Correct readelf dynamic section buffer overlow test

	PR binutils/18672
	* readelf.c (get_32bit_dynamic_section): Correct buffer limit test.
	(get_64bit_dynamic_section): Likewise.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 5ae64e5922be1d158e9d7d002292c50fb6e8d370..3565e9494474c7ce61921d794ad12f649a4f6464 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2015-07-16  Alan Modra  <amodra@gmail.com>
+
+       PR binutils/18672
+       * readelf.c (get_32bit_dynamic_section): Correct buffer limit test.
+       (get_64bit_dynamic_section): Likewise.
+
 2015-03-25  Nick Clifton  <nickc@redhat.com>
 
        * coffgrok.c: Remove redundant prototypes.

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 2f8257a061055ec16fa203ab518543633dcd280f..59d3381e7e73697877e2e07471ae1a20d7b3a329 100644 (file)
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -8365,7 +8365,7 @@ get_32bit_dynamic_section (FILE * file)
      might not have the luxury of section headers.  Look for the DT_NULL
      terminator to determine the number of entries.  */
   for (ext = edyn, dynamic_nent = 0;
-       (char *) ext < (char *) edyn + dynamic_size - sizeof (* entry);
+       (char *) (ext + 1) <= (char *) edyn + dynamic_size;
        ext++)
     {
       dynamic_nent++;
@@ -8413,8 +8413,8 @@ get_64bit_dynamic_section (FILE * file)
      might not have the luxury of section headers.  Look for the DT_NULL
      terminator to determine the number of entries.  */
   for (ext = edyn, dynamic_nent = 0;
-       /* PR 17533 file: 033-67080-0.004 - do not read off the end of the buffer.  */
-       (char *) ext < ((char *) edyn) + dynamic_size - sizeof (* ext);
+       /* PR 17533 file: 033-67080-0.004 - do not read past end of buffer.  */
+       (char *) (ext + 1) <= (char *) edyn + dynamic_size;
        ext++)
     {
       dynamic_nent++;