Diffstat (limited to 'meta/recipes-devtools/elfutils/elfutils-0.155/redhat-robustify.diff')
-rw-r--r--meta/recipes-devtools/elfutils/elfutils-0.155/redhat-robustify.diff1824
1 files changed, 1824 insertions, 0 deletions
diff --git a/meta/recipes-devtools/elfutils/elfutils-0.155/redhat-robustify.diff b/meta/recipes-devtools/elfutils/elfutils-0.155/redhat-robustify.diff
new file mode 100644
index 0000000..8636998
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/elfutils-0.155/redhat-robustify.diff
@@ -0,0 +1,1824 @@
1Upstream-Status: Backport
2
3Index: elfutils-0.155/libelf/ChangeLog
4===================================================================
5--- elfutils-0.155.orig/libdwfl/ChangeLog
6+++ elfutils-0.155/libdwfl/ChangeLog
7@@ -52,6 +52,11 @@
8 * dwfl_module_getdwarf.c (open_elf): Clear errno before CBFAIL.
9 Reported by Kurt Roeckx <kurt@roeckx.be>.
10
11+2011-03-23 Petr Machata <pmachata@redhat.com>
12+
13+ * relocate.c (relocate_section): Use gelf_fsize instead of relying
14+ on shdr->sh_entsize.
15+
16 2011-02-11 Roland McGrath <roland@redhat.com>
17
18 * linux-kernel-modules.c (try_kernel_name): Try .gz, .bz2, .xz
19--- elfutils/libdwfl/relocate.c
20+++ elfutils/libdwfl/relocate.c
21@@ -1,5 +1,5 @@
22 /* Relocate debug information.
23- Copyright (C) 2005-2010 Red Hat, Inc.
24+ Copyright (C) 2005-2011 Red Hat, Inc.
25 This file is part of elfutils.
26
27 This file is free software; you can redistribute it and/or modify
28@@ -457,7 +457,10 @@ relocate_section (Dwfl_Module *mod, Elf
29 }
30 }
31
32- size_t nrels = shdr->sh_size / shdr->sh_entsize;
33+ size_t sh_entsize
34+ = gelf_fsize (relocated, shdr->sh_type == SHT_REL ? ELF_T_REL : ELF_T_RELA,
35+ 1, EV_CURRENT);
36+ size_t nrels = shdr->sh_size / sh_entsize;
37 size_t complete = 0;
38 if (shdr->sh_type == SHT_REL)
39 for (size_t relidx = 0; !result && relidx < nrels; ++relidx)
40@@ -559,7 +562,7 @@ relocate_section (Dwfl_Module *mod, Elf
41 nrels = next;
42 }
43
44- shdr->sh_size = reldata->d_size = nrels * shdr->sh_entsize;
45+ shdr->sh_size = reldata->d_size = nrels * sh_entsize;
46 gelf_update_shdr (scn, shdr);
47 }
48
49Index: elfutils-0.155/libelf/ChangeLog
50===================================================================
51--- elfutils-0.155.orig/libelf/ChangeLog 2010-07-03 13:07:10.000000000 +0000
52+++ elfutils-0.155/libelf/ChangeLog 2010-07-03 13:07:11.000000000 +0000
53@@ -703,10 +703,53 @@
54 If section content hasn't been read yet, do it before looking for the
55 block size. If no section data present, infer size of section header.
56
57+2005-05-14 Jakub Jelinek <jakub@redhat.com>
58+
59+ * libelfP.h (INVALID_NDX): Define.
60+ * gelf_getdyn.c (gelf_getdyn): Use it. Remove ndx < 0 test if any.
61+ * gelf_getlib.c (gelf_getlib): Likewise.
62+ * gelf_getmove.c (gelf_getmove): Likewise.
63+ * gelf_getrel.c (gelf_getrel): Likewise.
64+ * gelf_getrela.c (gelf_getrela): Likewise.
65+ * gelf_getsym.c (gelf_getsym): Likewise.
66+ * gelf_getsyminfo.c (gelf_getsyminfo): Likewise.
67+ * gelf_getsymshndx.c (gelf_getsymshndx): Likewise.
68+ * gelf_getversym.c (gelf_getversym): Likewise.
69+ * gelf_update_dyn.c (gelf_update_dyn): Likewise.
70+ * gelf_update_lib.c (gelf_update_lib): Likewise.
71+ * gelf_update_move.c (gelf_update_move): Likewise.
72+ * gelf_update_rel.c (gelf_update_rel): Likewise.
73+ * gelf_update_rela.c (gelf_update_rela): Likewise.
74+ * gelf_update_sym.c (gelf_update_sym): Likewise.
75+ * gelf_update_syminfo.c (gelf_update_syminfo): Likewise.
76+ * gelf_update_symshndx.c (gelf_update_symshndx): Likewise.
77+ * gelf_update_versym.c (gelf_update_versym): Likewise.
78+ * elf_newscn.c (elf_newscn): Check for overflow.
79+ * elf32_updatefile.c (__elfw2(LIBELFBITS,updatemmap)): Likewise.
80+ (__elfw2(LIBELFBITS,updatefile)): Likewise.
81+ * elf_begin.c (file_read_elf): Likewise.
82+ * elf32_newphdr.c (elfw2(LIBELFBITS,newphdr)): Likewise.
83+ * elf_getarsym.c (elf_getarsym): Likewise.
84+ * elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)): Likewise.
85 2005-05-11 Ulrich Drepper <drepper@redhat.com>
86
87 * elf.h: Update again.
88
89+2005-05-17 Jakub Jelinek <jakub@redhat.com>
90+
91+ * elf32_getphdr.c (elfw2(LIBELFBITS,getphdr)): Check if program header
92+ table fits into object's bounds.
93+ * elf_getshstrndx.c (elf_getshstrndx): Add elf->start_offset to
94+ elf->map_address. Check if first section header fits into object's
95+ bounds.
96+ * elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)):
97+ Check if section header table fits into object's bounds.
98+ * elf_begin.c (get_shnum): Ensure section headers fits into
99+ object's bounds.
100+ (file_read_elf): Make sure scncnt is small enough to allocate both
101+ ElfXX_Shdr and Elf_Scn array. Make sure section and program header
102+ tables fit into object's bounds. Avoid memory leak on failure.
103+
104 2005-05-09 Ulrich Drepper <drepper@redhat.com>
105
106 * elf.h: Update from glibc.
107Index: elfutils-0.155/libelf/elf32_getphdr.c
108===================================================================
109--- elfutils-0.155.orig/libelf/elf32_getphdr.c 2010-04-21 14:26:40.000000000 +0000
110+++ elfutils-0.155/libelf/elf32_getphdr.c 2010-07-03 13:07:11.000000000 +0000
111@@ -93,6 +93,16 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)
112
113 if (elf->map_address != NULL)
114 {
115+ /* First see whether the information in the ELF header is
116+ valid and it does not ask for too much. */
117+ if (unlikely (ehdr->e_phoff >= elf->maximum_size)
118+ || unlikely (elf->maximum_size - ehdr->e_phoff < size))
119+ {
120+ /* Something is wrong. */
121+ __libelf_seterrno (ELF_E_INVALID_PHDR);
122+ goto out;
123+ }
124+
125 /* All the data is already mapped. Use it. */
126 void *file_phdr = ((char *) elf->map_address
127 + elf->start_offset + ehdr->e_phoff);
128Index: elfutils-0.155/libelf/elf32_getshdr.c
129===================================================================
130--- elfutils-0.155.orig/libelf/elf32_getshdr.c 2009-06-13 22:41:42.000000000 +0000
131+++ elfutils-0.155/libelf/elf32_getshdr.c 2010-07-03 13:07:11.000000000 +0000
132@@ -60,7 +60,8 @@ load_shdr_wrlock (Elf_Scn *scn)
133 goto out;
134
135 size_t shnum;
136- if (__elf_getshdrnum_rdlock (elf, &shnum) != 0)
137+ if (__elf_getshdrnum_rdlock (elf, &shnum) != 0
138+ || shnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Shdr)))
139 goto out;
140 size_t size = shnum * sizeof (ElfW2(LIBELFBITS,Shdr));
141
142@@ -77,6 +78,16 @@ load_shdr_wrlock (Elf_Scn *scn)
143
144 if (elf->map_address != NULL)
145 {
146+ /* First see whether the information in the ELF header is
147+ valid and it does not ask for too much. */
148+ if (unlikely (ehdr->e_shoff >= elf->maximum_size)
149+ || unlikely (elf->maximum_size - ehdr->e_shoff < size))
150+ {
151+ /* Something is wrong. */
152+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
153+ goto free_and_out;
154+ }
155+
156 ElfW2(LIBELFBITS,Shdr) *notcvt;
157
158 /* All the data is already mapped. If we could use it
159Index: elfutils-0.155/libelf/elf32_newphdr.c
160===================================================================
161--- elfutils-0.155.orig/libelf/elf32_newphdr.c 2010-01-12 16:57:54.000000000 +0000
162+++ elfutils-0.155/libelf/elf32_newphdr.c 2010-07-03 13:07:11.000000000 +0000
163@@ -114,6 +114,12 @@ elfw2(LIBELFBITS,newphdr) (elf, count)
164 || count == PN_XNUM
165 || elf->state.ELFW(elf,LIBELFBITS).phdr == NULL)
166 {
167+ if (unlikely (count > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))))
168+ {
169+ result = NULL;
170+ goto out;
171+ }
172+
173 /* Allocate a new program header with the appropriate number of
174 elements. */
175 result = (ElfW2(LIBELFBITS,Phdr) *)
176Index: elfutils-0.155/libelf/elf32_updatefile.c
177===================================================================
178--- elfutils-0.155.orig/libelf/elf32_updatefile.c 2010-01-12 16:57:54.000000000 +0000
179+++ elfutils-0.155/libelf/elf32_updatefile.c 2010-07-03 13:07:11.000000000 +0000
180@@ -202,6 +202,9 @@ __elfw2(LIBELFBITS,updatemmap) (Elf *elf
181 /* Write all the sections. Well, only those which are modified. */
182 if (shnum > 0)
183 {
184+ if (unlikely (shnum > SIZE_MAX / sizeof (Elf_Scn *)))
185+ return 1;
186+
187 Elf_ScnList *list = &elf->state.ELFW(elf,LIBELFBITS).scns;
188 Elf_Scn **scns = (Elf_Scn **) alloca (shnum * sizeof (Elf_Scn *));
189 char *const shdr_start = ((char *) elf->map_address + elf->start_offset
190@@ -624,6 +627,10 @@ __elfw2(LIBELFBITS,updatefile) (Elf *elf
191 /* Write all the sections. Well, only those which are modified. */
192 if (shnum > 0)
193 {
194+ if (unlikely (shnum > SIZE_MAX / (sizeof (Elf_Scn *)
195+ + sizeof (ElfW2(LIBELFBITS,Shdr)))))
196+ return 1;
197+
198 off_t shdr_offset = elf->start_offset + ehdr->e_shoff;
199 #if EV_NUM != 2
200 xfct_t shdr_fctp = __elf_xfctstom[__libelf_version - 1][EV_CURRENT - 1][ELFW(ELFCLASS, LIBELFBITS) - 1][ELF_T_SHDR];
201Index: elfutils-0.155/libelf/elf_begin.c
202===================================================================
203--- elfutils-0.155.orig/libelf/elf_begin.c 2010-04-21 14:26:40.000000000 +0000
204+++ elfutils-0.155/libelf/elf_begin.c 2010-07-03 13:07:11.000000000 +0000
205@@ -144,7 +144,8 @@ get_shnum (void *map_address, unsigned c
206
207 if (unlikely (result == 0) && ehdr.e32->e_shoff != 0)
208 {
209- if (ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize)
210+ if (unlikely (ehdr.e32->e_shoff >= maxsize)
211+ || unlikely (maxsize - ehdr.e32->e_shoff < sizeof (Elf32_Shdr)))
212 /* Cannot read the first section header. */
213 return 0;
214
215@@ -192,7 +193,8 @@ get_shnum (void *map_address, unsigned c
216
217 if (unlikely (result == 0) && ehdr.e64->e_shoff != 0)
218 {
219- if (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize)
220+ if (unlikely (ehdr.e64->e_shoff >= maxsize)
221+ || unlikely (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize))
222 /* Cannot read the first section header. */
223 return 0;
224
225@@ -264,6 +266,15 @@ file_read_elf (int fildes, void *map_add
226 /* Could not determine the number of sections. */
227 return NULL;
228
229+ /* Check for too many sections. */
230+ if (e_ident[EI_CLASS] == ELFCLASS32)
231+ {
232+ if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf32_Shdr)))
233+ return NULL;
234+ }
235+ else if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr)))
236+ return NULL;
237+
238 /* We can now allocate the memory. Even if there are no section headers,
239 we allocate space for a zeroth section in case we need it later. */
240 const size_t scnmax = (scncnt ?: (cmd == ELF_C_RDWR || cmd == ELF_C_RDWR_MMAP)
241@@ -303,6 +314,16 @@ file_read_elf (int fildes, void *map_add
242 {
243 /* We can use the mmapped memory. */
244 elf->state.elf32.ehdr = ehdr;
245+
246+ if (unlikely (ehdr->e_shoff >= maxsize)
247+ || unlikely (maxsize - ehdr->e_shoff
248+ < scncnt * sizeof (Elf32_Shdr)))
249+ {
250+ free_and_out:
251+ free (elf);
252+ __libelf_seterrno (ELF_E_INVALID_FILE);
253+ return NULL;
254+ }
255 elf->state.elf32.shdr
256 = (Elf32_Shdr *) ((char *) ehdr + ehdr->e_shoff);
257
258@@ -389,6 +410,11 @@ file_read_elf (int fildes, void *map_add
259 {
260 /* We can use the mmapped memory. */
261 elf->state.elf64.ehdr = ehdr;
262+
263+ if (unlikely (ehdr->e_shoff >= maxsize)
264+ || unlikely (ehdr->e_shoff
265+ + scncnt * sizeof (Elf32_Shdr) > maxsize))
266+ goto free_and_out;
267 elf->state.elf64.shdr
268 = (Elf64_Shdr *) ((char *) ehdr + ehdr->e_shoff);
269
270Index: elfutils-0.155/libelf/elf_getarsym.c
271===================================================================
272--- elfutils-0.155.orig/libelf/elf_getarsym.c 2009-01-08 20:56:37.000000000 +0000
273+++ elfutils-0.155/libelf/elf_getarsym.c 2010-07-03 13:07:11.000000000 +0000
274@@ -181,6 +181,9 @@ elf_getarsym (elf, ptr)
275 size_t index_size = atol (tmpbuf);
276
277 if (SARMAG + sizeof (struct ar_hdr) + index_size > elf->maximum_size
278+#if SIZE_MAX <= 4294967295U
279+ || n >= SIZE_MAX / sizeof (Elf_Arsym)
280+#endif
281 || n * w > index_size)
282 {
283 /* This index table cannot be right since it does not fit into
284Index: elfutils-0.155/libelf/elf_getshdrstrndx.c
285===================================================================
286--- elfutils-0.155.orig/libelf/elf_getshdrstrndx.c 2009-06-13 22:31:35.000000000 +0000
287+++ elfutils-0.155/libelf/elf_getshdrstrndx.c 2010-07-03 13:07:11.000000000 +0000
288@@ -104,10 +104,25 @@ elf_getshdrstrndx (elf, dst)
289 if (elf->map_address != NULL
290 && elf->state.elf32.ehdr->e_ident[EI_DATA] == MY_ELFDATA
291 && (ALLOW_UNALIGNED
292- || (((size_t) ((char *) elf->map_address + offset))
293+ || (((size_t) ((char *) elf->map_address
294+ + elf->start_offset + offset))
295 & (__alignof__ (Elf32_Shdr) - 1)) == 0))
296- /* We can directly access the memory. */
297- num = ((Elf32_Shdr *) (elf->map_address + offset))->sh_link;
298+ {
299+ /* First see whether the information in the ELF header is
300+ valid and it does not ask for too much. */
301+ if (unlikely (elf->maximum_size - offset
302+ < sizeof (Elf32_Shdr)))
303+ {
304+ /* Something is wrong. */
305+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
306+ result = -1;
307+ goto out;
308+ }
309+
310+ /* We can directly access the memory. */
311+ num = ((Elf32_Shdr *) (elf->map_address + elf->start_offset
312+ + offset))->sh_link;
313+ }
314 else
315 {
316 /* We avoid reading in all the section headers. Just read
317@@ -142,10 +157,25 @@ elf_getshdrstrndx (elf, dst)
318 if (elf->map_address != NULL
319 && elf->state.elf64.ehdr->e_ident[EI_DATA] == MY_ELFDATA
320 && (ALLOW_UNALIGNED
321- || (((size_t) ((char *) elf->map_address + offset))
322+ || (((size_t) ((char *) elf->map_address
323+ + elf->start_offset + offset))
324 & (__alignof__ (Elf64_Shdr) - 1)) == 0))
325- /* We can directly access the memory. */
326- num = ((Elf64_Shdr *) (elf->map_address + offset))->sh_link;
327+ {
328+ /* First see whether the information in the ELF header is
329+ valid and it does not ask for too much. */
330+ if (unlikely (elf->maximum_size - offset
331+ < sizeof (Elf64_Shdr)))
332+ {
333+ /* Something is wrong. */
334+ __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
335+ result = -1;
336+ goto out;
337+ }
338+
339+ /* We can directly access the memory. */
340+ num = ((Elf64_Shdr *) (elf->map_address + elf->start_offset
341+ + offset))->sh_link;
342+ }
343 else
344 {
345 /* We avoid reading in all the section headers. Just read
346Index: elfutils-0.155/libelf/elf_newscn.c
347===================================================================
348--- elfutils-0.155.orig/libelf/elf_newscn.c 2009-01-08 20:56:37.000000000 +0000
349+++ elfutils-0.155/libelf/elf_newscn.c 2010-07-03 13:07:11.000000000 +0000
350@@ -83,10 +83,18 @@ elf_newscn (elf)
351 else
352 {
353 /* We must allocate a new element. */
354- Elf_ScnList *newp;
355+ Elf_ScnList *newp = NULL;
356
357 assert (elf->state.elf.scnincr > 0);
358
359+ if (
360+#if SIZE_MAX <= 4294967295U
361+ likely (elf->state.elf.scnincr
362+ < SIZE_MAX / 2 / sizeof (Elf_Scn) - sizeof (Elf_ScnList))
363+#else
364+ 1
365+#endif
366+ )
367 newp = (Elf_ScnList *) calloc (sizeof (Elf_ScnList)
368 + ((elf->state.elf.scnincr *= 2)
369 * sizeof (Elf_Scn)), 1);
370Index: elfutils-0.155/libelf/gelf_getdyn.c
371===================================================================
372--- elfutils-0.155.orig/libelf/gelf_getdyn.c 2009-01-08 20:56:37.000000000 +0000
373+++ elfutils-0.155/libelf/gelf_getdyn.c 2010-07-03 13:07:11.000000000 +0000
374@@ -1,5 +1,5 @@
375 /* Get information from dynamic table at the given index.
376- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
377+ Copyright (C) 2000-2009 Red Hat, Inc.
378 This file is part of elfutils.
379 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
380
381@@ -72,7 +72,7 @@ gelf_getdyn (data, ndx, dst)
382 table entries has to be adopted. The user better has provided
383 a buffer where we can store the information. While copying the
384 data we are converting the format. */
385- if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
386+ if (INVALID_NDX (ndx, Elf32_Dyn, &data_scn->d))
387 {
388 __libelf_seterrno (ELF_E_INVALID_INDEX);
389 goto out;
390@@ -93,7 +93,7 @@ gelf_getdyn (data, ndx, dst)
391
392 /* The data is already in the correct form. Just make sure the
393 index is OK. */
394- if (unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))
395+ if (INVALID_NDX (ndx, GElf_Dyn, &data_scn->d))
396 {
397 __libelf_seterrno (ELF_E_INVALID_INDEX);
398 goto out;
399Index: elfutils-0.155/libelf/gelf_getlib.c
400===================================================================
401--- elfutils-0.155.orig/libelf/gelf_getlib.c 2009-01-08 20:56:37.000000000 +0000
402+++ elfutils-0.155/libelf/gelf_getlib.c 2010-07-03 13:07:11.000000000 +0000
403@@ -1,5 +1,5 @@
404 /* Get library from table at the given index.
405- Copyright (C) 2004 Red Hat, Inc.
406+ Copyright (C) 2004-2009 Red Hat, Inc.
407 This file is part of elfutils.
408 Written by Ulrich Drepper <drepper@redhat.com>, 2004.
409
410@@ -65,7 +65,7 @@ gelf_getlib (data, ndx, dst)
411 /* The data is already in the correct form. Just make sure the
412 index is OK. */
413 GElf_Lib *result = NULL;
414- if (unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))
415+ if (INVALID_NDX (ndx, GElf_Lib, data))
416 __libelf_seterrno (ELF_E_INVALID_INDEX);
417 else
418 {
419Index: elfutils-0.155/libelf/gelf_getmove.c
420===================================================================
421--- elfutils-0.155.orig/libelf/gelf_getmove.c 2009-01-08 20:56:37.000000000 +0000
422+++ elfutils-0.155/libelf/gelf_getmove.c 2010-07-03 13:07:11.000000000 +0000
423@@ -1,5 +1,5 @@
424 /* Get move structure at the given index.
425- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
426+ Copyright (C) 2000-2009 Red Hat, Inc.
427 This file is part of elfutils.
428 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
429
430@@ -62,7 +62,7 @@ gelf_getmove (data, ndx, dst)
431
432 /* The data is already in the correct form. Just make sure the
433 index is OK. */
434- if (unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))
435+ if (INVALID_NDX (ndx, GElf_Move, data))
436 {
437 __libelf_seterrno (ELF_E_INVALID_INDEX);
438 goto out;
439Index: elfutils-0.155/libelf/gelf_getrela.c
440===================================================================
441--- elfutils-0.155.orig/libelf/gelf_getrela.c 2009-01-08 20:56:37.000000000 +0000
442+++ elfutils-0.155/libelf/gelf_getrela.c 2010-07-03 13:07:11.000000000 +0000
443@@ -1,5 +1,5 @@
444 /* Get RELA relocation information at given index.
445- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
446+ Copyright (C) 2000-2009 Red Hat, Inc.
447 This file is part of elfutils.
448 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
449
450@@ -50,12 +50,6 @@ gelf_getrela (data, ndx, dst)
451 if (data_scn == NULL)
452 return NULL;
453
454- if (unlikely (ndx < 0))
455- {
456- __libelf_seterrno (ELF_E_INVALID_INDEX);
457- return NULL;
458- }
459-
460 if (unlikely (data_scn->d.d_type != ELF_T_RELA))
461 {
462 __libelf_seterrno (ELF_E_INVALID_HANDLE);
463@@ -72,7 +66,7 @@ gelf_getrela (data, ndx, dst)
464 if (scn->elf->class == ELFCLASS32)
465 {
466 /* We have to convert the data. */
467- if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
468+ if (INVALID_NDX (ndx, Elf32_Rela, &data_scn->d))
469 {
470 __libelf_seterrno (ELF_E_INVALID_INDEX);
471 result = NULL;
472@@ -93,7 +87,7 @@ gelf_getrela (data, ndx, dst)
473 {
474 /* Simply copy the data after we made sure we are actually getting
475 correct data. */
476- if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
477+ if (INVALID_NDX (ndx, Elf64_Rela, &data_scn->d))
478 {
479 __libelf_seterrno (ELF_E_INVALID_INDEX);
480 result = NULL;
481Index: elfutils-0.155/libelf/gelf_getrel.c
482===================================================================
483--- elfutils-0.155.orig/libelf/gelf_getrel.c 2009-01-08 20:56:37.000000000 +0000
484+++ elfutils-0.155/libelf/gelf_getrel.c 2010-07-03 13:07:11.000000000 +0000
485@@ -1,5 +1,5 @@
486 /* Get REL relocation information at given index.
487- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
488+ Copyright (C) 2000-2009 Red Hat, Inc.
489 This file is part of elfutils.
490 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
491
492@@ -50,12 +50,6 @@ gelf_getrel (data, ndx, dst)
493 if (data_scn == NULL)
494 return NULL;
495
496- if (unlikely (ndx < 0))
497- {
498- __libelf_seterrno (ELF_E_INVALID_INDEX);
499- return NULL;
500- }
501-
502 if (unlikely (data_scn->d.d_type != ELF_T_REL))
503 {
504 __libelf_seterrno (ELF_E_INVALID_HANDLE);
505@@ -72,7 +66,7 @@ gelf_getrel (data, ndx, dst)
506 if (scn->elf->class == ELFCLASS32)
507 {
508 /* We have to convert the data. */
509- if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
510+ if (INVALID_NDX (ndx, Elf32_Rel, &data_scn->d))
511 {
512 __libelf_seterrno (ELF_E_INVALID_INDEX);
513 result = NULL;
514@@ -92,7 +86,7 @@ gelf_getrel (data, ndx, dst)
515 {
516 /* Simply copy the data after we made sure we are actually getting
517 correct data. */
518- if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
519+ if (INVALID_NDX (ndx, Elf64_Rel, &data_scn->d))
520 {
521 __libelf_seterrno (ELF_E_INVALID_INDEX);
522 result = NULL;
523Index: elfutils-0.155/libelf/gelf_getsym.c
524===================================================================
525--- elfutils-0.155.orig/libelf/gelf_getsym.c 2009-01-08 20:56:37.000000000 +0000
526+++ elfutils-0.155/libelf/gelf_getsym.c 2010-07-03 13:07:11.000000000 +0000
527@@ -1,5 +1,5 @@
528 /* Get symbol information from symbol table at the given index.
529- Copyright (C) 1999, 2000, 2001, 2002 Red Hat, Inc.
530+ Copyright (C) 1999-2009 Red Hat, Inc.
531 This file is part of elfutils.
532 Written by Ulrich Drepper <drepper@redhat.com>, 1999.
533
534@@ -69,7 +69,7 @@ gelf_getsym (data, ndx, dst)
535 table entries has to be adopted. The user better has provided
536 a buffer where we can store the information. While copying the
537 data we are converting the format. */
538- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))
539+ if (INVALID_NDX (ndx, Elf32_Sym, data))
540 {
541 __libelf_seterrno (ELF_E_INVALID_INDEX);
542 goto out;
543@@ -98,7 +98,7 @@ gelf_getsym (data, ndx, dst)
544
545 /* The data is already in the correct form. Just make sure the
546 index is OK. */
547- if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))
548+ if (INVALID_NDX (ndx, GElf_Sym, data))
549 {
550 __libelf_seterrno (ELF_E_INVALID_INDEX);
551 goto out;
552Index: elfutils-0.155/libelf/gelf_getsyminfo.c
553===================================================================
554--- elfutils-0.155.orig/libelf/gelf_getsyminfo.c 2009-01-08 20:56:37.000000000 +0000
555+++ elfutils-0.155/libelf/gelf_getsyminfo.c 2010-07-03 13:07:11.000000000 +0000
556@@ -1,5 +1,5 @@
557 /* Get additional symbol information from symbol table at the given index.
558- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
559+ Copyright (C) 2000-2009 Red Hat, Inc.
560 This file is part of elfutils.
561 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
562
563@@ -63,7 +63,7 @@ gelf_getsyminfo (data, ndx, dst)
564
565 /* The data is already in the correct form. Just make sure the
566 index is OK. */
567- if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))
568+ if (INVALID_NDX (ndx, GElf_Syminfo, data))
569 {
570 __libelf_seterrno (ELF_E_INVALID_INDEX);
571 goto out;
572Index: elfutils-0.155/libelf/gelf_getsymshndx.c
573===================================================================
574--- elfutils-0.155.orig/libelf/gelf_getsymshndx.c 2009-01-08 20:56:37.000000000 +0000
575+++ elfutils-0.155/libelf/gelf_getsymshndx.c 2010-07-03 13:07:11.000000000 +0000
576@@ -1,6 +1,6 @@
577 /* Get symbol information and separate section index from symbol table
578 at the given index.
579- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
580+ Copyright (C) 2000-2009 Red Hat, Inc.
581 This file is part of elfutils.
582 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
583
584@@ -69,7 +69,7 @@ gelf_getsymshndx (symdata, shndxdata, nd
585 section index table. */
586 if (likely (shndxdata_scn != NULL))
587 {
588- if (unlikely ((ndx + 1) * sizeof (Elf32_Word) > shndxdata_scn->d.d_size))
589+ if (INVALID_NDX (ndx, Elf32_Word, &shndxdata_scn->d))
590 {
591 __libelf_seterrno (ELF_E_INVALID_INDEX);
592 goto out;
593@@ -89,7 +89,7 @@ gelf_getsymshndx (symdata, shndxdata, nd
594 table entries has to be adopted. The user better has provided
595 a buffer where we can store the information. While copying the
596 data we are converting the format. */
597- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))
598+ if (INVALID_NDX (ndx, Elf32_Sym, symdata))
599 {
600 __libelf_seterrno (ELF_E_INVALID_INDEX);
601 goto out;
602@@ -118,7 +118,7 @@ gelf_getsymshndx (symdata, shndxdata, nd
603
604 /* The data is already in the correct form. Just make sure the
605 index is OK. */
606- if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))
607+ if (INVALID_NDX (ndx, GElf_Sym, symdata))
608 {
609 __libelf_seterrno (ELF_E_INVALID_INDEX);
610 goto out;
611Index: elfutils-0.155/libelf/gelf_getversym.c
612===================================================================
613--- elfutils-0.155.orig/libelf/gelf_getversym.c 2009-01-08 20:56:37.000000000 +0000
614+++ elfutils-0.155/libelf/gelf_getversym.c 2010-07-03 13:07:11.000000000 +0000
615@@ -1,5 +1,5 @@
616 /* Get symbol version information at the given index.
617- Copyright (C) 1999, 2000, 2001, 2002 Red Hat, Inc.
618+ Copyright (C) 1999-2009 Red Hat, Inc.
619 This file is part of elfutils.
620 Written by Ulrich Drepper <drepper@redhat.com>, 1999.
621
622@@ -71,7 +71,7 @@ gelf_getversym (data, ndx, dst)
623
624 /* The data is already in the correct form. Just make sure the
625 index is OK. */
626- if (unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))
627+ if (INVALID_NDX (ndx, GElf_Versym, data))
628 {
629 __libelf_seterrno (ELF_E_INVALID_INDEX);
630 result = NULL;
631Index: elfutils-0.155/libelf/gelf_update_dyn.c
632===================================================================
633--- elfutils-0.155.orig/libelf/gelf_update_dyn.c 2009-01-08 20:56:37.000000000 +0000
634+++ elfutils-0.155/libelf/gelf_update_dyn.c 2010-07-03 13:07:11.000000000 +0000
635@@ -1,5 +1,5 @@
636 /* Update information in dynamic table at the given index.
637- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
638+ Copyright (C) 2000-2009 Red Hat, Inc.
639 This file is part of elfutils.
640 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
641
642@@ -50,12 +50,6 @@ gelf_update_dyn (data, ndx, src)
643 if (data == NULL)
644 return 0;
645
646- if (unlikely (ndx < 0))
647- {
648- __libelf_seterrno (ELF_E_INVALID_INDEX);
649- return 0;
650- }
651-
652 if (unlikely (data_scn->d.d_type != ELF_T_DYN))
653 {
654 /* The type of the data better should match. */
655@@ -81,7 +75,7 @@ gelf_update_dyn (data, ndx, src)
656 }
657
658 /* Check whether we have to resize the data buffer. */
659- if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
660+ if (INVALID_NDX (ndx, Elf32_Dyn, &data_scn->d))
661 {
662 __libelf_seterrno (ELF_E_INVALID_INDEX);
663 goto out;
664@@ -95,7 +89,7 @@ gelf_update_dyn (data, ndx, src)
665 else
666 {
667 /* Check whether we have to resize the data buffer. */
668- if (unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))
669+ if (INVALID_NDX (ndx, Elf64_Dyn, &data_scn->d))
670 {
671 __libelf_seterrno (ELF_E_INVALID_INDEX);
672 goto out;
673Index: elfutils-0.155/libelf/gelf_update_lib.c
674===================================================================
675--- elfutils-0.155.orig/libelf/gelf_update_lib.c 2009-01-08 20:56:37.000000000 +0000
676+++ elfutils-0.155/libelf/gelf_update_lib.c 2010-07-03 13:07:11.000000000 +0000
677@@ -1,5 +1,5 @@
678 /* Update library in table at the given index.
679- Copyright (C) 2004 Red Hat, Inc.
680+ Copyright (C) 2004-2009 Red Hat, Inc.
681 This file is part of elfutils.
682 Written by Ulrich Drepper <drepper@redhat.com>, 2004.
683
684@@ -47,12 +47,6 @@ gelf_update_lib (data, ndx, src)
685 if (data == NULL)
686 return 0;
687
688- if (unlikely (ndx < 0))
689- {
690- __libelf_seterrno (ELF_E_INVALID_INDEX);
691- return 0;
692- }
693-
694 Elf_Data_Scn *data_scn = (Elf_Data_Scn *) data;
695 if (unlikely (data_scn->d.d_type != ELF_T_LIB))
696 {
697@@ -66,7 +60,7 @@ gelf_update_lib (data, ndx, src)
698
699 /* Check whether we have to resize the data buffer. */
700 int result = 0;
701- if (unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))
702+ if (INVALID_NDX (ndx, Elf64_Lib, &data_scn->d))
703 __libelf_seterrno (ELF_E_INVALID_INDEX);
704 else
705 {
706Index: elfutils-0.155/libelf/gelf_update_move.c
707===================================================================
708--- elfutils-0.155.orig/libelf/gelf_update_move.c 2009-01-08 20:56:37.000000000 +0000
709+++ elfutils-0.155/libelf/gelf_update_move.c 2010-07-03 13:07:11.000000000 +0000
710@@ -1,5 +1,5 @@
711 /* Update move structure at the given index.
712- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
713+ Copyright (C) 2000-2009 Red Hat, Inc.
714 This file is part of elfutils.
715 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
716
717@@ -54,8 +54,7 @@ gelf_update_move (data, ndx, src)
718 assert (sizeof (GElf_Move) == sizeof (Elf64_Move));
719
720 /* Check whether we have to resize the data buffer. */
721- if (unlikely (ndx < 0)
722- || unlikely ((ndx + 1) * sizeof (GElf_Move) > data_scn->d.d_size))
723+ if (INVALID_NDX (ndx, GElf_Move, &data_scn->d))
724 {
725 __libelf_seterrno (ELF_E_INVALID_INDEX);
726 return 0;
727Index: elfutils-0.155/libelf/gelf_update_rela.c
728===================================================================
729--- elfutils-0.155.orig/libelf/gelf_update_rela.c 2009-01-08 20:56:37.000000000 +0000
730+++ elfutils-0.155/libelf/gelf_update_rela.c 2010-07-03 13:07:11.000000000 +0000
731@@ -1,5 +1,5 @@
732 /* Update RELA relocation information at given index.
733- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
734+ Copyright (C) 2000-2009 Red Hat, Inc.
735 This file is part of elfutils.
736 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
737
738@@ -47,12 +47,6 @@ gelf_update_rela (Elf_Data *dst, int ndx
739 if (dst == NULL)
740 return 0;
741
742- if (unlikely (ndx < 0))
743- {
744- __libelf_seterrno (ELF_E_INVALID_INDEX);
745- return 0;
746- }
747-
748 if (unlikely (data_scn->d.d_type != ELF_T_RELA))
749 {
750 /* The type of the data better should match. */
751@@ -80,7 +74,7 @@ gelf_update_rela (Elf_Data *dst, int ndx
752 }
753
754 /* Check whether we have to resize the data buffer. */
755- if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
756+ if (INVALID_NDX (ndx, Elf32_Rela, &data_scn->d))
757 {
758 __libelf_seterrno (ELF_E_INVALID_INDEX);
759 goto out;
760@@ -96,7 +90,7 @@ gelf_update_rela (Elf_Data *dst, int ndx
761 else
762 {
763 /* Check whether we have to resize the data buffer. */
764- if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
765+ if (INVALID_NDX (ndx, Elf64_Rela, &data_scn->d))
766 {
767 __libelf_seterrno (ELF_E_INVALID_INDEX);
768 goto out;
769Index: elfutils-0.155/libelf/gelf_update_rel.c
770===================================================================
771--- elfutils-0.155.orig/libelf/gelf_update_rel.c 2009-01-08 20:56:37.000000000 +0000
772+++ elfutils-0.155/libelf/gelf_update_rel.c 2010-07-03 13:07:11.000000000 +0000
773@@ -1,5 +1,5 @@
774 /* Update REL relocation information at given index.
775- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
776+ Copyright (C) 2000-2009 Red Hat, Inc.
777 This file is part of elfutils.
778 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
779
780@@ -47,12 +47,6 @@ gelf_update_rel (Elf_Data *dst, int ndx,
781 if (dst == NULL)
782 return 0;
783
784- if (unlikely (ndx < 0))
785- {
786- __libelf_seterrno (ELF_E_INVALID_INDEX);
787- return 0;
788- }
789-
790 if (unlikely (data_scn->d.d_type != ELF_T_REL))
791 {
792 /* The type of the data better should match. */
793@@ -78,7 +72,7 @@ gelf_update_rel (Elf_Data *dst, int ndx,
794 }
795
796 /* Check whether we have to resize the data buffer. */
797- if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
798+ if (INVALID_NDX (ndx, Elf32_Rel, &data_scn->d))
799 {
800 __libelf_seterrno (ELF_E_INVALID_INDEX);
801 goto out;
802@@ -93,7 +87,7 @@ gelf_update_rel (Elf_Data *dst, int ndx,
803 else
804 {
805 /* Check whether we have to resize the data buffer. */
806- if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
807+ if (INVALID_NDX (ndx, Elf64_Rel, &data_scn->d))
808 {
809 __libelf_seterrno (ELF_E_INVALID_INDEX);
810 goto out;
811Index: elfutils-0.155/libelf/gelf_update_sym.c
812===================================================================
813--- elfutils-0.155.orig/libelf/gelf_update_sym.c 2009-01-08 20:56:37.000000000 +0000
814+++ elfutils-0.155/libelf/gelf_update_sym.c 2010-07-03 13:07:11.000000000 +0000
815@@ -1,5 +1,5 @@
816 /* Update symbol information in symbol table at the given index.
817- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
818+ Copyright (C) 2000-2009 Red Hat, Inc.
819 This file is part of elfutils.
820 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
821
822@@ -51,12 +51,6 @@ gelf_update_sym (data, ndx, src)
823 if (data == NULL)
824 return 0;
825
826- if (unlikely (ndx < 0))
827- {
828- __libelf_seterrno (ELF_E_INVALID_INDEX);
829- return 0;
830- }
831-
832 if (unlikely (data_scn->d.d_type != ELF_T_SYM))
833 {
834 /* The type of the data better should match. */
835@@ -81,7 +75,7 @@ gelf_update_sym (data, ndx, src)
836 }
837
838 /* Check whether we have to resize the data buffer. */
839- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))
840+ if (INVALID_NDX (ndx, Elf32_Sym, &data_scn->d))
841 {
842 __libelf_seterrno (ELF_E_INVALID_INDEX);
843 goto out;
844@@ -104,7 +98,7 @@ gelf_update_sym (data, ndx, src)
845 else
846 {
847 /* Check whether we have to resize the data buffer. */
848- if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))
849+ if (INVALID_NDX (ndx, Elf64_Sym, &data_scn->d))
850 {
851 __libelf_seterrno (ELF_E_INVALID_INDEX);
852 goto out;
853Index: elfutils-0.155/libelf/gelf_update_syminfo.c
854===================================================================
855--- elfutils-0.155.orig/libelf/gelf_update_syminfo.c 2009-01-08 20:56:37.000000000 +0000
856+++ elfutils-0.155/libelf/gelf_update_syminfo.c 2010-07-03 13:07:11.000000000 +0000
857@@ -1,5 +1,5 @@
858 /* Update additional symbol information in symbol table at the given index.
859- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
860+ Copyright (C) 2000-2009 Red Hat, Inc.
861 This file is part of elfutils.
862 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
863
864@@ -51,12 +51,6 @@ gelf_update_syminfo (data, ndx, src)
865 if (data == NULL)
866 return 0;
867
868- if (unlikely (ndx < 0))
869- {
870- __libelf_seterrno (ELF_E_INVALID_INDEX);
871- return 0;
872- }
873-
874 if (unlikely (data_scn->d.d_type != ELF_T_SYMINFO))
875 {
876 /* The type of the data better should match. */
877@@ -72,7 +66,7 @@ gelf_update_syminfo (data, ndx, src)
878 rwlock_wrlock (scn->elf->lock);
879
880 /* Check whether we have to resize the data buffer. */
881- if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))
882+ if (INVALID_NDX (ndx, GElf_Syminfo, &data_scn->d))
883 {
884 __libelf_seterrno (ELF_E_INVALID_INDEX);
885 goto out;
886Index: elfutils-0.155/libelf/gelf_update_symshndx.c
887===================================================================
888--- elfutils-0.155.orig/libelf/gelf_update_symshndx.c 2009-01-08 20:56:37.000000000 +0000
889+++ elfutils-0.155/libelf/gelf_update_symshndx.c 2010-07-03 13:07:11.000000000 +0000
890@@ -1,6 +1,6 @@
891 /* Update symbol information and section index in symbol table at the
892 given index.
893- Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
894+ Copyright (C) 2000-2009 Red Hat, Inc.
895 This file is part of elfutils.
896 Written by Ulrich Drepper <drepper@redhat.com>, 2000.
897
898@@ -56,12 +56,6 @@ gelf_update_symshndx (symdata, shndxdata
899 if (symdata == NULL)
900 return 0;
901
902- if (unlikely (ndx < 0))
903- {
904- __libelf_seterrno (ELF_E_INVALID_INDEX);
905- return 0;
906- }
907-
908 if (unlikely (symdata_scn->d.d_type != ELF_T_SYM))
909 {
910 /* The type of the data better should match. */
911@@ -107,7 +101,7 @@ gelf_update_symshndx (symdata, shndxdata
912 }
913
914 /* Check whether we have to resize the data buffer. */
915- if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))
916+ if (INVALID_NDX (ndx, Elf32_Sym, &symdata_scn->d))
917 {
918 __libelf_seterrno (ELF_E_INVALID_INDEX);
919 goto out;
920@@ -130,7 +124,7 @@ gelf_update_symshndx (symdata, shndxdata
921 else
922 {
923 /* Check whether we have to resize the data buffer. */
924- if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))
925+ if (INVALID_NDX (ndx, Elf64_Sym, &symdata_scn->d))
926 {
927 __libelf_seterrno (ELF_E_INVALID_INDEX);
928 goto out;
929Index: elfutils-0.155/libelf/gelf_update_versym.c
930===================================================================
931--- elfutils-0.155.orig/libelf/gelf_update_versym.c 2009-01-08 20:56:37.000000000 +0000
932+++ elfutils-0.155/libelf/gelf_update_versym.c 2010-07-03 13:07:11.000000000 +0000
933@@ -1,5 +1,5 @@
934 /* Update symbol version information.
935- Copyright (C) 2001, 2002 Red Hat, Inc.
936+ Copyright (C) 2001-2009 Red Hat, Inc.
937 This file is part of elfutils.
938 Written by Ulrich Drepper <drepper@redhat.com>, 2001.
939
940@@ -54,8 +54,7 @@ gelf_update_versym (data, ndx, src)
941 assert (sizeof (GElf_Versym) == sizeof (Elf64_Versym));
942
943 /* Check whether we have to resize the data buffer. */
944- if (unlikely (ndx < 0)
945- || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data_scn->d.d_size))
946+ if (INVALID_NDX (ndx, GElf_Versym, &data_scn->d))
947 {
948 __libelf_seterrno (ELF_E_INVALID_INDEX);
949 return 0;
950Index: elfutils-0.155/libelf/libelfP.h
951===================================================================
952--- elfutils-0.155.orig/libelf/libelfP.h 2010-01-12 16:57:54.000000000 +0000
953+++ elfutils-0.155/libelf/libelfP.h 2010-07-03 13:07:11.000000000 +0000
954@@ -608,4 +608,8 @@
955 /* Align offset to 4 bytes as needed for note name and descriptor data. */
956 #define NOTE_ALIGN(n) (((n) + 3) & -4U)
957
958+/* Convenience macro. */
959+#define INVALID_NDX(ndx, type, data) \
960+ unlikely ((data)->d_size / sizeof (type) <= (unsigned int) (ndx))
961+
962 #endif /* libelfP.h */
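Review bot: The `/* Convenience macro. */` comment on INVALID_NDX leaves undocumented the one property every caller in this patch now relies on: the `(unsigned int)` cast folds a negative `ndx` into a huge value, which is why the separate `ndx < 0` checks could be dropped from the gelf_update_* functions. Suggest replacing it with `/* Nonzero if NDX is not a valid index into DATA viewed as an array of TYPE.  A negative NDX becomes huge after the unsigned cast and is rejected too; dividing d_size avoids the overflow of the old (ndx + 1) * sizeof checks.  */`. The cast also silently truncates a 64-bit index, so the comment should say the macro expects an int-sized ndx, as all callers here pass.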
963Index: elfutils-0.155/src/ChangeLog
964===================================================================
965--- elfutils-0.155.orig/src/ChangeLog 2010-07-03 13:07:10.000000000 +0000
966+++ elfutils-0.155/src/ChangeLog 2010-07-03 13:07:11.000000000 +0000
967@@ -344,6 +344,12 @@
968
969 * readelf.c (dwarf_attr_string): Grok DW_AT_GNU_odr_signature.
970
971+2011-03-23 Petr Machata <pmachata@redhat.com>
972+
973+ * readelf.c (handle_dynamic, handle_relocs_rel)
974+ (handle_relocs_rela, handle_versym, print_liblist):
975+ Use gelf_fsize instead of relying on shdr->sh_entsize.
976+
977 2011-02-11 Roland McGrath <roland@redhat.com>
978
979 * elfcmp.c (verbose): New variable.
980@@ -2056,6 +2062,16 @@
981 object symbols or symbols with unknown type.
982 (check_rel): Likewise.
983
984+2005-06-09 Roland McGrath <roland@redhat.com>
985+
986+ * readelf.c (handle_dynamic, handle_symtab): Check for bogus sh_link.
987+ (handle_verneed, handle_verdef, handle_versym, handle_hash): Likewise.
988+ (handle_scngrp): Check for bogus sh_info.
989+
990+ * strip.c (handle_elf): Check for bogus values in sh_link, sh_info,
991+ st_shndx, e_shstrndx, and SHT_GROUP or SHT_SYMTAB_SHNDX data.
992+ Don't use assert on input values, instead bail with "illformed" error.
993+
994 2005-06-08 Roland McGrath <roland@redhat.com>
995
996 * readelf.c (print_ops): Add consts.
997@@ -2101,6 +2117,19 @@
998
999 * readelf.c (dwarf_tag_string): Add new tags.
1000
1001+2005-05-17 Jakub Jelinek <jakub@redhat.com>
1002+
1003+ * elflint.c (check_hash): Don't check entries beyond end of section.
1004+ (check_note): Don't crash if gelf_rawchunk fails.
1005+ (section_name): Return <invalid> if gelf_getshdr returns NULL.
1006+
1007+2005-05-14 Jakub Jelinek <jakub@redhat.com>
1008+
1009+ * elflint.c (section_name): Return "<invalid>" instead of
1010+ crashing on invalid section name.
1011+ (check_symtab, is_rel_dyn, check_rela, check_rel, check_dynamic,
1012+ check_symtab_shndx, check_hash, check_versym): Robustify.
1013+
1014 2005-05-08 Roland McGrath <roland@redhat.com>
1015
1016 * strip.c (handle_elf): Don't translate hash and versym data formats,
1017Index: elfutils-0.155/src/elflint.c
1018===================================================================
1019--- elfutils-0.155.orig/src/elflint.c 2010-04-13 20:08:02.000000000 +0000
1020+++ elfutils-0.155/src/elflint.c 2010-07-03 13:07:11.000000000 +0000
1021@@ -123,6 +123,10 @@ static uint32_t shstrndx;
1022 /* Array to count references in section groups. */
1023 static int *scnref;
1024
1025+/* Numbers of sections and program headers. */
1026+static unsigned int shnum;
1027+static unsigned int phnum;
1028+
1029
1030 int
1031 main (int argc, char *argv[])
1032@@ -311,10 +315,19 @@ section_name (Ebl *ebl, int idx)
1033 {
1034 GElf_Shdr shdr_mem;
1035 GElf_Shdr *shdr;
1036+ const char *ret;
1037+
1038+ if ((unsigned int) idx > shnum)
1039+ return "<invalid>";
1040
1041 shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);
1042+ if (shdr == NULL)
1043+ return "<invalid>";
1044
1045- return elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
1046+ ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
1047+ if (ret == NULL)
1048+ return "<invalid>";
1049+ return ret;
1050 }
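Review bot: The new range check `if ((unsigned int) idx > shnum)` is off by one: valid section indices are 0..shnum-1, so `idx == shnum` passes the test. It is harmless only because `gelf_getshdr` on that index returns NULL and the check added right after catches it, but the guard should not depend on libelf doing the bounds check for it: `if ((unsigned int) idx >= shnum)`. shnum is the file-scope counter moved to the top of the file in the previous hunk and is presumably set in check_elf_header, so the guard is only meaningful once that has run.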
1051
1052
1053@@ -337,11 +350,6 @@ static const int valid_e_machine[] =
1054 (sizeof (valid_e_machine) / sizeof (valid_e_machine[0]))
1055
1056
1057-/* Numbers of sections and program headers. */
1058-static unsigned int shnum;
1059-static unsigned int phnum;
1060-
1061-
1062 static void
1063 check_elf_header (Ebl *ebl, GElf_Ehdr *ehdr, size_t size)
1064 {
1065@@ -625,7 +633,8 @@ section [%2d] '%s': symbol table cannot
1066 }
1067 }
1068
1069- if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT))
1070+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT);
1071+ if (shdr->sh_entsize != sh_entsize)
1072 ERROR (gettext ("\
1073 section [%2u] '%s': entry size is does not match ElfXX_Sym\n"),
1074 idx, section_name (ebl, idx));
1075@@ -663,7 +672,7 @@ section [%2d] '%s': XINDEX for zeroth en
1076 xndxscnidx, section_name (ebl, xndxscnidx));
1077 }
1078
1079- for (size_t cnt = 1; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1080+ for (size_t cnt = 1; cnt < shdr->sh_size / sh_entsize; ++cnt)
1081 {
1082 sym = gelf_getsymshndx (data, xndxdata, cnt, &sym_mem, &xndx);
1083 if (sym == NULL)
1084@@ -683,7 +692,8 @@ section [%2d] '%s': symbol %zu: invalid
1085 else
1086 {
1087 name = elf_strptr (ebl->elf, shdr->sh_link, sym->st_name);
1088- assert (name != NULL);
1089+ assert (name != NULL
1090+ || strshdr->sh_type != SHT_STRTAB);
1091 }
1092
1093 if (sym->st_shndx == SHN_XINDEX)
1094@@ -1032,9 +1042,11 @@ is_rel_dyn (Ebl *ebl, const GElf_Ehdr *e
1095 {
1096 GElf_Shdr rcshdr_mem;
1097 const GElf_Shdr *rcshdr = gelf_getshdr (scn, &rcshdr_mem);
1098- assert (rcshdr != NULL);
1099
1100- if (rcshdr->sh_type == SHT_DYNAMIC)
1101+ if (rcshdr == NULL)
1102+ break;
1103+
1104+ if (rcshdr->sh_type == SHT_DYNAMIC && rcshdr->sh_entsize)
1105 {
1106 /* Found the dynamic section. Look through it. */
1107 Elf_Data *d = elf_getdata (scn, NULL);
1108@@ -1044,7 +1056,9 @@ is_rel_dyn (Ebl *ebl, const GElf_Ehdr *e
1109 {
1110 GElf_Dyn dyn_mem;
1111 GElf_Dyn *dyn = gelf_getdyn (d, cnt, &dyn_mem);
1112- assert (dyn != NULL);
1113+
1114+ if (dyn == NULL)
1115+ break;
1116
1117 if (dyn->d_tag == DT_RELCOUNT)
1118 {
1119@@ -1058,7 +1072,9 @@ section [%2d] '%s': DT_RELCOUNT used for
1120 /* Does the number specified number of relative
1121 relocations exceed the total number of
1122 relocations? */
1123- if (dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
1124+ if (shdr->sh_entsize != 0
1125+ && dyn->d_un.d_val > (shdr->sh_size
1126+ / shdr->sh_entsize))
1127 ERROR (gettext ("\
1128 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
1129 idx, section_name (ebl, idx),
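Review bot: The added `shdr->sh_entsize != 0` guard makes the DT_RELCOUNT comparison silently disappear for a relocation section whose sh_entsize is zero, which is exactly the malformed case the rest of this patch handles by deriving the entry size with gelf_fsize (see check_rela and check_rel below). For consistency and so a bogus sh_entsize cannot hide an out-of-range DT_RELCOUNT, compute the divisor the same way here, `size_t entsize = gelf_fsize (ebl->elf, shdr->sh_type == SHT_RELA ? ELF_T_RELA : ELF_T_REL, 1, EV_CURRENT);` and compare `dyn->d_un.d_val > shdr->sh_size / entsize`. is_rel_dyn begins before this hunk, so I am assuming `shdr` here is the REL/RELA section being checked.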
1130@@ -1218,7 +1234,8 @@ section [%2d] '%s': no relocations for m
1131 }
1132 }
1133
1134- if (shdr->sh_entsize != gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT))
1135+ size_t sh_entsize = gelf_fsize (ebl->elf, reltype, 1, EV_CURRENT);
1136+ if (shdr->sh_entsize != sh_entsize)
1137 ERROR (gettext (reltype == ELF_T_RELA ? "\
1138 section [%2d] '%s': section entry size does not match ElfXX_Rela\n" : "\
1139 section [%2d] '%s': section entry size does not match ElfXX_Rel\n"),
1140@@ -1441,7 +1458,8 @@ check_rela (Ebl *ebl, GElf_Ehdr *ehdr, G
1141 Elf_Data *symdata = elf_getdata (symscn, NULL);
1142 enum load_state state = state_undecided;
1143
1144- for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1145+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
1146+ for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1147 {
1148 GElf_Rela rela_mem;
1149 GElf_Rela *rela = gelf_getrela (data, cnt, &rela_mem);
1150@@ -1491,7 +1509,8 @@ check_rel (Ebl *ebl, GElf_Ehdr *ehdr, GE
1151 Elf_Data *symdata = elf_getdata (symscn, NULL);
1152 enum load_state state = state_undecided;
1153
1154- for (size_t cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1155+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
1156+ for (size_t cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1157 {
1158 GElf_Rel rel_mem;
1159 GElf_Rel *rel = gelf_getrel (data, cnt, &rel_mem);
1160@@ -1590,7 +1609,8 @@ section [%2d] '%s': referenced as string
1161 shdr->sh_link, section_name (ebl, shdr->sh_link),
1162 idx, section_name (ebl, idx));
1163
1164- if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT))
1165+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
1166+ if (shdr->sh_entsize != sh_entsize)
1167 ERROR (gettext ("\
1168 section [%2d] '%s': section entry size does not match ElfXX_Dyn\n"),
1169 idx, section_name (ebl, idx));
1170@@ -1600,7 +1620,7 @@ section [%2d] '%s': section entry size d
1171 idx, section_name (ebl, idx));
1172
1173 bool non_null_warned = false;
1174- for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1175+ for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1176 {
1177 GElf_Dyn dyn_mem;
1178 GElf_Dyn *dyn = gelf_getdyn (data, cnt, &dyn_mem);
1179@@ -1872,6 +1892,8 @@ section [%2d] '%s': entry size does not
1180 idx, section_name (ebl, idx));
1181
1182 if (symshdr != NULL
1183+ && shdr->sh_entsize
1184+ && symshdr->sh_entsize
1185 && (shdr->sh_size / shdr->sh_entsize
1186 < symshdr->sh_size / symshdr->sh_entsize))
1187 ERROR (gettext ("\
1188@@ -1898,6 +1920,12 @@ section [%2d] '%s': extended section ind
1189 }
1190
1191 Elf_Data *data = elf_getdata (elf_getscn (ebl->elf, idx), NULL);
1192+ if (data == NULL)
1193+ {
1194+ ERROR (gettext ("section [%2d] '%s': cannot get section data\n"),
1195+ idx, section_name (ebl, idx));
1196+ return;
1197+ }
1198
1199 if (*((Elf32_Word *) data->d_buf) != 0)
1200 ERROR (gettext ("symbol 0 should have zero extended section index\n"));
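Review bot: The new NULL check on `data` does not cover the empty-section case: the very next line dereferences `data->d_buf` as an Elf32_Word, and an SHT_SYMTAB_SHNDX section with sh_size 0 yields an Elf_Data with d_size 0 (and, as far as I can tell, a NULL d_buf), while the size-mismatch ERROR a few lines earlier does not return. Extend the guard to `if (data == NULL || data->d_size < sizeof (Elf32_Word))` and report the section as unreadable or too small. The function continues beyond the hunk, so any later loop over this data should likewise be bounded by `data->d_size`.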
1201@@ -1940,7 +1968,7 @@ section [%2d] '%s': hash table section i
1202
1203 size_t maxidx = nchain;
1204
1205- if (symshdr != NULL)
1206+ if (symshdr != NULL && symshdr->sh_entsize != 0)
1207 {
1208 size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
1209
1210@@ -1951,18 +1979,28 @@ section [%2d] '%s': hash table section i
1211 maxidx = symsize;
1212 }
1213
1214+ Elf32_Word *buf = (Elf32_Word *) data->d_buf;
1215+ Elf32_Word *end = (Elf32_Word *) ((char *) data->d_buf + shdr->sh_size);
1216 size_t cnt;
1217 for (cnt = 2; cnt < 2 + nbucket; ++cnt)
1218- if (((Elf32_Word *) data->d_buf)[cnt] >= maxidx)
1219+ {
1220+ if (buf + cnt >= end)
1221+ break;
1222+ else if (buf[cnt] >= maxidx)
1223 ERROR (gettext ("\
1224 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
1225 idx, section_name (ebl, idx), cnt - 2);
1226+ }
1227
1228 for (; cnt < 2 + nbucket + nchain; ++cnt)
1229- if (((Elf32_Word *) data->d_buf)[cnt] >= maxidx)
1230+ {
1231+ if (buf + cnt >= end)
1232+ break;
1233+ else if (buf[cnt] >= maxidx)
1234 ERROR (gettext ("\
1235 section [%2d] '%s': hash chain reference %zu out of bounds\n"),
1236 idx, section_name (ebl, idx), cnt - 2 - nbucket);
1237+ }
1238 }
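Review bot: The new bound `end` is computed from `shdr->sh_size`, but the loop indexes `data->d_buf`, whose actual extent is `data->d_size`; if the two ever differ (a truncated file or a lazily converted section) the guard still lets `buf[cnt]` read past the buffer. Expressing the limit as an element count of the data object avoids both that and the one-past-the-end pointer arithmetic in `buf + cnt >= end`: `size_t nwords = data->d_size / sizeof (Elf32_Word);` and `if (cnt >= nwords) break;`. It would also be worth emitting an ERROR when the loop is cut short, since silently stopping hides that nbucket/nchain overstate the section; those two values are read before this hunk and I cannot see whether they are checked against the section size.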
1239
1240
1241@@ -1992,18 +2030,28 @@ section [%2d] '%s': hash table section i
1242 maxidx = symsize;
1243 }
1244
1245+ Elf64_Xword *buf = (Elf64_Xword *) data->d_buf;
1246+ Elf64_Xword *end = (Elf64_Xword *) ((char *) data->d_buf + shdr->sh_size);
1247 size_t cnt;
1248 for (cnt = 2; cnt < 2 + nbucket; ++cnt)
1249- if (((Elf64_Xword *) data->d_buf)[cnt] >= maxidx)
1250+ {
1251+ if (buf + cnt >= end)
1252+ break;
1253+ else if (buf[cnt] >= maxidx)
1254 ERROR (gettext ("\
1255 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
1256 idx, section_name (ebl, idx), cnt - 2);
1257+ }
1258
1259 for (; cnt < 2 + nbucket + nchain; ++cnt)
1260- if (((Elf64_Xword *) data->d_buf)[cnt] >= maxidx)
1261+ {
1262+ if (buf + cnt >= end)
1263+ break;
1264+ else if (buf[cnt] >= maxidx)
1265 ERROR (gettext ("\
1266 section [%2d] '%s': hash chain reference %" PRIu64 " out of bounds\n"),
1267- idx, section_name (ebl, idx), (uint64_t) (cnt - 2 - nbucket));
1268+ idx, section_name (ebl, idx), (uint64_t) cnt - 2 - nbucket);
1269+ }
1270 }
1271
1272
1273@@ -2028,7 +2076,7 @@ section [%2d] '%s': bitmask size not pow
1274 if (shdr->sh_size < (4 + bitmask_words + nbuckets) * sizeof (Elf32_Word))
1275 {
1276 ERROR (gettext ("\
1277-section [%2d] '%s': hash table section is too small (is %ld, expected at least%ld)\n"),
1278+section [%2d] '%s': hash table section is too small (is %ld, expected at least %ld)\n"),
1279 idx, section_name (ebl, idx), (long int) shdr->sh_size,
1280 (long int) ((4 + bitmask_words + nbuckets) * sizeof (Elf32_Word)));
1281 return;
1282@@ -2700,8 +2748,9 @@ section [%2d] '%s' refers in sh_link to
1283
1284 /* The number of elements in the version symbol table must be the
1285 same as the number of symbols. */
1286- if (shdr->sh_size / shdr->sh_entsize
1287- != symshdr->sh_size / symshdr->sh_entsize)
1288+ if (shdr->sh_entsize && symshdr->sh_entsize
1289+ && (shdr->sh_size / shdr->sh_entsize
1290+ != symshdr->sh_size / symshdr->sh_entsize))
1291 ERROR (gettext ("\
1292 section [%2d] '%s' has different number of entries than symbol table [%2d] '%s'\n"),
1293 idx, section_name (ebl, idx),
1294Index: elfutils-0.155/src/readelf.c
1295===================================================================
1296--- elfutils-0.155.orig/src/readelf.c 2010-07-03 13:07:10.000000000 +0000
1297+++ elfutils-0.155/src/readelf.c 2010-07-03 13:07:11.000000000 +0000
1298@@ -1189,6 +1189,8 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
1299 Elf32_Word *grpref = (Elf32_Word *) data->d_buf;
1300
1301 GElf_Sym sym_mem;
1302+ GElf_Sym *sym = gelf_getsym (symdata, shdr->sh_info, &sym_mem);
1303+
1304 printf ((grpref[0] & GRP_COMDAT)
1305 ? ngettext ("\
1306 \nCOMDAT section group [%2zu] '%s' with signature '%s' contains %zu entry:\n",
1307@@ -1201,8 +1203,8 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
1308 data->d_size / sizeof (Elf32_Word) - 1),
1309 elf_ndxscn (scn),
1310 elf_strptr (ebl->elf, shstrndx, shdr->sh_name),
1311- elf_strptr (ebl->elf, symshdr->sh_link,
1312- gelf_getsym (symdata, shdr->sh_info, &sym_mem)->st_name)
1313+ (sym == NULL ? NULL
1314+ : elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name))
1315 ?: gettext ("<INVALID SYMBOL>"),
1316 data->d_size / sizeof (Elf32_Word) - 1);
1317
1318@@ -1353,10 +1355,12 @@ static void
1319 handle_dynamic (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
1320 {
1321 int class = gelf_getclass (ebl->elf);
1322- GElf_Shdr glink;
1323+ GElf_Shdr glink_mem;
1324+ GElf_Shdr *glink;
1325 Elf_Data *data;
1326 size_t cnt;
1327 size_t shstrndx;
1328+ size_t sh_entsize;
1329
1330 /* Get the data of the section. */
1331 data = elf_getdata (scn, NULL);
1332@@ -1368,21 +1372,26 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn,
1333 error (EXIT_FAILURE, 0,
1334 gettext ("cannot get section header string table index"));
1335
1336+ sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
1337+
1338+ glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
1339+ if (glink == NULL)
1340+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1341+ elf_ndxscn (scn));
1342+
1343 printf (ngettext ("\
1344 \nDynamic segment contains %lu entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1345 "\
1346 \nDynamic segment contains %lu entries:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1347- shdr->sh_size / shdr->sh_entsize),
1348- (unsigned long int) (shdr->sh_size / shdr->sh_entsize),
1349+ shdr->sh_size / sh_entsize),
1350+ (unsigned long int) (shdr->sh_size / sh_entsize),
1351 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1352 shdr->sh_offset,
1353 (int) shdr->sh_link,
1354- elf_strptr (ebl->elf, shstrndx,
1355- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1356- &glink)->sh_name));
1357+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1358 fputs_unlocked (gettext (" Type Value\n"), stdout);
1359
1360- for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1361+ for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1362 {
1363 GElf_Dyn dynmem;
1364 GElf_Dyn *dyn = gelf_getdyn (data, cnt, &dynmem);
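Review bot: The new `glink == NULL` path calls `error (EXIT_FAILURE, ...)`, so a single bad sh_link in .dynamic terminates readelf before any other section is printed, whereas the same patch handles the identical condition in print_hash_info and print_debug_aranges_section with `error (0, 0, ...)` and `return`. For a tool whose job is to inspect possibly malformed binaries the non-fatal form is the better default and makes the patch self-consistent: `if (glink == NULL) { error (0, 0, gettext ("invalid sh_link value in section %Zu"), elf_ndxscn (scn)); return; }`. The same applies to the equivalent checks added in handle_symtab, handle_verneed, handle_verdef and handle_versym.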
1365@@ -1531,7 +1540,8 @@ static void
1366 handle_relocs_rel (Ebl *ebl, GElf_Ehdr *ehdr, Elf_Scn *scn, GElf_Shdr *shdr)
1367 {
1368 int class = gelf_getclass (ebl->elf);
1369- int nentries = shdr->sh_size / shdr->sh_entsize;
1370+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
1371+ int nentries = shdr->sh_size / sh_entsize;
1372
1373 /* Get the data of the section. */
1374 Elf_Data *data = elf_getdata (scn, NULL);
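Review bot: `int nentries = shdr->sh_size / sh_entsize;` keeps the pre-existing narrowing from size_t to int, so a crafted sh_size above INT_MAX * sizeof (ElfXX_Rel) yields a negative or wrapped count; the loop that consumes nentries lies outside this hunk, but it would then either skip the section or print a nonsense entry count. Since the line is being rewritten anyway, make it `size_t nentries = shdr->sh_size / sh_entsize;` and adjust the loop variable and printf cast to match. handle_relocs_rela and print_liblist below introduce the same narrowing.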
1375@@ -1717,7 +1727,8 @@ static void
1376 handle_relocs_rela (Ebl *ebl, GElf_Ehdr *ehdr, Elf_Scn *scn, GElf_Shdr *shdr)
1377 {
1378 int class = gelf_getclass (ebl->elf);
1379- int nentries = shdr->sh_size / shdr->sh_entsize;
1380+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
1381+ int nentries = shdr->sh_size / sh_entsize;
1382
1383 /* Get the data of the section. */
1384 Elf_Data *data = elf_getdata (scn, NULL);
1385@@ -1964,6 +1975,13 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
1386 error (EXIT_FAILURE, 0,
1387 gettext ("cannot get section header string table index"));
1388
1389+ GElf_Shdr glink_mem;
1390+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1391+ &glink_mem);
1392+ if (glink == NULL)
1393+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1394+ elf_ndxscn (scn));
1395+
1396 /* Now we can compute the number of entries in the section. */
1397 unsigned int nsyms = data->d_size / (class == ELFCLASS32
1398 ? sizeof (Elf32_Sym)
1399@@ -1974,15 +1992,12 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
1400 nsyms),
1401 (unsigned int) elf_ndxscn (scn),
1402 elf_strptr (ebl->elf, shstrndx, shdr->sh_name), nsyms);
1403- GElf_Shdr glink;
1404 printf (ngettext (" %lu local symbol String table: [%2u] '%s'\n",
1405 " %lu local symbols String table: [%2u] '%s'\n",
1406 shdr->sh_info),
1407 (unsigned long int) shdr->sh_info,
1408 (unsigned int) shdr->sh_link,
1409- elf_strptr (ebl->elf, shstrndx,
1410- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1411- &glink)->sh_name));
1412+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1413
1414 fputs_unlocked (class == ELFCLASS32
1415 ? gettext ("\
1416@@ -2218,7 +2233,13 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn,
1417 error (EXIT_FAILURE, 0,
1418 gettext ("cannot get section header string table index"));
1419
1420- GElf_Shdr glink;
1421+ GElf_Shdr glink_mem;
1422+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1423+ &glink_mem);
1424+ if (glink == NULL)
1425+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1426+ elf_ndxscn (scn));
1427+
1428 printf (ngettext ("\
1429 \nVersion needs section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1430 "\
1431@@ -2229,9 +2250,7 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn,
1432 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1433 shdr->sh_offset,
1434 (unsigned int) shdr->sh_link,
1435- elf_strptr (ebl->elf, shstrndx,
1436- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1437- &glink)->sh_name));
1438+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1439
1440 unsigned int offset = 0;
1441 for (int cnt = shdr->sh_info; --cnt >= 0; )
1442@@ -2284,8 +2303,14 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
1443 error (EXIT_FAILURE, 0,
1444 gettext ("cannot get section header string table index"));
1445
1446+ GElf_Shdr glink_mem;
1447+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1448+ &glink_mem);
1449+ if (glink == NULL)
1450+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1451+ elf_ndxscn (scn));
1452+
1453 int class = gelf_getclass (ebl->elf);
1454- GElf_Shdr glink;
1455 printf (ngettext ("\
1456 \nVersion definition section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1457 "\
1458@@ -2297,9 +2322,7 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
1459 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1460 shdr->sh_offset,
1461 (unsigned int) shdr->sh_link,
1462- elf_strptr (ebl->elf, shstrndx,
1463- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1464- &glink)->sh_name));
1465+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1466
1467 unsigned int offset = 0;
1468 for (int cnt = shdr->sh_info; --cnt >= 0; )
1469@@ -2561,25 +2584,30 @@ handle_versym (Ebl *ebl, Elf_Scn *scn, G
1470 filename = NULL;
1471 }
1472
1473+ GElf_Shdr glink_mem;
1474+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1475+ &glink_mem);
1476+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_HALF, 1, EV_CURRENT);
1477+ if (glink == NULL)
1478+ error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
1479+ elf_ndxscn (scn));
1480+
1481 /* Print the header. */
1482- GElf_Shdr glink;
1483 printf (ngettext ("\
1484 \nVersion symbols section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'",
1485 "\
1486 \nVersion symbols section [%2u] '%s' contains %d entries:\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'",
1487- shdr->sh_size / shdr->sh_entsize),
1488+ shdr->sh_size / sh_entsize),
1489 (unsigned int) elf_ndxscn (scn),
1490 elf_strptr (ebl->elf, shstrndx, shdr->sh_name),
1491- (int) (shdr->sh_size / shdr->sh_entsize),
1492+ (int) (shdr->sh_size / sh_entsize),
1493 class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
1494 shdr->sh_offset,
1495 (unsigned int) shdr->sh_link,
1496- elf_strptr (ebl->elf, shstrndx,
1497- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1498- &glink)->sh_name));
1499+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1500
1501 /* Now we can finally look at the actual contents of this section. */
1502- for (unsigned int cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
1503+ for (unsigned int cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
1504 {
1505 if (cnt % 2 == 0)
1506 printf ("\n %4d:", cnt);
1507@@ -2628,7 +2656,17 @@ print_hash_info (Ebl *ebl, Elf_Scn *scn,
1508 for (Elf32_Word cnt = 0; cnt < nbucket; ++cnt)
1509 ++counts[lengths[cnt]];
1510
1511- GElf_Shdr glink;
1512+ GElf_Shdr glink_mem;
1513+ GElf_Shdr *glink = gelf_getshdr (elf_getscn (ebl->elf,
1514+ shdr->sh_link),
1515+ &glink_mem);
1516+ if (glink == NULL)
1517+ {
1518+ error (0, 0, gettext ("invalid sh_link value in section %Zu"),
1519+ elf_ndxscn (scn));
1520+ return;
1521+ }
1522+
1523 printf (ngettext ("\
1524 \nHistogram for bucket list length in section [%2u] '%s' (total of %d bucket):\n Addr: %#0*" PRIx64 " Offset: %#08" PRIx64 " Link to section: [%2u] '%s'\n",
1525 "\
1526@@ -2641,9 +2679,7 @@ print_hash_info (Ebl *ebl, Elf_Scn *scn,
1527 shdr->sh_addr,
1528 shdr->sh_offset,
1529 (unsigned int) shdr->sh_link,
1530- elf_strptr (ebl->elf, shstrndx,
1531- gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
1532- &glink)->sh_name));
1533+ elf_strptr (ebl->elf, shstrndx, glink->sh_name));
1534
1535 if (extrastr != NULL)
1536 fputs (extrastr, stdout);
1537@@ -2903,7 +2939,8 @@ print_liblist (Ebl *ebl)
1538
1539 if (shdr != NULL && shdr->sh_type == SHT_GNU_LIBLIST)
1540 {
1541- int nentries = shdr->sh_size / shdr->sh_entsize;
1542+ size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_LIB, 1, EV_CURRENT);
1543+ int nentries = shdr->sh_size / sh_entsize;
1544 printf (ngettext ("\
1545 \nLibrary list section [%2zu] '%s' at offset %#0" PRIx64 " contains %d entry:\n",
1546 "\
1547@@ -4164,6 +4201,16 @@ print_debug_aranges_section (Dwfl_Module
1548 return;
1549 }
1550
1551+ GElf_Shdr glink_mem;
1552+ GElf_Shdr *glink;
1553+ glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
1554+ if (glink == NULL)
1555+ {
1556+ error (0, 0, gettext ("invalid sh_link value in section %Zu"),
1557+ elf_ndxscn (scn));
1558+ return;
1559+ }
1560+
1561 printf (ngettext ("\
1562 \nDWARF section [%2zu] '%s' at offset %#" PRIx64 " contains %zu entry:\n",
1563 "\
1564Index: elfutils-0.155/src/strip.c
1565===================================================================
1566--- elfutils-0.155.orig/src/strip.c 2010-07-03 13:07:10.000000000 +0000
1567+++ elfutils-0.155/src/strip.c 2010-07-03 13:07:11.000000000 +0000
1568@@ -564,6 +564,11 @@ handle_elf (int fd, Elf *elf, const char
1569 goto fail_close;
1570 }
1571
1572+ if (shstrndx >= shnum)
1573+ goto illformed;
1574+
1575+#define elf_assert(test) do { if (!(test)) goto illformed; } while (0)
1576+
1577 /* Storage for section information. We leave room for two more
1578 entries since we unconditionally create a section header string
1579 table. Maybe some weird tool created an ELF file without one.
1580@@ -585,7 +590,7 @@ handle_elf (int fd, Elf *elf, const char
1581 {
1582 /* This should always be true (i.e., there should not be any
1583 holes in the numbering). */
1584- assert (elf_ndxscn (scn) == cnt);
1585+ elf_assert (elf_ndxscn (scn) == cnt);
1586
1587 shdr_info[cnt].scn = scn;
1588
1589@@ -598,6 +603,7 @@ handle_elf (int fd, Elf *elf, const char
1590 shdr_info[cnt].shdr.sh_name);
1591 if (shdr_info[cnt].name == NULL)
1592 {
1593+ illformed:
1594 error (0, 0, gettext ("illformed file '%s'"), fname);
1595 goto fail_close;
1596 }
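Review bot: `elf_assert` is defined in the middle of handle_elf with no comment saying why it replaces assert, and it is never `#undef`'d, so it leaks into the rest of the translation unit. Suggest `/* Checks on input data must not abort: bail out with the "illformed file" diagnostic instead.  */` above the `#define`, and either moving the definition to file scope next to the other macros or `#undef`ing it at the end of handle_elf. The jump target `illformed:` sits inside the `if (shdr_info[cnt].name == NULL)` body, which is legal C but deserves a one-line comment since it is reached from many places. handle_elf starts before this hunk and continues past the end of SOURCE.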
1597@@ -607,6 +613,8 @@ handle_elf (int fd, Elf *elf, const char
1598
1599 /* Remember the shdr.sh_link value. */
1600 shdr_info[cnt].old_sh_link = shdr_info[cnt].shdr.sh_link;
1601+ if (shdr_info[cnt].old_sh_link >= shnum)
1602+ goto illformed;
1603
1604 /* Sections in files other than relocatable object files which
1605 are not loaded can be freely moved by us. In relocatable
1606@@ -619,7 +627,7 @@ handle_elf (int fd, Elf *elf, const char
1607 appropriate reference. */
1608 if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB_SHNDX))
1609 {
1610- assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
1611+ elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
1612 shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx = cnt;
1613 }
1614 else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GROUP))
1615@@ -636,7 +644,12 @@ handle_elf (int fd, Elf *elf, const char
1616 for (inner = 1;
1617 inner < shdr_info[cnt].data->d_size / sizeof (Elf32_Word);
1618 ++inner)
1619+ {
1620+ if (grpref[inner] < shnum)
1621 shdr_info[grpref[inner]].group_idx = cnt;
1622+ else
1623+ goto illformed;
1624+ }
1625
1626 if (inner == 1 || (inner == 2 && (grpref[0] & GRP_COMDAT) == 0))
1627 /* If the section group contains only one element and this
1628@@ -647,7 +660,7 @@ handle_elf (int fd, Elf *elf, const char
1629 }
1630 else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GNU_versym))
1631 {
1632- assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
1633+ elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
1634 shdr_info[shdr_info[cnt].shdr.sh_link].version_idx = cnt;
1635 }
1636
1637@@ -655,7 +668,7 @@ handle_elf (int fd, Elf *elf, const char
1638 discarded right away. */
1639 if ((shdr_info[cnt].shdr.sh_flags & SHF_GROUP) != 0)
1640 {
1641- assert (shdr_info[cnt].group_idx != 0);
1642+ elf_assert (shdr_info[cnt].group_idx != 0);
1643
1644 if (shdr_info[shdr_info[cnt].group_idx].idx == 0)
1645 {
1646@@ -731,10 +744,14 @@ handle_elf (int fd, Elf *elf, const char
1647 {
1648 /* If a relocation section is marked as being removed make
1649 sure the section it is relocating is removed, too. */
1650- if ((shdr_info[cnt].shdr.sh_type == SHT_REL
1651+ if (shdr_info[cnt].shdr.sh_type == SHT_REL
1652 || shdr_info[cnt].shdr.sh_type == SHT_RELA)
1653- && shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
1654- shdr_info[cnt].idx = 1;
1655+ {
1656+ if (shdr_info[cnt].shdr.sh_info >= shnum)
1657+ goto illformed;
1658+ else if (shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
1659+ shdr_info[cnt].idx = 1;
1660+ }
1661
1662 /* If a group section is marked as being removed make
1663 sure all the sections it contains are being removed, too. */
1664@@ -778,7 +795,7 @@ handle_elf (int fd, Elf *elf, const char
1665 if (shdr_info[cnt].symtab_idx != 0
1666 && shdr_info[shdr_info[cnt].symtab_idx].data == NULL)
1667 {
1668- assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
1669+ elf_assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
1670
1671 shdr_info[shdr_info[cnt].symtab_idx].data
1672 = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
1673@@ -818,6 +835,9 @@ handle_elf (int fd, Elf *elf, const char
1674 else if (scnidx == SHN_XINDEX)
1675 scnidx = xndx;
1676
1677+ if (scnidx >= shnum)
1678+ goto illformed;
1679+
1680 if (shdr_info[scnidx].idx == 0)
1681 /* This symbol table has a real symbol in
1682 a discarded section. So preserve the
1683@@ -848,12 +868,16 @@ handle_elf (int fd, Elf *elf, const char
1684 }
1685
1686 /* Handle references through sh_info. */
1687- if (SH_INFO_LINK_P (&shdr_info[cnt].shdr)
1688- && shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
1689+ if (SH_INFO_LINK_P (&shdr_info[cnt].shdr))
1690+ {
1691+ if (shdr_info[cnt].shdr.sh_info >= shnum)
1692+ goto illformed;
1693+ else if ( shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
1694 {
1695 shdr_info[shdr_info[cnt].shdr.sh_info].idx = 1;
1696 changes |= shdr_info[cnt].shdr.sh_info < cnt;
1697 }
1698+ }
1699
1700 /* Mark the section as investigated. */
1701 shdr_info[cnt].idx = 2;
1702@@ -994,7 +1018,7 @@ handle_elf (int fd, Elf *elf, const char
1703 error (EXIT_FAILURE, 0, gettext ("while generating output file: %s"),
1704 elf_errmsg (-1));
1705
1706- assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1707+ elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1708
1709 /* Add this name to the section header string table. */
1710 shdr_info[cnt].se = ebl_strtabadd (shst, shdr_info[cnt].name, 0);
1711@@ -1031,7 +1055,7 @@ handle_elf (int fd, Elf *elf, const char
1712 error (EXIT_FAILURE, 0,
1713 gettext ("while create section header section: %s"),
1714 elf_errmsg (-1));
1715- assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1716+ elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
1717
1718 shdr_info[cnt].data = elf_newdata (shdr_info[cnt].newscn);
1719 if (shdr_info[cnt].data == NULL)
1720@@ -1087,7 +1111,7 @@ handle_elf (int fd, Elf *elf, const char
1721 error (EXIT_FAILURE, 0,
1722 gettext ("while create section header section: %s"),
1723 elf_errmsg (-1));
1724- assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
1725+ elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
1726
1727 /* Finalize the string table and fill in the correct indices in the
1728 section headers. */
1729@@ -1177,20 +1201,20 @@ handle_elf (int fd, Elf *elf, const char
1730 shndxdata = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
1731 NULL);
1732
1733- assert ((versiondata->d_size / sizeof (Elf32_Word))
1734+ elf_assert ((versiondata->d_size / sizeof (Elf32_Word))
1735 >= shdr_info[cnt].data->d_size / elsize);
1736 }
1737
1738 if (shdr_info[cnt].version_idx != 0)
1739 {
1740- assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
1741+ elf_assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
1742 /* This section has associated version
1743 information. We have to modify that
1744 information, too. */
1745 versiondata = elf_getdata (shdr_info[shdr_info[cnt].version_idx].scn,
1746 NULL);
1747
1748- assert ((versiondata->d_size / sizeof (GElf_Versym))
1749+ elf_assert ((versiondata->d_size / sizeof (GElf_Versym))
1750 >= shdr_info[cnt].data->d_size / elsize);
1751 }
1752
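Review bot: The converted assertions in this hunk still dereference the result of `elf_getdata` before it is checked: `versiondata` is assigned from `elf_getdata (shdr_info[shdr_info[cnt].version_idx].scn, NULL)` and the following `elf_assert` reads `versiondata->d_size`, so a malformed file for which `elf_getdata` returns NULL crashes before the `illformed` path can be taken. A guard right after the assignment, `if (versiondata == NULL) goto illformed;`, and the same for `shndxdata` in the symtab_idx branch, would preserve the intent of the robustify change. The first `elf_assert` in the hunk reads `versiondata->d_size` immediately after `shndxdata` was assigned, which looks like it was meant to be `shndxdata->d_size`; both declarations are outside the hunk, so I cannot confirm what `versiondata` holds at that point. handle_elf's body continues outside the hunk.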
1753@@ -1245,7 +1269,7 @@ handle_elf (int fd, Elf *elf, const char
1754 sec = shdr_info[sym->st_shndx].idx;
1755 else
1756 {
1757- assert (shndxdata != NULL);
1758+ elf_assert (shndxdata != NULL);
1759
1760 sec = shdr_info[xshndx].idx;
1761 }
1762@@ -1266,7 +1290,7 @@ handle_elf (int fd, Elf *elf, const char
1763 nxshndx = sec;
1764 }
1765
1766- assert (sec < SHN_LORESERVE || shndxdata != NULL);
1767+ elf_assert (sec < SHN_LORESERVE || shndxdata != NULL);
1768
1769 if ((inner != destidx || nshndx != sym->st_shndx
1770 || (shndxdata != NULL && nxshndx != xshndx))
1771@@ -1293,9 +1317,11 @@ handle_elf (int fd, Elf *elf, const char
1772 {
1773 size_t sidx = (sym->st_shndx != SHN_XINDEX
1774 ? sym->st_shndx : xshndx);
1775- assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION
1776- || (shdr_info[sidx].shdr.sh_type == SHT_GROUP
1777- && shdr_info[sidx].shdr.sh_info == inner));
1778+ elf_assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION
1779+ || ((shdr_info[sidx].shdr.sh_type
1780+ == SHT_GROUP)
1781+ && (shdr_info[sidx].shdr.sh_info
1782+ == inner)));
1783 }
1784 }
1785
1786@@ -1483,11 +1509,11 @@ handle_elf (int fd, Elf *elf, const char
1787 {
1788 GElf_Sym sym_mem;
1789 GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
1790- assert (sym != NULL);
1791+ elf_assert (sym != NULL);
1792
1793 const char *name = elf_strptr (elf, strshndx,
1794 sym->st_name);
1795- assert (name != NULL);
1796+ elf_assert (name != NULL);
1797 size_t hidx = elf_hash (name) % nbucket;
1798
1799 if (bucket[hidx] == 0)
1800@@ -1506,8 +1532,8 @@ handle_elf (int fd, Elf *elf, const char
1801 else
1802 {
1803 /* Alpha and S390 64-bit use 64-bit SHT_HASH entries. */
1804- assert (shdr_info[cnt].shdr.sh_entsize
1805- == sizeof (Elf64_Xword));
1806+ elf_assert (shdr_info[cnt].shdr.sh_entsize
1807+ == sizeof (Elf64_Xword));
1808
1809 Elf64_Xword *bucket = (Elf64_Xword *) hashd->d_buf;
1810
1811@@ -1537,11 +1563,11 @@ handle_elf (int fd, Elf *elf, const char
1812 {
1813 GElf_Sym sym_mem;
1814 GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
1815- assert (sym != NULL);
1816+ elf_assert (sym != NULL);
1817
1818 const char *name = elf_strptr (elf, strshndx,
1819 sym->st_name);
1820- assert (name != NULL);
1821+ elf_assert (name != NULL);
1822 size_t hidx = elf_hash (name) % nbucket;
1823
1824 if (bucket[hidx] == 0)