From 4bb122a87608a1e0f7c27341fe1b3cd05c1462be Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Tue, 16 Dec 2014 19:43:21 +0100
Subject: [PATCH] libelf: Check index_size doesn't overflow in elf_getarsym.
Signed-off-by: Mark Wielaard
---
 libelf/ChangeLog | 4 ++++
 libelf/elf_getarsym.c | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 7406509..fe210ab 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,5 +1,9 @@
 2014-12-15 Mark Wielaard
+ * elf_getarsym.c (elf_getarsym): Check index_size doesn't overflow.
+
+2014-12-15 Mark Wielaard
+
 * elf_begin.c (read_long_names): Clear any garbage left in the name table.
diff --git a/libelf/elf_getarsym.c b/libelf/elf_getarsym.c
index ba88aa0..40633aa 100644
--- a/libelf/elf_getarsym.c
+++ b/libelf/elf_getarsym.c
@@ -182,7 +182,8 @@ elf_getarsym (elf, ptr)
 tmpbuf[10] = '\0';
 size_t index_size = atol (tmpbuf);
- if (SARMAG + sizeof (struct ar_hdr) + index_size > elf->maximum_size
+ if (index_size > elf->maximum_size
+ || elf->maximum_size - index_size < SARMAG + sizeof (struct ar_hdr)
 #if SIZE_MAX <= 4294967295U
 || n >= SIZE_MAX / sizeof (Elf_Arsym)
 #endif
--
2.7.4
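Review bot: `size_t index_size = atol (tmpbuf);`, the context line directly above the rewritten condition, still converts the archive-supplied size field with no error detection, so the new overflow-safe comparison only bounds whatever `atol` happened to return. A non-numeric field yields 0, which passes both new comparisons, and a 10-digit value above `LONG_MAX` (possible where `long` is 32 bits, presumably the same hosts the `SIZE_MAX <= 4294967295U` branch targets) is outside what `atol` is defined to handle; a negative result would be rejected by the new `index_size > elf->maximum_size` test once it wraps in `size_t`. I would parse with `errno = 0; unsigned long v = strtoul (tmpbuf, &endp, 10);` and take the same failure path as the bound check when `endp == tmpbuf || errno == ERANGE`. The body of `elf_getarsym` starts and ends outside this hunk, so whether a zero `index_size` is handled later cannot be seen here.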