readelf: Check length for nexthdr overflow in print_debug_aranges_section.

author Mark Wielaard <mjw@redhat.com>

Sun, 23 Nov 2014 17:26:16 +0000 (18:26 +0100)

committer Mark Wielaard <mjw@redhat.com>

Wed, 26 Nov 2014 19:24:05 +0000 (20:24 +0100)
author Mark Wielaard <mjw@redhat.com>
Sun, 23 Nov 2014 17:26:16 +0000 (18:26 +0100)
committer Mark Wielaard <mjw@redhat.com>
Wed, 26 Nov 2014 19:24:05 +0000 (20:24 +0100)
diff --git a/src/ChangeLog b/src/ChangeLog

index aa16b67cf62a76537e3ed558f969239191391118..19509dc6d8a3c9f17f1f286c784a62f678af3cef 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2014-11-23  Mark Wielaard  <mjw@redhat.com>
+
+       * readelf.c (print_debug_aranges_section): Check length to catch
+       nexthdr overflow.
+
  2014-11-21  Mark Wielaard  <mjw@redhat.com>
  
         * readelf.c (print_attributes): Guard against empty section.
diff --git a/src/readelf.c b/src/readelf.c

index 529af5a4ac27f8251f82a9af9e7057f456203c11..c3ebe7431e1906619c28e2c1102daca1a5e3b46f 100644 (file)
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -4693,7 +4693,7 @@ print_debug_aranges_section (Dwfl_Module *dwflmod __attribute__ ((unused)),
        printf (gettext ("\n Length:        %6" PRIu64 "\n"),
               (uint64_t) length);
  
-      if (nexthdr > readendp)
+      if (unlikely (length > readendp - readp))
         goto invalid_data;
  
        if (length == 0)
author	Mark Wielaard <mjw@redhat.com>
	Sun, 23 Nov 2014 17:26:16 +0000 (18:26 +0100)
committer	Mark Wielaard <mjw@redhat.com>
	Wed, 26 Nov 2014 19:24:05 +0000 (20:24 +0100)
src/ChangeLog		patch \| blob \| blame \| history
src/readelf.c		patch \| blob \| blame \| history