From: Roland McGrath Date: Sun, 9 Aug 2009 21:27:33 +0000 (-0700) Subject: Overflow-proof some more checks. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=108f0d519b746907392456764d5e46f80fdd21f6;p=thirdparty%2Felfutils.git Overflow-proof some more checks.
---
diff --git a/libelf/elf32_getphdr.c b/libelf/elf32_getphdr.c
index 2a83dd540..95eae578e 100644
--- a/libelf/elf32_getphdr.c
+++ b/libelf/elf32_getphdr.c
@@ -1,5 +1,5 @@
 /* Get ELF program header table.
- Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2005, 2006 Red Hat, Inc.
+ Copyright (C) 1998-2009 Red Hat, Inc.
 This file is part of Red Hat elfutils. Written by Ulrich Drepper , 1998.
@@ -108,7 +108,7 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
 /* First see whether the information in the ELF header is valid and it does not ask for too much. */
 if (unlikely (ehdr->e_phoff >= elf->maximum_size)
- || unlikely (ehdr->e_phoff + size > elf->maximum_size))
+ || unlikely (elf->maximum_size - ehdr->e_phoff < size))
 {
 /* Something is wrong. */
 __libelf_seterrno (ELF_E_INVALID_PHDR);
diff --git a/libelf/elf32_getshdr.c b/libelf/elf32_getshdr.c
index ac1458d51..0a1e58cbf 100644
--- a/libelf/elf32_getshdr.c
+++ b/libelf/elf32_getshdr.c
@@ -102,7 +102,7 @@ load_shdr_wrlock (Elf_Scn *scn)
 /* First see whether the information in the ELF header is valid and it does not ask for too much. */
 if (unlikely (ehdr->e_shoff >= elf->maximum_size)
- || unlikely (ehdr->e_shoff + size > elf->maximum_size))
+ || unlikely (elf->maximum_size - ehdr->e_shoff < size))
 {
 /* Something is wrong. */
 __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
diff --git a/libelf/elf_begin.c b/libelf/elf_begin.c
index 61bc0e050..4c1b1b8e8 100644
--- a/libelf/elf_begin.c
+++ b/libelf/elf_begin.c
@@ -1,5 +1,5 @@
 /* Create descriptor for processing file.
- Copyright (C) 1998-2005, 2006, 2007, 2008 Red Hat, Inc.
+ Copyright (C) 1998-2009 Red Hat, Inc.
 This file is part of Red Hat elfutils. Written by Ulrich Drepper , 1998.
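Review bot: In the @@ -108 hunk of elf32_getphdr.c, the rewritten test `elf->maximum_size - ehdr->e_phoff < size` is only safe because the `ehdr->e_phoff >= elf->maximum_size` test on the previous line short-circuits first; without it the subtraction (both operands look unsigned) would wrap and let an out-of-range offset through. Nothing in the hunk records that dependency, so I would extend the existing comment with `/* Keep the offset test first: it guarantees the subtraction below cannot wrap.  */`. The same pairing appears in the elf32_getshdr.c hunk and in the three elf_begin.c hunks. `size` is computed outside this hunk; if it is a count multiplied by an entry size, that product presumably needs its own overflow check.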
@@ -166,7 +166,7 @@ get_shnum (void *map_address, unsigned char *e_ident, int fildes, off_t offset,
 if (unlikely (result == 0) && ehdr.e32->e_shoff != 0)
 {
 if (unlikely (ehdr.e32->e_shoff >= maxsize)
- || unlikely (ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize))
+ || unlikely (maxsize - ehdr.e32->e_shoff < sizeof (Elf32_Shdr)))
 /* Cannot read the first section header. */
 return 0;
@@ -331,8 +331,8 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
 elf->state.elf32.ehdr = ehdr;
 if (unlikely (ehdr->e_shoff >= maxsize)
- || unlikely (ehdr->e_shoff
- + scncnt * sizeof (Elf32_Shdr) > maxsize))
+ || unlikely (maxsize - ehdr->e_shoff
+ < scncnt * sizeof (Elf32_Shdr)))
 {
 free_and_out:
 free (elf);
@@ -347,9 +347,8 @@ file_read_elf (int fildes, void *map_address, unsigned char *e_ident,
 /* Assign a value only if there really is a program header. Otherwise the value remains NULL. */
 if (unlikely (ehdr->e_phoff >= maxsize)
- || unlikely (ehdr->e_phoff
- + ehdr->e_phnum
- * sizeof (Elf32_Phdr) > maxsize))
+ || unlikely (maxsize - ehdr->e_phoff
+ < ehdr->e_phnum * sizeof (Elf32_Phdr)))
 goto free_and_out;
 elf->state.elf32.phdr = (Elf32_Phdr *) ((char *) ehdr + ehdr->e_phoff);
diff --git a/libelf/elf_getshdrstrndx.c b/libelf/elf_getshdrstrndx.c
index d0394eb9d..f81f30b96 100644
--- a/libelf/elf_getshdrstrndx.c
+++ b/libelf/elf_getshdrstrndx.c
@@ -131,8 +131,8 @@ elf_getshdrstrndx (elf, dst)
 {
 /* First see whether the information in the ELF header is valid and it does not ask for too much. */
- if (unlikely (offset + sizeof (Elf32_Shdr)
- > elf->maximum_size))
+ if (unlikely (elf->maximum_size - offset
+ < sizeof (Elf32_Shdr)))
 {
 /* Something is wrong. */
 __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
@@ -140,7 +140,7 @@ elf_getshdrstrndx (elf, dst)
 goto out;
 }
- /* We can directly access the memory. */
+ /* We can directly access the memory. */
 num = ((Elf32_Shdr *) (elf->map_address + elf->start_offset + offset))->sh_link;
 }
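Review bot: The right-hand side `scncnt * sizeof (Elf32_Shdr)` in the @@ -331 hunk of elf_begin.c is still an unchecked multiplication, so the comparison can be satisfied by a wrapped product. scncnt's type and origin are outside the hunk; if it is a size_t derived from the file's section count, then on a host with a 32-bit size_t a large count wraps to a small value and a section header table extending past maxsize is accepted. Dividing instead keeps every intermediate in range: `|| unlikely ((maxsize - ehdr->e_shoff) / sizeof (Elf32_Shdr) < scncnt))`. The `ehdr->e_phnum * sizeof (Elf32_Phdr)` product in the @@ -347 hunk looks safe provided e_phnum is the 16-bit ELF header field. file_read_elf's body starts and ends outside these hunks.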
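Review bot: In the @@ -131 hunk of elf_getshdrstrndx.c the new test `elf->maximum_size - offset < sizeof (Elf32_Shdr)` has no `offset >= elf->maximum_size` guard in front of it, unlike every other site this commit touches. If offset can exceed maximum_size, the subtraction wraps to a large value, the test passes, and the `sh_link` read shown in the following hunk goes beyond the mapped file; the old `offset + sizeof (...) > elf->maximum_size` form rejected that case whenever the sum itself did not overflow. Unless offset is bounded earlier in elf_getshdrstrndx (its body starts outside the hunk), the condition should be `if (unlikely (offset >= elf->maximum_size) || unlikely (elf->maximum_size - offset < sizeof (Elf32_Shdr)))`. The Elf64_Shdr branch at @@ -184 needs the same guard.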
@@ -184,8 +184,8 @@ elf_getshdrstrndx (elf, dst)
 {
 /* First see whether the information in the ELF header is valid and it does not ask for too much. */
- if (unlikely (offset + sizeof (Elf64_Shdr)
- > elf->maximum_size))
+ if (unlikely (elf->maximum_size - offset
+ < sizeof (Elf64_Shdr)))
 {
 /* Something is wrong. */
 __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
@@ -193,9 +193,9 @@ elf_getshdrstrndx (elf, dst)
 goto out;
 }
- /* We can directly access the memory. */
- num = ((Elf64_Shdr *) (elf->map_address
- + elf->start_offset + offset))->sh_link;
+ /* We can directly access the memory. */
+ num = ((Elf64_Shdr *) (elf->map_address + elf->start_offset
+ + offset))->sh_link;
 }
 else
 {