From: Mark Wielaard
Date: Wed, 22 Apr 2015 09:44:32 +0000 (+0200)
Subject: readelf: Check all offsets used in print_gdb_index_section against d_size.
X-Git-Tag: elfutils-0.162~85
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f333a1c240d4236d6215c00dd5d88d79893cc350;p=thirdparty%2Felfutils.git
readelf: Check all offsets used in print_gdb_index_section against d_size.
https://bugzilla.redhat.com/show_bug.cgi?id=1170810#c29
Signed-off-by: Mark Wielaard
---
diff --git a/src/ChangeLog b/src/ChangeLog
index e92f11588..40a0e6f97 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2015-03-22 Mark Wielaard
+
+ * readelf.c (print_gdb_index_section): Check all offsets used
+ against section d_size.
+
 2015-03-17 Mark Wielaard
 * readelf.c (print_debug): Don't return, but always use dummy_dbg.
diff --git a/src/readelf.c b/src/readelf.c
index 7f84edafc..26c7eedb5 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -8015,11 +8015,12 @@ print_gdb_index_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr,
 < const_off))
 goto invalid_data;
- const unsigned char *const_start = data->d_buf + const_off;
-
 readp = data->d_buf + cu_off;
 const unsigned char *nextp = data->d_buf + tu_off;
+ if (tu_off >= data->d_size)
+ goto invalid_data;
+
 size_t cu_nr = (nextp - readp) / 16;
 printf (gettext ("\n CU list at offset %#" PRIx32
@@ -8042,6 +8043,9 @@ print_gdb_index_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr,
 readp = data->d_buf + tu_off;
 nextp = data->d_buf + addr_off;
+ if (addr_off >= data->d_size)
+ goto invalid_data;
+
 size_t tu_nr = (nextp - readp) / 24;
 printf (gettext ("\n TU list at offset %#" PRIx32
@@ -8068,6 +8072,9 @@ print_gdb_index_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr,
 readp = data->d_buf + addr_off;
 nextp = data->d_buf + sym_off;
+ if (sym_off >= data->d_size)
+ goto invalid_data;
+
 size_t addr_nr = (nextp - readp) / 20;
 printf (gettext ("\n Address list at offset %#" PRIx32
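Review bot: The new `tu_off >= data->d_size` check is placed after `const unsigned char *nextp = data->d_buf + tu_off;`, so an out-of-range offset from the file still forms a pointer beyond the end of the section buffer before the `goto`; pointer arithmetic past one-past-the-end is undefined even when the result is never dereferenced, and the optimizer may reason from it. Swap the two so the bound check comes first: `if (tu_off >= data->d_size) goto invalid_data;` followed by `const unsigned char *nextp = data->d_buf + tu_off;`. The same ordering applies to the `addr_off` check in the second hunk and the `sym_off` check in the third, where `nextp` is likewise assigned before the test. Since `nextp` is used only as a list end in `cu_nr = (nextp - readp) / 16`, `>` rather than `>=` would still bound every read while not rejecting an offset equal to `d_size`, if the format allows a list to end at the section end. The enclosing function begins outside the hunk.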
@@ -8095,6 +8102,10 @@ print_gdb_index_section (Dwfl_Module *dwflmod, Ebl *ebl, GElf_Ehdr *ehdr,
 n++;
 }
+ const unsigned char *const_start = data->d_buf + const_off;
+ if (const_off >= data->d_size)
+ goto invalid_data;
+
 readp = data->d_buf + sym_off;
 nextp = const_start;
 size_t sym_nr = (nextp - readp) / 8;
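Review bot: `const_start` is computed from `const_off` one line before `const_off` is compared against `data->d_size`, so an invalid offset produces an out-of-range pointer before it is rejected; put the check first: `if (const_off >= data->d_size) goto invalid_data;` then `const unsigned char *const_start = data->d_buf + const_off;`. This check validates only where the constant pool starts; if, as the name suggests, `const_start` is later indexed by offsets read from the symbol entries, each of those offsets still needs its own comparison against `data->d_size - const_off` before the dereference, unless that is already done further down. A short comment above the check, `/* const_off was only ordered against the other offsets above; bound it against the section size before forming const_start. */`, would record why the check sits here rather than with the earlier ordering test. The enclosing function continues past the hunk.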