Work around integer overflows when readelf is checking for corrupt ELF notes when run on a 32-bit host.

PR 22384 * readelf.c (print_gnu_property_note): Improve overflow checks so that they will work on a 32-bit host.
2025-06-28 07:08:01 +08:00 · 2017-11-02 17:01:08 +00:00
parent f26ae15b47
commit 6ab2c4ed51
2 changed files with 23 additions and 16 deletions
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@ -1,3 +1,9 @@
 2017-11-02  Mingi Cho  <mgcho.minic@gmail.com>
 	PR 22384
 	* readelf.c (print_gnu_property_note): Improve overflow checks so
 	that they will work on a 32-bit host.
 2017-11-01  James Bowman  <james.bowman@ftdichip.com>
 	* readelf.c (is_16bit_abs_reloc): Add entry for FT32.
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@ -16519,15 +16519,24 @@ print_gnu_property_note (Elf_Internal_Note * pnote)
      return;
    }
-  while (1)
+  while (ptr < ptr_end)
    {
      unsigned int j;
-      unsigned int type = byte_get (ptr, 4);
+      unsigned int type;
-      unsigned int datasz = byte_get (ptr + 4, 4);
+      unsigned int datasz;
      if ((size_t) (ptr_end - ptr) < 8)
 	{
 	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
 	  break;
 	}
      type = byte_get (ptr, 4);
      datasz = byte_get (ptr + 4, 4);
      ptr += 8;
-      if ((ptr + datasz) > ptr_end)
+      if (datasz > (size_t) (ptr_end - ptr))
 	{
 	  printf (_("<corrupt type (%#x) datasz: %#x>\n"),
 		  type, datasz);
@ -16608,19 +16617,11 @@ next:
      ptr += ((datasz + (size - 1)) & ~ (size - 1));
      if (ptr == ptr_end)
 	break;
      else
 	{
 	  if (do_wide)
 	    printf (", ");
 	  else
 	    printf ("\n\t");
 	}
-      if (ptr > (ptr_end - 8))
+      if (do_wide)
-	{
+	printf (", ");
-	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
+      else
-	  break;
+	printf ("\n\t");
 	}
    }
  printf ("\n");