Prevent infinite iteration on link_map list clobbered into circularity.

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 5205bdc9a5a34c75efef099c75d29537985829d3..54ac53faca669635b614292727bfbe3571a60168 100644 (file)
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,8 @@
+2010-04-14  Roland McGrath  <roland@redhat.com>
+
+       * link_map.c (report_r_debug): Limit iterations on the l_next chain to
+       an upper bound on sane possible number of elements.
+
 2010-03-11  Roland McGrath  <roland@redhat.com>
 
        * link_map.c (auxv_format_probe): Fix scanning loop, so we really scan

diff --git a/libdwfl/link_map.c b/libdwfl/link_map.c
index 5991a1128683147a2a02557eb5226eb07c1c01b7..fe7f40cee3fa66ff9c4040223439cc273d790eeb 100644 (file)
--- a/libdwfl/link_map.c
+++ b/libdwfl/link_map.c
@@ -329,7 +329,13 @@ report_r_debug (uint_fast8_t elfclass, uint_fast8_t elfdata,
 
   Dwfl_Module **lastmodp = &dwfl->modulelist;
   int result = 0;
-  while (next != 0)
+
+  /* There can't be more elements in the link_map list than there are
+     segments.  DWFL->lookup_elts is probably twice that number, so it
+     is certainly above the upper bound.  If we iterate too many times,
+     there must be a loop in the pointers due to link_map clobberation.  */
+  size_t iterations = 0;
+  while (next != 0 && ++iterations < dwfl->lookup_elts)
     {
       if (read_addrs (next, 4))
        return release_buffer (-1);
@@ -798,7 +804,7 @@ dwfl_link_map_report (Dwfl *dwfl, const void *auxv, size_t auxv_size,
                           ? elf32_xlatetom : elf64_xlatetom)
                          (&out, &in, elfdata) != NULL))
                {
-                 /* We are looking for PT_DYNAMIC.  */
+                 /* We are looking for DT_DEBUG.  */
                  const union
                  {
                    Elf32_Dyn d32[dyn_filesz / sizeof (Elf32_Dyn)];