Overflow-proof some more checks.

diff --git a/libelf/elf32_getphdr.c b/libelf/elf32_getphdr.c
index 2a83dd5402f4d1c75e55667531cd4f435f9d971d..95eae578ec688eb9d725daefca27fbfe6202bd22 100644 (file)
--- a/libelf/elf32_getphdr.c
+++ b/libelf/elf32_getphdr.c
@@ -1,5 +1,5 @@
 /* Get ELF program header table.
-   Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2005, 2006 Red Hat, Inc.
+   Copyright (C) 1998-2009 Red Hat, Inc.
    This file is part of Red Hat elfutils.
    Written by Ulrich Drepper <drepper@redhat.com>, 1998.
 
@@ -108,7 +108,7 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
          /* First see whether the information in the ELF header is
             valid and it does not ask for too much.  */
          if (unlikely (ehdr->e_phoff >= elf->maximum_size)
-             || unlikely (ehdr->e_phoff + size > elf->maximum_size))
+             || unlikely (elf->maximum_size - ehdr->e_phoff < size))
            {
              /* Something is wrong.  */
              __libelf_seterrno (ELF_E_INVALID_PHDR);

diff --git a/libelf/elf32_getshdr.c b/libelf/elf32_getshdr.c
index ac1458d518751e230cbae31cd5cd6b69e25a468a..0a1e58cbf0d46212f6afc41996ccfebd7cd479df 100644 (file)
--- a/libelf/elf32_getshdr.c
+++ b/libelf/elf32_getshdr.c
@@ -102,7 +102,7 @@ load_shdr_wrlock (Elf_Scn *scn)
       /* First see whether the information in the ELF header is
         valid and it does not ask for too much.  */
       if (unlikely (ehdr->e_shoff >= elf->maximum_size)
-         || unlikely (ehdr->e_shoff + size > elf->maximum_size))
+         || unlikely (elf->maximum_size - ehdr->e_shoff < size))
        {
          /* Something is wrong.  */
          __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);

diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index 61bc0e05095f2d011f1e4f0df0fafa121458d4f8..4c1b1b8e87eb1f38fab95c75060142df918d494e 100644 (file)
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -1,5 +1,5 @@
 /* Create descriptor for processing file.
-   Copyright (C) 1998-2005, 2006, 2007, 2008 Red Hat, Inc.
+   Copyright (C) 1998-2009 Red Hat, Inc.
    This file is part of Red Hat elfutils.
    Written by Ulrich Drepper <drepper@redhat.com>, 1998.
 
@@ -166,7 +166,7 @@ get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
       if (unlikely (result == 0) && ehdr.e32->e_shoff != 0)
        {
          if (unlikely (ehdr.e32->e_shoff >= maxsize)
-             || unlikely (ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize))
+             || unlikely (maxsize - ehdr.e32->e_shoff < sizeof (Elf32_Shdr)))
            /* Cannot read the first section header.  */
            return 0;
 
@@ -331,8 +331,8 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
          elf->state.elf32.ehdr = ehdr;
 
          if (unlikely (ehdr->e_shoff >= maxsize)
-             || unlikely (ehdr->e_shoff
-                          + scncnt * sizeof (Elf32_Shdr) > maxsize))
+             || unlikely (maxsize - ehdr->e_shoff
+                          < scncnt * sizeof (Elf32_Shdr)))
            {
            free_and_out:
              free (elf);
@@ -347,9 +347,8 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
            /* Assign a value only if there really is a program
               header.  Otherwise the value remains NULL.  */
              if (unlikely (ehdr->e_phoff >= maxsize)
-                 || unlikely (ehdr->e_phoff
-                              + ehdr->e_phnum
-                              * sizeof (Elf32_Phdr) > maxsize))
+                 || unlikely (maxsize - ehdr->e_phoff
+                              < ehdr->e_phnum * sizeof (Elf32_Phdr)))
                goto free_and_out;
            elf->state.elf32.phdr
              = (Elf32_Phdr *) ((char *) ehdr + ehdr->e_phoff);

diff --git a/libelf/elf_getshdrstrndx.c b/libelf/elf_getshdrstrndx.c
index d0394eb9dbd0b57f1dd1b1bb7453a1f3a201b0c1..f81f30b96bfcfbe32c7717431711fa256c348d64 100644 (file)
--- a/libelf/elf_getshdrstrndx.c
+++ b/libelf/elf_getshdrstrndx.c
@@ -131,8 +131,8 @@ elf_getshdrstrndx (elf, dst)
                {
                  /* First see whether the information in the ELF header is
                     valid and it does not ask for too much.  */
-                 if (unlikely (offset + sizeof (Elf32_Shdr)
-                               > elf->maximum_size))
+                 if (unlikely (elf->maximum_size - offset
+                               < sizeof (Elf32_Shdr)))
                    {
                      /* Something is wrong.  */
                      __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
@@ -140,7 +140,7 @@ elf_getshdrstrndx (elf, dst)
                      goto out;
                    }
 
-               /* We can directly access the memory.  */
+                 /* We can directly access the memory.  */
                  num = ((Elf32_Shdr *) (elf->map_address + elf->start_offset
                                         + offset))->sh_link;
                }
@@ -184,8 +184,8 @@ elf_getshdrstrndx (elf, dst)
                {
                  /* First see whether the information in the ELF header is
                     valid and it does not ask for too much.  */
-                 if (unlikely (offset + sizeof (Elf64_Shdr)
-                               > elf->maximum_size))
+                 if (unlikely (elf->maximum_size - offset
+                               < sizeof (Elf64_Shdr)))
                    {
                      /* Something is wrong.  */
                      __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
@@ -193,9 +193,9 @@ elf_getshdrstrndx (elf, dst)
                      goto out;
                    }
 
-               /* We can directly access the memory.  */
-                 num = ((Elf64_Shdr *) (elf->map_address
-                        + elf->start_offset + offset))->sh_link;
+                 /* We can directly access the memory.  */
+                 num = ((Elf64_Shdr *) (elf->map_address + elf->start_offset
+                                        + offset))->sh_link;
                }
              else
                {