Work around integer overflows when readelf is checking for corrupt ELF notes when...

	PR 22384
	* readelf.c (print_gnu_property_note): Improve overflow checks so
	that they will work on a 32-bit host.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 231fc84..19f9261 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-02  Mingi Cho  <mgcho.minic@gmail.com>
+
+       PR 22384
+       * readelf.c (print_gnu_property_note): Improve overflow checks so
+       that they will work on a 32-bit host.
+
 2017-11-01  James Bowman  <james.bowman@ftdichip.com>
 
        * readelf.c (is_16bit_abs_reloc): Add entry for FT32.

diff --git a/binutils/readelf.c b/binutils/readelf.c
index 9af5d42..cfd37eb 100644 (file)
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -16519,15 +16519,24 @@ print_gnu_property_note (Elf_Internal_Note * pnote)
       return;
     }
 
-  while (1)
+  while (ptr < ptr_end)
     {
       unsigned int j;
-      unsigned int type = byte_get (ptr, 4);
-      unsigned int datasz = byte_get (ptr + 4, 4);
+      unsigned int type;
+      unsigned int datasz;
+
+      if ((size_t) (ptr_end - ptr) < 8)
+       {
+         printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
+         break;
+       }
+
+      type = byte_get (ptr, 4);
+      datasz = byte_get (ptr + 4, 4);
 
       ptr += 8;
 
-      if ((ptr + datasz) > ptr_end)
+      if (datasz > (size_t) (ptr_end - ptr))
        {
          printf (_("<corrupt type (%#x) datasz: %#x>\n"),
                  type, datasz);
@@ -16608,19 +16617,11 @@ next:
       ptr += ((datasz + (size - 1)) & ~ (size - 1));
       if (ptr == ptr_end)
        break;
-      else
-       {
-         if (do_wide)
-           printf (", ");
-         else
-           printf ("\n\t");
-       }
 
-      if (ptr > (ptr_end - 8))
-       {
-         printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
-         break;
-       }
+      if (do_wide)
+       printf (", ");
+      else
+       printf ("\n\t");
     }
 
   printf ("\n");