From: Mark Wielaard Date: Fri, 24 Mar 2017 11:15:02 +0000 (+0100) Subject: readelf: Fix off by one sanity check in handle_gnu_hash. X-Git-Tag: elfutils-0.169~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d84fdd78705d7a1b9947a9f4ca77fbccdd76d4a;p=thirdparty%2Felfutils.git readelf: Fix off by one sanity check in handle_gnu_hash. We sanity check to make sure we don't index outside the chain array by testing inner > max_nsyms. But inner is a zero-based index, while max_nsyms is the maximum number. Change the check to inner >= max_nsyms. https://sourceware.org/bugzilla/show_bug.cgi?id=21299 Signed-off-by: Mark Wielaard --- diff --git a/src/ChangeLog b/src/ChangeLog index 0601198c5..9dd76c00a 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2017-03-24 Mark Wielaard + + * readelf.c (handle_gnu_hash): Check inner < max_nsyms before + indexing into chain array. + 2017-02-16 Ulf Hermann * addr2line.c: Include printversion.h diff --git a/src/readelf.c b/src/readelf.c index 8d96ba3f0..490b6d592 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -3263,7 +3263,7 @@ handle_gnu_hash (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr, size_t shstrndx) ++nsyms; if (maxlength < ++lengths[cnt]) ++maxlength; - if (inner > max_nsyms) + if (inner >= max_nsyms) goto invalid_data; } while ((chain[inner++] & 1) == 0);
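Review bot: In the src/readelf.c hunk, the corrected test `if (inner >= max_nsyms)` still sits at the end of the do body, after `++nsyms` and the `++lengths[cnt]` / `maxlength` updates, so when `inner` reaches `max_nsyms` the statistics are bumped once for an entry that does not exist before `goto invalid_data` is taken. If the invalid_data path (not visible in this hunk) discards those counters, that is harmless, but moving the check to the top of the loop body would make it clear that nothing is recorded for an out-of-range index. The check exists to guard the `chain[inner++]` read in the `while` condition, which is easy to miss, so a one-line comment saying that `inner` is a zero-based index into `chain` and `max_nsyms` is the element count would help prevent the off-by-one from returning. The patch touches only src/ChangeLog and src/readelf.c; a regression input for the case from bug 21299 would be a useful addition.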
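Review bot: In the src/ChangeLog hunk, the new entry for readelf.c (handle_gnu_hash) does not mention the bug that the commit message links (sourceware bugzilla 21299), so the ChangeLog alone gives no trail from this change to the report. Consider adding the bug reference to the entry. The entry also states the condition in its positive form ("Check inner < max_nsyms before indexing into chain array") while the code tests `inner >= max_nsyms` and jumps to invalid_data; the two are consistent, but saying that the old check was `inner > max_nsyms` would make it clear this is an off-by-one fix and not a newly added check.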