969077b 863+ if (INVALID_NDX (ndx, Elf32_Sym, &symdata_scn->d))
5f1d07b7
JB
864 {
865 __libelf_seterrno (ELF_E_INVALID_INDEX);
866 goto out;
0969077b 867@@ -151,7 +145,7 @@ gelf_update_symshndx (symdata, shndxdata
5f1d07b7
JB
868 else
869 {
870 /* Check whether we have to resize the data buffer. */
871- if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))
0969077b 872+ if (INVALID_NDX (ndx, Elf64_Sym, &symdata_scn->d))
5f1d07b7
JB
873 {
874 __libelf_seterrno (ELF_E_INVALID_INDEX);
875 goto out;
0969077b
PS
876--- elfutils/libelf/gelf_update_versym.c
877+++ elfutils/libelf/gelf_update_versym.c
878@@ -1,5 +1,5 @@
879 /* Update symbol version information.
880- Copyright (C) 2001, 2002 Red Hat, Inc.
881+ Copyright (C) 2001-2009 Red Hat, Inc.
882 This file is part of Red Hat elfutils.
883 Written by Ulrich Drepper <drepper@redhat.com>, 2001.
884
885@@ -75,8 +75,7 @@ gelf_update_versym (data, ndx, src)
5f1d07b7 886 assert (sizeof (GElf_Versym) == sizeof (Elf64_Versym));
0dcd74c7 887
5f1d07b7
JB
888 /* Check whether we have to resize the data buffer. */
889- if (unlikely (ndx < 0)
0969077b
PS
890- || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data_scn->d.d_size))
891+ if (INVALID_NDX (ndx, GElf_Versym, &data_scn->d))
5f1d07b7
JB
892 {
893 __libelf_seterrno (ELF_E_INVALID_INDEX);
0969077b
PS
894 return 0;
895--- elfutils/libelf/libelfP.h
896+++ elfutils/libelf/libelfP.h
897@@ -608,4 +608,8 @@ extern uint32_t __libelf_crc32 (uint32_t
5f1d07b7
JB
898 /* Align offset to 4 bytes as needed for note name and descriptor data. */
899 #define NOTE_ALIGN(n) (((n) + 3) & -4U)
49fd4b14 900
0969077b
PS
901+/* Convenience macro. */
902+#define INVALID_NDX(ndx, type, data) \
903+ unlikely ((data)->d_size / sizeof (type) <= (unsigned int) (ndx))
5f1d07b7
JB
904+
905 #endif /* libelfP.h */
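Review bot: The `/* Convenience macro. */` comment on INVALID_NDX leaves undocumented the two properties the rest of this patch depends on: the `(unsigned int) (ndx)` cast turns a negative index into a large value that fails the comparison, which is what makes dropping the `ndx < 0` tests in the gelf_update_sym, gelf_update_syminfo and gelf_update_symshndx hunks safe, and dividing `d_size` by `sizeof (type)` avoids the `(ndx + 1) * sizeof (...)` product of the old checks, which could wrap for a large ndx. Suggest replacing the comment with `/* Nonzero if NDX is not a valid element index into DATA for entries of TYPE.  The unsigned cast rejects a negative NDX; dividing instead of multiplying cannot overflow.  */` so a later reader does not reintroduce a sign test or a multiplication.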
0969077b
PS
906--- elfutils/src/ChangeLog
907+++ elfutils/src/ChangeLog
908@@ -1532,6 +1532,16 @@
909 object symbols or symbols with unknown type.
910 (check_rel): Likewise.
911
912+2005-06-09 Roland McGrath <roland@redhat.com>
913+
914+ * readelf.c (handle_dynamic, handle_symtab): Check for bogus sh_link.
915+ (handle_verneed, handle_verdef, handle_versym, handle_hash): Likewise.
916+ (handle_scngrp): Check for bogus sh_info.
917+
918+ * strip.c (handle_elf): Check for bogus values in sh_link, sh_info,
919+ st_shndx, e_shstrndx, and SHT_GROUP or SHT_SYMTAB_SHNDX data.
920+ Don't use assert on input values, instead bail with "illformed" error.
921+
922 2005-06-08 Roland McGrath <roland@redhat.com>
923
924 * readelf.c (print_ops): Add consts.
925@@ -1577,6 +1587,19 @@
926
927 * readelf.c (dwarf_tag_string): Add new tags.
928
929+2005-05-17 Jakub Jelinek <jakub@redhat.com>
930+
931+ * elflint.c (check_hash): Don't check entries beyond end of section.
932+ (check_note): Don't crash if gelf_rawchunk fails.
933+ (section_name): Return <invalid> if gelf_getshdr returns NULL.
934+
935+2005-05-14 Jakub Jelinek <jakub@redhat.com>
936+
937+ * elflint.c (section_name): Return "<invalid>" instead of
938+ crashing on invalid section name.
939+ (check_symtab, is_rel_dyn, check_rela, check_rel, check_dynamic,
940+ check_symtab_shndx, check_hash, check_versym): Robustify.
941+
942 2005-05-08 Roland McGrath <roland@redhat.com>
943
944 * strip.c (handle_elf): Don't translate hash and versym data formats,
945--- elfutils/src/elflint.c
946+++ elfutils/src/elflint.c
947@@ -131,6 +131,10 @@ static uint32_t shstrndx;
5f1d07b7
JB
948 /* Array to count references in section groups. */
949 static int *scnref;
0dcd74c7 950
0969077b 951+/* Numbers of sections and program headers. */
5f1d07b7 952+static unsigned int shnum;
0969077b 953+static unsigned int phnum;
5f1d07b7 954+
0dcd74c7 955
5f1d07b7
JB
956 int
957 main (int argc, char *argv[])
0969077b 958@@ -319,10 +323,19 @@ section_name (Ebl *ebl, int idx)
5f1d07b7
JB
959 {
960 GElf_Shdr shdr_mem;
961 GElf_Shdr *shdr;
962+ const char *ret;
963+
964+ if ((unsigned int) idx > shnum)
965+ return "<invalid>";
0dcd74c7 966
5f1d07b7
JB
967 shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);
968+ if (shdr == NULL)
969+ return "<invalid>";
49fd4b14 970
5f1d07b7
JB
971- return elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
972+ ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
973+ if (ret == NULL)
974+ return "<invalid>";
975+ return ret;
976 }
49fd4b14 977
158e8d12 978
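Review bot: The new guard in section_name is off by one: section indices run from 0 to shnum - 1, so `idx == shnum` passes `(unsigned int) idx > shnum` and only gets caught by the `shdr == NULL` test after elf_getscn fails. That is not a crash, but the bound check should state the real limit, `if ((unsigned int) idx >= shnum)`, so the function does not rely on libelf's handling of an out-of-range section number.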
0969077b 979@@ -344,11 +357,6 @@ static const int valid_e_machine[] =
5f1d07b7 980 (sizeof (valid_e_machine) / sizeof (valid_e_machine[0]))
158e8d12 981
158e8d12 982
0969077b 983-/* Numbers of sections and program headers. */
5f1d07b7 984-static unsigned int shnum;
0969077b 985-static unsigned int phnum;
5f1d07b7
JB
986-
987-
988 static void
989 check_elf_header (Ebl *ebl, GElf_Ehdr *ehdr, size_t size)
990 {
0969077b 991@@ -632,7 +640,8 @@ section [%2d] '%s': symbol table cannot
5f1d07b7
JB
992 }
993 }
158e8d12 994
5f1d07b7
JB
995- if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT))
996+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT);
997+ if (shdr->sh_entsize != sh_entsize)
998 ERROR (gettext ("\
999 section [%2u] '%s': entry size is does not match ElfXX_Sym\n"),
1000 idx, section_name (ebl, idx));
0969077b 1001@@ -670,7 +679,7 @@ section [%2d] '%s': XINDEX for zeroth en
5f1d07b7
JB
1002 xndxscnidx, section_name (ebl, xndxscnidx));
1003 }
158e8d12 1004
5f1d07b7
JB
1005- for (size_t cnt = 1; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1006+ for (size_t cnt = 1; cnt < shdr->sh_size / sh_entsize; ++cnt)
1007 {
1008 sym = gelf_getsymshndx (data, xndxdata, cnt, &sym_mem, &xndx);
1009 if (sym == NULL)
0969077b 1010@@ -690,7 +699,8 @@ section [%2d] '%s': symbol %zu: invalid
5f1d07b7 1011 else
0dcd74c7 1012 {
5f1d07b7
JB
1013 name = elf_strptr (ebl->elf, shdr->sh_link, sym->st_name);
1014- assert (name != NULL);
1015+ assert (name != NULL
1016+ || strshdr->sh_type != SHT_STRTAB);
1017 }
0dcd74c7 1018
5f1d07b7 1019 if (sym->st_shndx == SHN_XINDEX)
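Review bot: The rewritten `assert (name != NULL || strshdr->sh_type != SHT_STRTAB)` still aborts elflint on malformed input: when the linked section is an SHT_STRTAB but `sym->st_name` lies beyond its end, elf_strptr returns NULL and the assertion fires instead of a diagnostic. Since this is a checker whose purpose is to report such files, replace the assert with an ERROR in the style of the surrounding messages, for example (constructed wording) `ERROR (gettext ("section [%2d] '%s': symbol %zu: invalid name value\n"), idx, section_name (ebl, idx), cnt);` and skip the name-dependent checks for that symbol. The enclosing loop of check_symtab continues outside the hunk, so which later uses of `name` must be guarded is not visible here.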
0969077b 1020@@ -1038,9 +1048,11 @@ is_rel_dyn (Ebl *ebl, const GElf_Ehdr *e
5f1d07b7
JB
1021 {
1022 GElf_Shdr rcshdr_mem;
1023 const GElf_Shdr *rcshdr = gelf_getshdr (scn, &rcshdr_mem);
1024- assert (rcshdr != NULL);
1025
1026- if (rcshdr->sh_type == SHT_DYNAMIC)
1027+ if (rcshdr == NULL)
1028+ break;
1029+
1030+ if (rcshdr->sh_type == SHT_DYNAMIC && rcshdr->sh_entsize)
0dcd74c7 1031 {
5f1d07b7
JB
1032 /* Found the dynamic section. Look through it. */
1033 Elf_Data *d = elf_getdata (scn, NULL);
0969077b 1034@@ -1050,7 +1062,9 @@ is_rel_dyn (Ebl *ebl, const GElf_Ehdr *e
5f1d07b7
JB
1035 {
1036 GElf_Dyn dyn_mem;
1037 GElf_Dyn *dyn = gelf_getdyn (d, cnt, &dyn_mem);
1038- assert (dyn != NULL);
1039+
1040+ if (dyn == NULL)
1041+ break;
0dcd74c7 1042
5f1d07b7
JB
1043 if (dyn->d_tag == DT_RELCOUNT)
1044 {
0969077b 1045@@ -1064,7 +1078,9 @@ section [%2d] '%s': DT_RELCOUNT used for
5f1d07b7
JB
1046 /* Does the number specified number of relative
1047 relocations exceed the total number of
1048 relocations? */
1049- if (dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
1050+ if (shdr->sh_entsize != 0
1051+ && dyn->d_un.d_val > (shdr->sh_size
1052+ / shdr->sh_entsize))
1053 ERROR (gettext ("\
1054 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
1055 idx, section_name (ebl, idx),
0969077b 1056@@ -1224,7 +1240,8 @@ section [%2d] '%s': no relocations for m
5f1d07b7
JB
1057 }
1058 }
1059
1060- if (shdr->sh_entsize != gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT))
1061+ size_t sh_entsize = gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT);
1062+ if (shdr->sh_entsize != sh_entsize)
1063 ERROR (gettext (reltype == ELF_T_RELA ? "\
1064 section [%2d] '%s': section entry size does not match ElfXX_Rela\n" : "\
1065 section [%2d] '%s': section entry size does not match ElfXX_Rel\n"),
0969077b 1066@@ -1447,7 +1464,8 @@ check_rela (Ebl *ebl, GElf_Ehdr *ehdr, G
5f1d07b7
JB
1067 Elf_Data *symdata = elf_getdata (symscn, NULL);
1068 enum load_state state = state_undecided;
1069
1070- for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1071+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
1072+ for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
49fd4b14 1073 {
5f1d07b7
JB
1074 GElf_Rela rela_mem;
1075 GElf_Rela *rela = gelf_getrela (data, cnt, &rela_mem);
0969077b 1076@@ -1497,7 +1515,8 @@ check_rel (Ebl *ebl, GElf_Ehdr *ehdr, GE
5f1d07b7
JB
1077 Elf_Data *symdata = elf_getdata (symscn, NULL);
1078 enum load_state state = state_undecided;
1079
1080- for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1081+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
1082+ for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
49fd4b14 1083 {
5f1d07b7
JB
1084 GElf_Rel rel_mem;
1085 GElf_Rel *rel = gelf_getrel (data, cnt, &rel_mem);
0969077b 1086@@ -1600,7 +1619,8 @@ section [%2d] '%s': referenced as string
5f1d07b7
JB
1087 shdr->sh_link, section_name (ebl, shdr->sh_link),
1088 idx, section_name (ebl, idx));
0dcd74c7 1089
5f1d07b7
JB
1090- if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT))
1091+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
1092+ if (shdr->sh_entsize != sh_entsize)
1093 ERROR (gettext ("\
1094 section [%2d] '%s': section entry size does not match ElfXX_Dyn\n"),
1095 idx, section_name (ebl, idx));
0969077b 1096@@ -1610,7 +1630,7 @@ section [%2d] '%s': section entry size d
5f1d07b7
JB
1097 idx, section_name (ebl, idx));
1098
1099 bool non_null_warned = false;
1100- for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1101+ for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
0dcd74c7 1102 {
5f1d07b7
JB
1103 GElf_Dyn dyn_mem;
1104 GElf_Dyn *dyn = gelf_getdyn (data, cnt, &dyn_mem);
0969077b 1105@@ -1891,6 +1911,8 @@ section [%2d] '%s': entry size does not
5f1d07b7
JB
1106 idx, section_name (ebl, idx));
1107
1108 if (symshdr != NULL
1109+ && shdr->sh_entsize
1110+ && symshdr->sh_entsize
1111 && (shdr->sh_size / shdr->sh_entsize
1112 < symshdr->sh_size / symshdr->sh_entsize))
1113 ERROR (gettext ("\
0969077b 1114@@ -1917,6 +1939,12 @@ section [%2d] '%s': extended section ind
5f1d07b7
JB
1115 }
1116
1117 Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1118+ if (data == NULL)
1119+ {
1120+ ERROR (gettext ("section [%2d] '%s': cannot get section data\n"),
1121+ idx, section_name (ebl, idx));
1122+ return;
1123+ }
1124
1125 if (*((Elf32_Word *) data->d_buf) != 0)
1126 ERROR (gettext ("symbol 0 should have zero extended section index\n"));
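Review bot: The added `data == NULL` check does not cover the dereference on the next line, which reads `*((Elf32_Word *) data->d_buf)` without looking at `data->d_size`; for an SHT_SYMTAB_SHNDX section with zero size elf_getdata presumably returns a non-NULL descriptor whose buffer holds no word (confirm against libelf), so the read goes past the data. Tighten the guard to `if (data == NULL || data->d_size < sizeof (Elf32_Word))` and keep the same ERROR path. The rest of check_symtab_shndx lies outside the hunk.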
0969077b 1127@@ -1959,7 +1987,7 @@ section [%2d] '%s': hash table section i
5f1d07b7
JB
1128
1129 size_t maxidx = nchain;
1130
1131- if (symshdr != NULL)
1132+ if (symshdr != NULL && symshdr->sh_entsize != 0)
acd2260d 1133 {
5f1d07b7
JB
1134 size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
1135
0969077b 1136@@ -1970,18 +1998,28 @@ section [%2d] '%s': hash table section i
5f1d07b7
JB
1137 maxidx = symsize;
1138 }
1139
1140+ Elf32_Word *buf = (Elf32_Word *) data->d_buf;
1141+ Elf32_Word *end = (Elf32_Word *) ((char *) data->d_buf + shdr->sh_size);
1142 size_t cnt;
1143 for (cnt = 2; cnt < 2 + nbucket; ++cnt)
1144- if (((Elf32_Word *) data->d_buf)[cnt] >= maxidx)
1145+ {
1146+ if (buf + cnt >= end)
1147+ break;
1148+ else if (buf[cnt] >= maxidx)
1149 ERROR (gettext ("\
1150 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
1151 idx, section_name (ebl, idx), cnt - 2);
1152+ }
49fd4b14 1153
5f1d07b7
JB
1154 for (; cnt < 2 + nbucket + nchain; ++cnt)
1155- if (((Elf32_Word *) data->d_buf)[cnt] >= maxidx)
1156+ {
1157+ if (buf + cnt >= end)
1158+ break;
1159+ else if (buf[cnt] >= maxidx)
1160 ERROR (gettext ("\
1161 section [%2d] '%s': hash chain reference %zu out of bounds\n"),
1162 idx, section_name (ebl, idx), cnt - 2 - nbucket);
1163+ }
1164 }
49fd4b14 1165
49fd4b14 1166
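Review bot: The bound `end` is computed from `shdr->sh_size` while the buffer being walked is `data->d_buf`, whose actual length is `data->d_size`; if the header claims more bytes than the data holds, the new `buf + cnt >= end` test is too loose (whether an earlier part of this function already compares sh_size with d_size is outside the hunk). In addition, forming `buf + cnt` for a `cnt` well past the buffer is pointer arithmetic outside the object even though the pointer is only compared, which C leaves undefined. Comparing indices avoids both problems: `size_t nwords = data->d_size / sizeof (Elf32_Word);` before the loops and `if (cnt >= nwords) break;` in each of them, dropping `end`. The same applies to the Elf64_Xword hunk that follows.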
0969077b 1167@@ -2011,18 +2049,28 @@ section [%2d] '%s': hash table section i
5f1d07b7
JB
1168 maxidx = symsize;
1169 }
1170
1171+ Elf64_Xword *buf = (Elf64_Xword *) data->d_buf;
1172+ Elf64_Xword *end = (Elf64_Xword *) ((char *) data->d_buf + shdr->sh_size);
1173 size_t cnt;
1174 for (cnt = 2; cnt < 2 + nbucket; ++cnt)
1175- if (((Elf64_Xword *) data->d_buf)[cnt] >= maxidx)
1176+ {
1177+ if (buf + cnt >= end)
1178+ break;
1179+ else if (buf[cnt] >= maxidx)
1180 ERROR (gettext ("\
1181 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
1182 idx, section_name (ebl, idx), cnt - 2);
1183+ }
49fd4b14 1184
5f1d07b7
JB
1185 for (; cnt < 2 + nbucket + nchain; ++cnt)
1186- if (((Elf64_Xword *) data->d_buf)[cnt] >= maxidx)
1187+ {
1188+ if (buf + cnt >= end)
1189+ break;
1190+ else if (buf[cnt] >= maxidx)
1191 ERROR (gettext ("\
1192 section [%2d] '%s': hash chain reference %" PRIu64 " out of bounds\n"),
1193- idx, section_name (ebl, idx), (uint64_t) (cnt - 2 - nbucket));
1194+ idx, section_name (ebl, idx), (uint64_t) cnt - 2 - nbucket);
1195+ }
1196 }
d07e7be6 1197
49fd4b14 1198
0969077b 1199@@ -2047,7 +2095,7 @@ section [%2d] '%s': bitmask size not pow
5f1d07b7 1200 if (shdr->sh_size < (4 + bitmask_words + nbuckets) * sizeof (Elf32_Word))
0dcd74c7 1201 {
5f1d07b7
JB
1202 ERROR (gettext ("\
1203-section [%2d] '%s': hash table section is too small (is %ld, expected at least%ld)\n"),
1204+section [%2d] '%s': hash table section is too small (is %ld, expected at least %ld)\n"),
1205 idx, section_name (ebl, idx), (long int) shdr->sh_size,
1206 (long int) ((4 + bitmask_words + nbuckets) * sizeof (Elf32_Word)));
1207 return;
0969077b 1208@@ -2719,8 +2767,9 @@ section [%2d] '%s' refers in sh_link to
0dcd74c7 1209
5f1d07b7
JB
1210 /* The number of elements in the version symbol table must be the
1211 same as the number of symbols. */
1212- if (shdr->sh_size / shdr->sh_entsize
1213- != symshdr->sh_size / symshdr->sh_entsize)
1214+ if (shdr->sh_entsize && symshdr->sh_entsize
1215+ && (shdr->sh_size / shdr->sh_entsize
1216+ != symshdr->sh_size / symshdr->sh_entsize))
1217 ERROR (gettext ("\
1218 section [%2d] '%s' has different number of entries than symbol table [%2d] '%s'\n"),
1219 idx, section_name (ebl, idx),
0969077b
PS
1220--- elfutils/src/readelf.c
1221+++ elfutils/src/readelf.c
1222@@ -1170,6 +1170,8 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
5f1d07b7 1223 Elf32_Word *grpref = (Elf32_Word *) data->d_buf;
0dcd74c7 1224
5f1d07b7
JB
1225 GElf_Sym sym_mem;
1226+ GElf_Sym *sym = gelf_getsym (symdata, shdr->sh_info, &sym_mem);
d07e7be6 1227+
5f1d07b7
JB
1228 printf ((grpref[0] & GRP_COMDAT)
1229 ? ngettext ("\
1230 \nCOMDAT section group [%2zu] '%s' with signature '%s' contains %zu entry:\n",
0969077b 1231@@ -1182,8 +1184,8 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
5f1d07b7
JB
1232 data->d_size / sizeof (Elf32_Word) - 1),
1233 elf_ndxscn (scn),
1234 elf_strptr (ebl->elf, shstrndx, shdr->sh_name),
1235- elf_strptr (ebl->elf, symshdr->sh_link,
1236- gelf_getsym (symdata, shdr->sh_info, &sym_mem)->st_name)
1237+ (sym == NULL ? NULL
1238+ : elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name))
1239 ?: gettext ("<INVALID SYMBOL>"),
1240 data->d_size / sizeof (Elf32_Word) - 1);
d07e7be6 1241
0969077b 1242@@ -1334,7 +1336,8 @@ static void
5f1d07b7
JB
1243 handle_dynamic (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
1244 {
1245 int class = gelf_getclass (ebl->elf);
1246- GElf_Shdr glink;
1247+ GElf_Shdr glink_mem;
1248+ GElf_Shdr *glink;
1249 Elf_Data *data;
1250 size_t cnt;
1251 size_t shstrndx;
0969077b 1252@@ -1349,6 +1352,11 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn,
5f1d07b7
JB
1253 error (EXIT_FAILURE, 0,
1254 gettext ("cannot get section header string table index"));
0dcd74c7 1255
5f1d07b7
JB
1256+ glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
1257+ if (glink == NULL)
1258+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1259+ elf_ndxscn (scn));
d07e7be6 1260+
5f1d07b7
JB
1261 printf (ngettext ("\
1262 \nDynamic segment contains %lu entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1263 "\
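Review bot: The new error message uses `%Zu`, a glibc-only legacy alias for the C99 `%zu` length modifier that GCC's -Wformat warns about; prefer `gettext ("invalid sh_link value in section %zu")` so the string is portable and translators see the standard spelling. The same spelling is used in the handle_symtab, handle_verneed, handle_verdef, handle_versym, print_hash_info and print_debug_aranges_section hunks of this file.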
0969077b 1264@@ -1358,9 +1366,7 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn,
5f1d07b7
JB
1265 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1266 shdr->sh_offset,
1267 (int) shdr->sh_link,
1268- elf_strptr (ebl->elf, shstrndx,
1269- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1270- &glink)->sh_name));
1271+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1272 fputs_unlocked (gettext (" Type Value\n"), stdout);
1273
1274 for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
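Review bot: The loop on the last context line still divides by `shdr->sh_entsize` with no zero check, so a crafted .dynamic section header with sh_entsize 0 traps with SIGFPE even though this hunk now validates sh_link; the elflint hunks in this same patch guard every such division with `sh_entsize != 0` or use the gelf_fsize value instead. Suggest `size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);` and `for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)`, which also matches what gelf_getdyn will accept. The handle_versym hunk ending at `cnt < shdr->sh_size / shdr->sh_entsize` has the same unguarded division.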
0969077b 1275@@ -1943,6 +1949,13 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
5f1d07b7
JB
1276 error (EXIT_FAILURE, 0,
1277 gettext ("cannot get section header string table index"));
1278
1279+ GElf_Shdr glink_mem;
1280+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1281+ &glink_mem);
1282+ if (glink == NULL)
1283+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1284+ elf_ndxscn (scn));
d07e7be6 1285+
5f1d07b7
JB
1286 /* Now we can compute the number of entries in the section. */
1287 unsigned int nsyms = data->d_size / (class == ELFCLASS32
1288 ? sizeof (Elf32_Sym)
0969077b 1289@@ -1953,15 +1966,12 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
5f1d07b7
JB
1290 nsyms),
1291 (unsigned int) elf_ndxscn (scn),
1292 elf_strptr (ebl->elf, shstrndx, shdr->sh_name), nsyms);
1293- GElf_Shdr glink;
1294 printf (ngettext (" %lu local symbol String table: [%2u] '%s'\n",
1295 " %lu local symbols String table: [%2u] '%s'\n",
1296 shdr->sh_info),
1297 (unsigned long int) shdr->sh_info,
1298 (unsigned int) shdr->sh_link,
1299- elf_strptr (ebl->elf, shstrndx,
1300- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1301- &glink)->sh_name));
1302+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
a8ca41f5 1303
5f1d07b7
JB
1304 fputs_unlocked (class == ELFCLASS32
1305 ? gettext ("\
0969077b 1306@@ -2197,7 +2207,13 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn,
5f1d07b7
JB
1307 error (EXIT_FAILURE, 0,
1308 gettext ("cannot get section header string table index"));
0dcd74c7 1309
5f1d07b7
JB
1310- GElf_Shdr glink;
1311+ GElf_Shdr glink_mem;
1312+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1313+ &glink_mem);
1314+ if (glink == NULL)
1315+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1316+ elf_ndxscn (scn));
1317+
1318 printf (ngettext ("\
1319 \nVersion needs section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1320 "\
0969077b 1321@@ -2208,9 +2224,7 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn,
5f1d07b7
JB
1322 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1323 shdr->sh_offset,
1324 (unsigned int) shdr->sh_link,
1325- elf_strptr (ebl->elf, shstrndx,
1326- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1327- &glink)->sh_name));
1328+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
d07e7be6 1329
5f1d07b7
JB
1330 unsigned int offset = 0;
1331 for (int cnt = shdr->sh_info; --cnt >= 0; )
0969077b 1332@@ -2263,8 +2277,14 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
5f1d07b7
JB
1333 error (EXIT_FAILURE, 0,
1334 gettext ("cannot get section header string table index"));
1335
1336+ GElf_Shdr glink_mem;
1337+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1338+ &glink_mem);
1339+ if (glink == NULL)
1340+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1341+ elf_ndxscn (scn));
d07e7be6 1342+
5f1d07b7
JB
1343 int class = gelf_getclass (ebl->elf);
1344- GElf_Shdr glink;
1345 printf (ngettext ("\
1346 \nVersion definition section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1347 "\
0969077b 1348@@ -2276,9 +2296,7 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
5f1d07b7
JB
1349 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1350 shdr->sh_offset,
1351 (unsigned int) shdr->sh_link,
1352- elf_strptr (ebl->elf, shstrndx,
1353- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1354- &glink)->sh_name));
1355+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1356
1357 unsigned int offset = 0;
1358 for (int cnt = shdr->sh_info; --cnt >= 0; )
0969077b 1359@@ -2540,8 +2558,14 @@ handle_versym (Ebl *ebl, Elf_Scn *scn, G
5f1d07b7
JB
1360 filename = NULL;
1361 }
1362
1363+ GElf_Shdr glink_mem;
1364+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1365+ &glink_mem);
1366+ if (glink == NULL)
1367+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1368+ elf_ndxscn (scn));
d07e7be6 1369+
5f1d07b7
JB
1370 /* Print the header. */
1371- GElf_Shdr glink;
1372 printf (ngettext ("\
1373 \nVersion symbols section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'",
1374 "\
0969077b 1375@@ -2553,9 +2577,7 @@ handle_versym (Ebl *ebl, Elf_Scn *scn, G
5f1d07b7
JB
1376 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1377 shdr->sh_offset,
1378 (unsigned int) shdr->sh_link,
1379- elf_strptr (ebl->elf, shstrndx,
1380- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1381- &glink)->sh_name));
1382+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
0dcd74c7 1383
5f1d07b7
JB
1384 /* Now we can finally look at the actual contents of this section. */
1385 for (unsigned int cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
0969077b 1386@@ -2607,7 +2629,17 @@ print_hash_info (Ebl *ebl, Elf_Scn *scn,
5f1d07b7
JB
1387 for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt)
1388 ++counts[lengths[cnt]];
0dcd74c7 1389
5f1d07b7
JB
1390- GElf_Shdr glink;
1391+ GElf_Shdr glink_mem;
1392+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf,
1393+ shdr->sh_link),
1394+ &glink_mem);
1395+ if (glink == NULL)
1396+ {
1397+ error (0, 0, gettext ("invalid sh_link value in section %Zu"),
1398+ elf_ndxscn (scn));
1399+ return;
1400+ }
1401+
1402 printf (ngettext ("\
1403 \nHistogram for bucket list length in section [%2u] '%s' (total of %d bucket):\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1404 "\
0969077b 1405@@ -2620,9 +2652,7 @@ print_hash_info (Ebl *ebl, Elf_Scn *scn,
5f1d07b7
JB
1406 shdr->sh_addr,
1407 shdr->sh_offset,
1408 (unsigned int) shdr->sh_link,
1409- elf_strptr (ebl->elf, shstrndx,
1410- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1411- &glink)->sh_name));
1412+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
d07e7be6 1413
5f1d07b7
JB
1414 if (extrastr != NULL)
1415 fputs (extrastr, stdout);
0969077b 1416@@ -4263,6 +4293,16 @@ print_debug_aranges_section (Dwfl_Module
5f1d07b7
JB
1417 return;
1418 }
1419
1420+ GElf_Shdr glink_mem;
1421+ GElf_Shdr *glink;
1422+ glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
1423+ if (glink == NULL)
1424+ {
1425+ error (0, 0, gettext ("invalid sh_link value in section %Zu"),
1426+ elf_ndxscn (scn));
1427+ return;
1428+ }
1429+
1430 printf (ngettext ("\
0969077b 1431 \nDWARF section [%2zu] '%s' at offset %#" PRIx64 " contains %zu entry:\n",
5f1d07b7 1432 "\
0969077b
PS
1433--- elfutils/src/strip.c
1434+++ elfutils/src/strip.c
1435@@ -545,6 +545,11 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1436 goto fail_close;
1437 }
0dcd74c7 1438
5f1d07b7
JB
1439+ if (shstrndx >= shnum)
1440+ goto illformed;
1441+
1442+#define elf_assert(test) do { if (!(test)) goto illformed; } while (0)
1443+
1444 /* Storage for section information. We leave room for two more
1445 entries since we unconditionally create a section header string
1446 table. Maybe some weird tool created an ELF file without one.
0969077b 1447@@ -566,7 +571,7 @@ handle_elf (int fd, Elf *elf, const char
a8ca41f5 1448 {
5f1d07b7
JB
1449 /* This should always be true (i.e., there should not be any
1450 holes in the numbering). */
1451- assert (elf_ndxscn (scn) == cnt);
1452+ elf_assert (elf_ndxscn (scn) == cnt);
0dcd74c7 1453
5f1d07b7 1454 shdr_info[cnt].scn = scn;
0dcd74c7 1455
0969077b 1456@@ -579,6 +584,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1457 shdr_info[cnt].shdr.sh_name);
1458 if (shdr_info[cnt].name == NULL)
a8ca41f5 1459 {
5f1d07b7
JB
1460+ illformed:
1461 error (0, 0, gettext ("illformed file '%s'"), fname);
1462 goto fail_close;
1463 }
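Review bot: The `illformed:` label is placed inside the `if (shdr_info[cnt].name == NULL)` block of the section loop, and every later `elf_assert` in handle_elf jumps backwards into that block from other loops; that is valid C provided no variably modified type's scope is crossed (not verifiable from the hunk), but it is fragile and hard to read. Consider moving the label next to the `fail_close:` cleanup and having this block use it: `illformed:` / `error (0, 0, gettext ("illformed file '%s'"), fname);` / `goto fail_close;`. The `#define elf_assert(test)` introduced in the earlier `@@ -545,6 +545,11 @@` hunk is also never undefined at the end of the function. handle_elf continues outside the hunk.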
0969077b 1464@@ -588,6 +594,8 @@ handle_elf (int fd, Elf *elf, const char
0dcd74c7 1465
5f1d07b7
JB
1466 /* Remember the shdr.sh_link value. */
1467 shdr_info[cnt].old_sh_link = shdr_info[cnt].shdr.sh_link;
1468+ if (shdr_info[cnt].old_sh_link >= shnum)
1469+ goto illformed;
d07e7be6 1470
5f1d07b7
JB
1471 /* Sections in files other than relocatable object files which
1472 are not loaded can be freely moved by us. In relocatable
0969077b 1473@@ -600,7 +608,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1474 appropriate reference. */
1475 if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB_SHNDX))
1476 {
1477- assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
1478+ elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
1479 shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx = cnt;
d07e7be6 1480 }
5f1d07b7 1481 else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GROUP))
0969077b 1482@@ -617,7 +625,12 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1483 for (inner = 1;
1484 inner < shdr_info[cnt].data->d_size / sizeof (Elf32_Word);
1485 ++inner)
1486+ {
1487+ if (grpref[inner] < shnum)
1488 shdr_info[grpref[inner]].group_idx = cnt;
1489+ else
1490+ goto illformed;
1491+ }
0dcd74c7 1492
5f1d07b7
JB
1493 if (inner == 1 || (inner == 2 && (grpref[0] & GRP_COMDAT) == 0))
1494 /* If the section group contains only one element and this
0969077b 1495@@ -628,7 +641,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1496 }
1497 else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GNU_versym))
d07e7be6 1498 {
5f1d07b7
JB
1499- assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
1500+ elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
1501 shdr_info[shdr_info[cnt].shdr.sh_link].version_idx = cnt;
1502 }
0dcd74c7 1503
0969077b 1504@@ -636,7 +649,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1505 discarded right away. */
1506 if ((shdr_info[cnt].shdr.sh_flags & SHF_GROUP) != 0)
d07e7be6 1507 {
5f1d07b7
JB
1508- assert (shdr_info[cnt].group_idx != 0);
1509+ elf_assert (shdr_info[cnt].group_idx != 0);
d07e7be6 1510
5f1d07b7
JB
1511 if (shdr_info[shdr_info[cnt].group_idx].idx == 0)
1512 {
0969077b 1513@@ -711,11 +724,15 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1514 {
1515 /* If a relocation section is marked as being removed make
1516 sure the section it is relocating is removed, too. */
1517- if ((shdr_info[cnt].shdr.sh_type == SHT_REL
1518+ if (shdr_info[cnt].shdr.sh_type == SHT_REL
1519 || shdr_info[cnt].shdr.sh_type == SHT_RELA)
1520- && shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
1521+ {
1522+ if (shdr_info[cnt].shdr.sh_info >= shnum)
1523+ goto illformed;
1524+ else if (shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
1525 shdr_info[cnt].idx = 1;
1526 }
1527+ }
d07e7be6 1528
5f1d07b7
JB
1529 if (shdr_info[cnt].idx == 1)
1530 {
0969077b 1531@@ -742,7 +759,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1532 if (shdr_info[cnt].symtab_idx != 0
1533 && shdr_info[shdr_info[cnt].symtab_idx].data == NULL)
1534 {
1535- assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
1536+ elf_assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
1537
1538 shdr_info[shdr_info[cnt].symtab_idx].data
1539 = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
0969077b 1540@@ -782,6 +799,9 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1541 else if (scnidx == SHN_XINDEX)
1542 scnidx = xndx;
1543
1544+ if (scnidx >= shnum)
1545+ goto illformed;
1546+
1547 if (shdr_info[scnidx].idx == 0)
1548 /* This symbol table has a real symbol in
1549 a discarded section. So preserve the
0969077b 1550@@ -812,12 +832,16 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1551 }
1552
1553 /* Handle references through sh_info. */
1554- if (SH_INFO_LINK_P (&shdr_info[cnt].shdr)
1555- && shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
1556+ if (SH_INFO_LINK_P (&shdr_info[cnt].shdr))
1557+ {
1558+ if (shdr_info[cnt].shdr.sh_info >= shnum)
1559+ goto illformed;
1560+ else if ( shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
1561 {
1562 shdr_info[shdr_info[cnt].shdr.sh_info].idx = 1;
1563 changes |= shdr_info[cnt].shdr.sh_info < cnt;
1564 }
1565+ }
1566
1567 /* Mark the section as investigated. */
1568 shdr_info[cnt].idx = 2;
0969077b 1569@@ -956,7 +980,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1570 error (EXIT_FAILURE, 0, gettext ("while generating output file: %s"),
1571 elf_errmsg (-1));
1572
1573- assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1574+ elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1575
1576 /* Add this name to the section header string table. */
1577 shdr_info[cnt].se = ebl_strtabadd (shst, shdr_info[cnt].name, 0);
0969077b 1578@@ -993,7 +1017,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1579 error (EXIT_FAILURE, 0,
1580 gettext ("while create section header section: %s"),
1581 elf_errmsg (-1));
1582- assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1583+ elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1584
1585 shdr_info[cnt].data = elf_newdata (shdr_info[cnt].newscn);
1586 if (shdr_info[cnt].data == NULL)
0969077b 1587@@ -1049,7 +1073,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1588 error (EXIT_FAILURE, 0,
1589 gettext ("while create section header section: %s"),
1590 elf_errmsg (-1));
1591- assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
1592+ elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
1593
1594 /* Finalize the string table and fill in the correct indices in the
1595 section headers. */
0969077b 1596@@ -1139,20 +1163,20 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1597 shndxdata = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
1598 NULL);
d07e7be6 1599
5f1d07b7
JB
1600- assert ((versiondata->d_size / sizeof (Elf32_Word))
1601+ elf_assert ((versiondata->d_size / sizeof (Elf32_Word))
1602 >= shdr_info[cnt].data->d_size / elsize);
1603 }
d07e7be6 1604
5f1d07b7
JB
1605 if (shdr_info[cnt].version_idx != 0)
1606 {
1607- assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
1608+ elf_assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
1609 /* This section has associated version
1610 information. We have to modify that
1611 information, too. */
1612 versiondata = elf_getdata (shdr_info[shdr_info[cnt].version_idx].scn,
1613 NULL);
d07e7be6 1614
5f1d07b7
JB
1615- assert ((versiondata->d_size / sizeof (GElf_Versym))
1616+ elf_assert ((versiondata->d_size / sizeof (GElf_Versym))
1617 >= shdr_info[cnt].data->d_size / elsize);
1618 }
0dcd74c7 1619
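Review bot: The check at 1601–1602 dereferences versiondata, but the buffer just fetched at 1597 was stored in shndxdata, and the Elf32_Word element size it divides by matches an SHT_SYMTAB_SHNDX section rather than a versym section; this looks like the wrong variable, and versiondata's value at this point is not visible in the hunk (the version branch only starts at 1605). The line should read `elf_assert (shndxdata != NULL && (shndxdata->d_size / sizeof (Elf32_Word)) >= shdr_info[cnt].data->d_size / elsize);`, with the NULL test because elf_getdata can return NULL for a corrupt section. The assert at 1615 likewise dereferences versiondata straight after the elf_getdata at 1612 without a NULL check. The enclosing block begins before this hunk.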
0969077b 1620@@ -1207,7 +1231,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1621 sec = shdr_info[sym->st_shndx].idx;
1622 else
1623 {
1624- assert (shndxdata != NULL);
1625+ elf_assert (shndxdata != NULL);
d07e7be6 1626
5f1d07b7
JB
1627 sec = shdr_info[xshndx].idx;
1628 }
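Review bot: At 1627 xshndx, which (presumably) was read from the SHT_SYMTAB_SHNDX data of the input file, is used to index shdr_info with no visible bound check, so a crafted extended index at or beyond shnum reads past the array; the condition that selects between 1621 and 1627 is outside the hunk, so st_shndx may already be bounded there, but xshndx is not. Add `elf_assert (xshndx < shnum);` before `sec = shdr_info[xshndx].idx;`, mirroring the `sh_info >= shnum` check this patch adds elsewhere in handle_elf. The symbol loop continues outside the hunk.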
0969077b 1629@@ -1228,7 +1252,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1630 nxshndx = sec;
1631 }
d07e7be6 1632
5f1d07b7
JB
1633- assert (sec < SHN_LORESERVE || shndxdata != NULL);
1634+ elf_assert (sec < SHN_LORESERVE || shndxdata != NULL);
d07e7be6 1635
5f1d07b7
JB
1636 if ((inner != destidx || nshndx != sym->st_shndx
1637 || (shndxdata != NULL && nxshndx != xshndx))
0969077b 1638@@ -1252,7 +1276,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1639 || shdr_info[cnt].debug_data == NULL)
1640 /* This is a section symbol for a section which has
1641 been removed. */
1642- assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION);
1643+ elf_assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION);
1644 }
d07e7be6 1645
5f1d07b7 1646 if (destidx != inner)
0969077b 1647@@ -1439,11 +1463,11 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1648 {
1649 GElf_Sym sym_mem;
1650 GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
1651- assert (sym != NULL);
1652+ elf_assert (sym != NULL);
0dcd74c7 1653
5f1d07b7
JB
1654 const char *name = elf_strptr (elf, strshndx,
1655 sym->st_name);
1656- assert (name != NULL);
1657+ elf_assert (name != NULL);
1658 size_t hidx = elf_hash (name) % nbucket;
0dcd74c7 1659
5f1d07b7 1660 if (bucket[hidx] == 0)
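Review bot: The `% nbucket` at 1658 divides by a value that, if it is taken from the input's SHT_HASH section as the surrounding code suggests, can be zero in a crafted file and would raise SIGFPE rather than an "illformed" diagnostic; where nbucket is read is outside this hunk, so the check may exist there, but nothing in view establishes it. An `elf_assert (nbucket != 0);` next to the read of nbucket, before the bucket/chain rebuild loop, would cover this path. The new elf_assert on name at 1657 is the right replacement, since elf_strptr returns NULL for an out-of-range st_name. The loop body continues past the hunk.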
0969077b 1661@@ -1462,7 +1486,7 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1662 else
1663 {
1664 /* Alpha and S390 64-bit use 64-bit SHT_HASH entries. */
1665- assert (shdr_info[cnt].shdr.sh_entsize
1666+ elf_assert (shdr_info[cnt].shdr.sh_entsize
1667 == sizeof (Elf64_Xword));
0dcd74c7 1668
5f1d07b7 1669 Elf64_Xword *bucket = (Elf64_Xword *) hashd->d_buf;
0969077b 1670@@ -1493,11 +1517,11 @@ handle_elf (int fd, Elf *elf, const char
5f1d07b7
JB
1671 {
1672 GElf_Sym sym_mem;
1673 GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
1674- assert (sym != NULL);
1675+ elf_assert (sym != NULL);
0dcd74c7 1676
5f1d07b7
JB
1677 const char *name = elf_strptr (elf, strshndx,
1678 sym->st_name);
1679- assert (name != NULL);
1680+ elf_assert (name != NULL);
1681 size_t hidx = elf_hash (name) % nbucket;
1682
1683 if (bucket[hidx] == 0)
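Review bot: The 64-bit hash rebuild at 1681 has the same `% nbucket` as the 32-bit loop, so a zero bucket count read from the input (its origin is not in the hunk) would still be a division by zero on this path even if the 32-bit path is guarded. Since both loops differ only in the bucket element type, a single `elf_assert (nbucket != 0);` at the point where nbucket is read from the hash data covers both. The loop continues beyond the hunk.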