libsframe: fix checks in flip_fde

Adjust the sanity checks for flip_fde workflow and optional trailing
section padding to account for the case of ihp->sfh_fdeoff != 0 or
ihp->sfh_freoff != total FDEs size.

Reviewed-by: Jens Remus <jremus@linux.ibm.com>
libsframe/
        * sframe.c (flip_sframe): Fix checks in flip_fde to accommodate
	cases when sfh_fdeoff != 0 or when SFrame FREs are placed after
	a gap from SFrame FDEs.

diff --git a/libsframe/sframe.c b/libsframe/sframe.c
index d8ea1d67b940c183a3bcd0ff2fb31fad5a16e495..ba95b4ad471cfad30001dacb5bd5752fb8e63e26 100644 (file)
--- a/libsframe/sframe.c
+++ b/libsframe/sframe.c
@@ -603,7 +603,8 @@ flip_sframe (char *frame_buf, size_t buf_size, uint32_t to_foreign)
   size_t hdrsz = 0;
   int err = 0;
   /* For error checking.  */
-  size_t bytes_flipped = 0;
+  size_t fde_bytes_flipped = 0;
+  size_t fre_bytes_flipped = 0;
 
   /* Header must be in host endianness at this time.  */
   ihp = (sframe_header *)frame_buf;
@@ -635,7 +636,7 @@ flip_sframe (char *frame_buf, size_t buf_size, uint32_t to_foreign)
       if (flip_fde (fdes, buf_end - fdes, ver, &fsz))
        goto bad;
 
-      bytes_flipped += fsz;
+      fde_bytes_flipped += fsz;
 
       if (!to_foreign && sframe_decode_fde (fdes, fdes - buf_end, ver,
                                            &num_fres, &fre_type, &fre_offset,
@@ -647,7 +648,7 @@ flip_sframe (char *frame_buf, size_t buf_size, uint32_t to_foreign)
        {
          if (flip_fre (fp, fre_type, &esz))
            goto bad;
-         bytes_flipped += esz;
+         fre_bytes_flipped += esz;
 
          if (esz == 0 || esz > buf_size)
            goto bad;
@@ -655,11 +656,18 @@ flip_sframe (char *frame_buf, size_t buf_size, uint32_t to_foreign)
        }
       prev_frep_index = j;
     }
-  /* All FDEs and FREs must have been endian flipped by now.  */
-  if ((j != ihp->sfh_num_fres) || (bytes_flipped > (buf_size - hdrsz)))
+
+  /* All FDEs must have been endian flipped by now.  */
+  if (i != num_fdes || fde_bytes_flipped > ihp->sfh_freoff - ihp->sfh_fdeoff)
+    goto bad;
+
+  /* All FREs must have been endian flipped by now.  */
+  if (j != ihp->sfh_num_fres || fre_bytes_flipped > ihp->sfh_fre_len)
     goto bad;
+
   /* Optional trailing section padding.  */
-  for (fp = frame_buf + hdrsz + bytes_flipped; fp < frame_buf + buf_size; fp++)
+  size_t frame_size = hdrsz + ihp->sfh_freoff + fre_bytes_flipped;
+  for (fp = frame_buf + frame_size; fp < frame_buf + buf_size; fp++)
     if (*fp != '\0')
       goto bad;