elflint: Add sanity checks to check_attributes.

This is similar to commit 9644aa for readelf print_attributes.
Bail out when the vendor name isn't terminated and add overflow check
for subsection_len.

Note that readelf does handle non-gnu attributes, while elflint doesn't.

Signed-off-by: Mark Wielaard <mjw@redhat.com>

diff --git a/src/ChangeLog b/src/ChangeLog
index 93f4aba..089fe93 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -4,6 +4,8 @@
        shift too big.
        (check_verdef): Use Elf64_Word for shdr->sh_info cnt.
        (check_verneed): Likewise.
+       (check_attributes): Break when vendor name isn't terminated.
+       Add overflow check for subsection_len.
 
 2015-05-05  Mark Wielaard  <mjw@redhat.com>
 

diff --git a/src/elflint.c b/src/elflint.c
index 4e53646..df476a1 100644 (file)
--- a/src/elflint.c
+++ b/src/elflint.c
@@ -3423,7 +3423,7 @@ section [%2d] '%s': offset %zu: invalid length in attribute section\n"),
          ERROR (gettext ("\
 section [%2d] '%s': offset %zu: unterminated vendor name string\n"),
                 idx, section_name (ebl, idx), pos (p));
-         continue;
+         break;
        }
       ++q;
 
@@ -3466,7 +3466,9 @@ section [%2d] '%s': offset %zu: zero length field in attribute subsection\n"),
            if (MY_ELFDATA != ehdr->e_ident[EI_DATA])
              CONVERT (subsection_len);
 
-           if (p - chunk < (ptrdiff_t) subsection_len)
+           /* Don't overflow, ptrdiff_t might be 32bits, but signed.  */
+           if (p - chunk < (ptrdiff_t) subsection_len
+               || subsection_len >= (uint32_t) PTRDIFF_MAX)
              {
                ERROR (gettext ("\
 section [%2d] '%s': offset %zu: invalid length in attribute subsection\n"),