This is similar to commit 9644aa for readelf print_attributes. Bail out when the vendor name isn't terminated and add overflow check for subsection_len.
Note that readelf does handle non-gnu attributes, while elflint doesn't. Signed-off-by: Mark Wielaard <[email protected]> --- src/ChangeLog | 2 ++ src/elflint.c | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index 93f4aba..089fe93 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -4,6 +4,8 @@ shift too big. (check_verdef): Use Elf64_Word for shdr->sh_info cnt. (check_verneed): Likewise. + (check_attributes): Break when vendor name isn't terminated. + Add overflow check for subsection_len. 2015-05-05 Mark Wielaard <[email protected]> diff --git a/src/elflint.c b/src/elflint.c index 4e53646..df476a1 100644 --- a/src/elflint.c +++ b/src/elflint.c @@ -3423,7 +3423,7 @@ section [%2d] '%s': offset %zu: invalid length in attribute section\n"), ERROR (gettext ("\ section [%2d] '%s': offset %zu: unterminated vendor name string\n"), idx, section_name (ebl, idx), pos (p)); - continue; + break; } ++q; @@ -3466,7 +3466,9 @@ section [%2d] '%s': offset %zu: zero length field in attribute subsection\n"), if (MY_ELFDATA != ehdr->e_ident[EI_DATA]) CONVERT (subsection_len); - if (p - chunk < (ptrdiff_t) subsection_len) + /* Don't overflow, ptrdiff_t might be 32bits, but signed. */ + if (p - chunk < (ptrdiff_t) subsection_len + || subsection_len >= (uint32_t) PTRDIFF_MAX) { ERROR (gettext ("\ section [%2d] '%s': offset %zu: invalid length in attribute subsection\n"), -- 2.1.0
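Review bot: the `continue` to `break` change in the first elflint.c hunk carries no comment, so a reader of the loop cannot tell whether the remaining vendor sections after an unterminated vendor name are skipped deliberately or whether the loop simply could not recover. The commit message explains the rationale (bail out the way readelf print_attributes does after commit 9644aa); a one-line comment above the `break;`, e.g. `/* Malformed attribute section, don't trust the rest of the data.  */`, would keep that rationale next to the code, and the ChangeLog entry "Break when vendor name isn't terminated" could say why as well.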
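Review bot: in the second elflint.c hunk the new overflow guard is placed after the comparison it is meant to protect, so `(ptrdiff_t) subsection_len` is still evaluated for every value of `subsection_len` before `subsection_len >= (uint32_t) PTRDIFF_MAX` is consulted. On a host with a 32-bit ptrdiff_t, converting a value above 0x7fffffff to ptrdiff_t is implementation-defined (C99 6.3.1.3, which allows an implementation-defined signal), and the first comparison then runs against a negative number; the result is only correct because the second disjunct catches it afterwards. Swapping the two tests makes the cast unreachable for out-of-range values: `if (subsection_len >= (uint32_t) PTRDIFF_MAX || p - chunk < (ptrdiff_t) subsection_len)`. Also worth a comment: on LP64 hosts `(uint32_t) PTRDIFF_MAX` truncates to 0xffffffff, so the second test only rejects `subsection_len == UINT32_MAX` there; that is harmless since the 64-bit `p - chunk` comparison is already exact, but the truncation is not obvious from the code.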
