--- elfutils/libelf/ChangeLog

+++ elfutils/libelf/ChangeLog

@@ -521,6 +521,49 @@

 	If section content hasn't been read yet, do it before looking for the

 	block size.  If no section data present, infer size of section header.

+2005-05-17  Jakub Jelinek  <jakub@redhat.com>

+

+	* elf32_getphdr.c (elfw2(LIBELFBITS,getphdr)): Check if program header

+	table fits into object's bounds.

+	* elf_getshstrndx.c (elf_getshstrndx): Add elf->start_offset to

+	elf->map_address.  Check if first section header fits into object's

+	bounds.

+	* elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)):

+	Check if section header table fits into object's bounds.

+	* elf_begin.c (get_shnum): Ensure section headers fits into

+	object's bounds.

+	(file_read_elf): Make sure scncnt is small enough to allocate both

+	ElfXX_Shdr and Elf_Scn array.  Make sure section and program header

+	tables fit into object's bounds.  Avoid memory leak on failure.

+

+2005-05-14  Jakub Jelinek  <jakub@redhat.com>

+

+	* libelfP.h (INVALID_NDX): Define.

+	* gelf_getdyn.c (gelf_getdyn): Use it.  Remove ndx < 0 test if any.

+	* gelf_getlib.c (gelf_getlib): Likewise.

+	* gelf_getmove.c (gelf_getmove): Likewise.

+	* gelf_getrel.c (gelf_getrel): Likewise.

+	* gelf_getrela.c (gelf_getrela): Likewise.

+	* gelf_getsym.c (gelf_getsym): Likewise.

+	* gelf_getsyminfo.c (gelf_getsyminfo): Likewise.

+	* gelf_getsymshndx.c (gelf_getsymshndx): Likewise.

+	* gelf_getversym.c (gelf_getversym): Likewise.

+	* gelf_update_dyn.c (gelf_update_dyn): Likewise.

+	* gelf_update_lib.c (gelf_update_lib): Likewise.

+	* gelf_update_move.c (gelf_update_move): Likewise.

+	* gelf_update_rel.c (gelf_update_rel): Likewise.

+	* gelf_update_rela.c (gelf_update_rela): Likewise.

+	* gelf_update_sym.c (gelf_update_sym): Likewise.

+	* gelf_update_syminfo.c (gelf_update_syminfo): Likewise.

+	* gelf_update_symshndx.c (gelf_update_symshndx): Likewise.

+	* gelf_update_versym.c (gelf_update_versym): Likewise.

+	* elf_newscn.c (elf_newscn): Check for overflow.

+	* elf32_updatefile.c (__elfw2(LIBELFBITS,updatemmap)): Likewise.

+	(__elfw2(LIBELFBITS,updatefile)): Likewise.

+	* elf_begin.c (file_read_elf): Likewise.

+	* elf32_newphdr.c (elfw2(LIBELFBITS,newphdr)): Likewise.

+	* elf_getarsym.c (elf_getarsym): Likewise.

+	* elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)): Likewise.

 2005-05-11  Ulrich Drepper  <drepper@redhat.com>

 	* elf.h: Update again.

--- elfutils/libelf/elf32_getphdr.c

+++ elfutils/libelf/elf32_getphdr.c

@@ -105,6 +105,16 @@ __elfw2(LIBELFBITS,getphdr_wrlock) (elf)

       if (elf->map_address != NULL)

 	{

+	  /* First see whether the information in the ELF header is

+	     valid and it does not ask for too much.  */

+	  if (unlikely (ehdr->e_phoff >= elf->maximum_size)

+	      || unlikely (ehdr->e_phoff + size > elf->maximum_size))

+	    {

+	      /* Something is wrong.  */

+	      __libelf_seterrno (ELF_E_INVALID_PHDR);

+	      goto out;

+	    }

+

 	  /* All the data is already mapped.  Use it.  */

 	  void *file_phdr = ((char *) elf->map_address

 			     + elf->start_offset + ehdr->e_phoff);

--- elfutils/libelf/elf32_getshdr.c

+++ elfutils/libelf/elf32_getshdr.c

@@ -1,5 +1,5 @@

 /* Return section header.

-   Copyright (C) 1998, 1999, 2000, 2001, 2002, 2005, 2007 Red Hat, Inc.

+   Copyright (C) 1998, 1999, 2000, 2001, 2002, 2005, 2007, 2008 Red Hat, Inc.

    This file is part of Red Hat elfutils.

    Written by Ulrich Drepper <drepper@redhat.com>, 1998.

@@ -81,7 +81,8 @@ load_shdr_wrlock (Elf_Scn *scn)

     goto out;

   size_t shnum;

-  if (__elf_getshnum_rdlock (elf, &shnum) != 0)

+  if (__elf_getshnum_rdlock (elf, &shnum) != 0

+      || shnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Shdr)))

     goto out;

   size_t size = shnum * sizeof (ElfW2(LIBELFBITS,Shdr));

@@ -98,6 +99,16 @@ load_shdr_wrlock (Elf_Scn *scn)

   if (elf->map_address != NULL)

     {

+      /* First see whether the information in the ELF header is

+	 valid and it does not ask for too much.  */

+      if (unlikely (ehdr->e_shoff >= elf->maximum_size)

+	  || unlikely (ehdr->e_shoff + size > elf->maximum_size))

+	{

+	  /* Something is wrong.  */

+	  __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);

+	  goto free_and_out;

+	}

+

       ElfW2(LIBELFBITS,Shdr) *notcvt;

       /* All the data is already mapped.  If we could use it

--- elfutils/libelf/elf32_newphdr.c

+++ elfutils/libelf/elf32_newphdr.c

@@ -124,6 +124,12 @@ elfw2(LIBELFBITS,newphdr) (elf, count)

   else if (elf->state.ELFW(elf,LIBELFBITS).ehdr->e_phnum != count

 	   || elf->state.ELFW(elf,LIBELFBITS).phdr == NULL)

     {

+      if (unlikely (count > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))))

+	{

+	  result = NULL;

+	  goto out;

+	}

+

       /* Allocate a new program header with the appropriate number of

 	 elements.  */

       result = (ElfW2(LIBELFBITS,Phdr) *)

--- elfutils/libelf/elf32_updatefile.c

+++ elfutils/libelf/elf32_updatefile.c

@@ -220,6 +220,9 @@ __elfw2(LIBELFBITS,updatemmap) (Elf *elf

   /* Write all the sections.  Well, only those which are modified.  */

   if (shnum > 0)

     {

+      if (unlikely (shnum > SIZE_MAX / sizeof (Elf_Scn *)))

+ 	return 1;

+

       Elf_ScnList *list = &elf->state.ELFW(elf,LIBELFBITS).scns;

       Elf_Scn **scns = (Elf_Scn **) alloca (shnum * sizeof (Elf_Scn *));

       char *const shdr_start = ((char *) elf->map_address + elf->start_offset

@@ -633,6 +636,10 @@ __elfw2(LIBELFBITS,updatefile) (Elf *elf

   /* Write all the sections.  Well, only those which are modified.  */

   if (shnum > 0)

     {

+      if (unlikely (shnum > SIZE_MAX / (sizeof (Elf_Scn *)

+					+ sizeof (ElfW2(LIBELFBITS,Shdr)))))

+	return 1;

+

       off_t shdr_offset = elf->start_offset + ehdr->e_shoff;

 #if EV_NUM != 2

       xfct_t shdr_fctp = __elf_xfctstom[__libelf_version - 1][EV_CURRENT - 1][ELFW(ELFCLASS, LIBELFBITS) - 1][ELF_T_SHDR];

--- elfutils/libelf/elf_begin.c

+++ elfutils/libelf/elf_begin.c

@@ -165,7 +165,8 @@ get_shnum (void *map_address, unsigned c

       if (unlikely (result == 0) && ehdr.e32->e_shoff != 0)

 	{

-	  if (ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize)

+	  if (unlikely (ehdr.e32->e_shoff >= maxsize)

+	      || unlikely (ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize))

 	    /* Cannot read the first section header.  */

 	    return 0;

@@ -213,7 +214,8 @@ get_shnum (void *map_address, unsigned c

       if (unlikely (result == 0) && ehdr.e64->e_shoff != 0)

 	{

-	  if (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize)

+	  if (unlikely (ehdr.e64->e_shoff >= maxsize)

+	      || unlikely (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize))

 	    /* Cannot read the first section header.  */

 	    return 0;

@@ -285,6 +287,15 @@ file_read_elf (int fildes, void *map_add

     /* Could not determine the number of sections.  */

     return NULL;

+  /* Check for too many sections.  */

+  if (e_ident[EI_CLASS] == ELFCLASS32)

+    {

+      if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf32_Shdr)))

+	return NULL;

+    }

+  else if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr)))

+    return NULL;

+

   /* We can now allocate the memory.  */

   Elf *elf = allocate_elf (fildes, map_address, offset, maxsize, cmd, parent,

 			   ELF_K_ELF, scncnt * sizeof (Elf_Scn));

@@ -318,13 +329,31 @@ file_read_elf (int fildes, void *map_add

 	{

 	  /* We can use the mmapped memory.  */

 	  elf->state.elf32.ehdr = ehdr;

+

+	  if (unlikely (ehdr->e_shoff >= maxsize)

+	      || unlikely (ehdr->e_shoff

+			   + scncnt * sizeof (Elf32_Shdr) > maxsize))

+	    {

+	    free_and_out:

+	      free (elf);

+	      __libelf_seterrno (ELF_E_INVALID_FILE);

+	      return NULL;

+	    }

 	  elf->state.elf32.shdr

 	    = (Elf32_Shdr *) ((char *) ehdr + ehdr->e_shoff);

+

 	  if (ehdr->e_phnum > 0)

+	    {

 	    /* Assign a value only if there really is a program

 	       header.  Otherwise the value remains NULL.  */

+	      if (unlikely (ehdr->e_phoff >= maxsize)

+		  || unlikely (ehdr->e_phoff

+			       + ehdr->e_phnum

+			       * sizeof (Elf32_Phdr) > maxsize))

+		goto free_and_out;

 	    elf->state.elf32.phdr

 	      = (Elf32_Phdr *) ((char *) ehdr + ehdr->e_phoff);

+	    }

 	  for (size_t cnt = 0; cnt < scncnt; ++cnt)

 	    {

@@ -406,13 +435,26 @@ file_read_elf (int fildes, void *map_add

 	{

 	  /* We can use the mmapped memory.  */

 	  elf->state.elf64.ehdr = ehdr;

+

+	  if (unlikely (ehdr->e_shoff >= maxsize)

+	      || unlikely (ehdr->e_shoff

+			   + scncnt * sizeof (Elf32_Shdr) > maxsize))

+	    goto free_and_out;

 	  elf->state.elf64.shdr

 	    = (Elf64_Shdr *) ((char *) ehdr + ehdr->e_shoff);

+

 	  if (ehdr->e_phnum > 0)

+	    {

 	    /* Assign a value only if there really is a program

 	       header.  Otherwise the value remains NULL.  */

+	      if (unlikely (ehdr->e_phoff >= maxsize)

+		  || unlikely (ehdr->e_phoff

+			       + ehdr->e_phnum

+			       * sizeof (Elf32_Phdr) > maxsize))

+		goto free_and_out;

 	    elf->state.elf64.phdr

 	      = (Elf64_Phdr *) ((char *) ehdr + ehdr->e_phoff);

+	    }

 	  for (size_t cnt = 0; cnt < scncnt; ++cnt)

 	    {

--- elfutils/libelf/elf_getarsym.c

+++ elfutils/libelf/elf_getarsym.c

@@ -179,6 +179,9 @@ elf_getarsym (elf, ptr)

       size_t index_size = atol (tmpbuf);

       if (SARMAG + sizeof (struct ar_hdr) + index_size > elf->maximum_size

+#if SIZE_MAX <= 4294967295U

+	  || n >= SIZE_MAX / sizeof (Elf_Arsym)

+#endif

 	  || n * sizeof (uint32_t) > index_size)

 	{

 	  /* This index table cannot be right since it does not fit into

--- elfutils/libelf/elf_getshstrndx.c

+++ elfutils/libelf/elf_getshstrndx.c

@@ -125,10 +125,25 @@ elf_getshstrndx (elf, dst)

 	      if (elf->map_address != NULL

 		  && elf->state.elf32.ehdr->e_ident[EI_DATA] == MY_ELFDATA

 		  && (ALLOW_UNALIGNED

-		      || (((size_t) ((char *) elf->map_address + offset))

+		      || (((size_t) ((char *) elf->map_address

+			   + elf->start_offset + offset))

 			  & (__alignof__ (Elf32_Shdr) - 1)) == 0))

+		{

+		  /* First see whether the information in the ELF header is

+		     valid and it does not ask for too much.  */

+		  if (unlikely (offset + sizeof (Elf32_Shdr)

+				> elf->maximum_size))

+		    {

+		      /* Something is wrong.  */

+		      __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);

+		      result = -1;

+		      goto out;

+		    }

+

 		/* We can directly access the memory.  */

-		num = ((Elf32_Shdr *) (elf->map_address + offset))->sh_link;

+		  num = ((Elf32_Shdr *) (elf->map_address + elf->start_offset

+					 + offset))->sh_link;

+		}

 	      else

 		{

 		  /* We avoid reading in all the section headers.  Just read

@@ -163,10 +178,25 @@ elf_getshstrndx (elf, dst)

 	      if (elf->map_address != NULL

 		  && elf->state.elf64.ehdr->e_ident[EI_DATA] == MY_ELFDATA

 		  && (ALLOW_UNALIGNED

-		      || (((size_t) ((char *) elf->map_address + offset))

+		      || (((size_t) ((char *) elf->map_address

+			   + elf->start_offset + offset))

 			  & (__alignof__ (Elf64_Shdr) - 1)) == 0))

+		{

+		  /* First see whether the information in the ELF header is

+		     valid and it does not ask for too much.  */

+		  if (unlikely (offset + sizeof (Elf64_Shdr)

+				> elf->maximum_size))

+		    {

+		      /* Something is wrong.  */

+		      __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);

+		      result = -1;

+		      goto out;

+		    }

+

 		/* We can directly access the memory.  */

-		num = ((Elf64_Shdr *) (elf->map_address + offset))->sh_link;

+		  num = ((Elf64_Shdr *) (elf->map_address

+			 + elf->start_offset + offset))->sh_link;

+		}

 	      else

 		{

 		  /* We avoid reading in all the section headers.  Just read

--- elfutils/libelf/elf_newscn.c

+++ elfutils/libelf/elf_newscn.c

@@ -104,10 +104,18 @@ elf_newscn (elf)

   else

     {

       /* We must allocate a new element.  */

-      Elf_ScnList *newp;

+      Elf_ScnList *newp = NULL;

       assert (elf->state.elf.scnincr > 0);

+      if (

+#if SIZE_MAX <= 4294967295U

+	  likely (elf->state.elf.scnincr

+		  < SIZE_MAX / 2 / sizeof (Elf_Scn) - sizeof (Elf_ScnList))

+#else

+	  1

+#endif

+	  )

       newp = (Elf_ScnList *) calloc (sizeof (Elf_ScnList)

 				     + ((elf->state.elf.scnincr *= 2)

 					* sizeof (Elf_Scn)), 1);

--- elfutils/libelf/gelf_getdyn.c

+++ elfutils/libelf/gelf_getdyn.c

@@ -93,7 +93,8 @@ gelf_getdyn (data, ndx, dst)

 	 table entries has to be adopted.  The user better has provided

 	 a buffer where we can store the information.  While copying the

 	 data we are converting the format.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf32_Dyn)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

@@ -114,7 +115,8 @@ gelf_getdyn (data, ndx, dst)

       /* The data is already in the correct form.  Just make sure the

 	 index is OK.  */

-      if (unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, GElf_Dyn)

+	  || unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

--- elfutils/libelf/gelf_getlib.c

+++ elfutils/libelf/gelf_getlib.c

@@ -86,7 +86,8 @@ gelf_getlib (data, ndx, dst)

   /* The data is already in the correct form.  Just make sure the

      index is OK.  */

   GElf_Lib *result = NULL;

-  if (unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))

+  if (INVALID_NDX (ndx, GElf_Lib)

+      || unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))

     __libelf_seterrno (ELF_E_INVALID_INDEX);

   else

     {

--- elfutils/libelf/gelf_getmove.c

+++ elfutils/libelf/gelf_getmove.c

@@ -83,7 +83,8 @@ gelf_getmove (data, ndx, dst)

   /* The data is already in the correct form.  Just make sure the

      index is OK.  */

-  if (unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))

+  if (INVALID_NDX (ndx, GElf_Move)

+      || unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))

     {

       __libelf_seterrno (ELF_E_INVALID_INDEX);

       goto out;

--- elfutils/libelf/gelf_getrela.c

+++ elfutils/libelf/gelf_getrela.c

@@ -71,12 +71,6 @@ gelf_getrela (data, ndx, dst)

   if (data_scn == NULL)

     return NULL;

-  if (unlikely (ndx < 0))

-    {

-      __libelf_seterrno (ELF_E_INVALID_INDEX);

-      return NULL;

-    }

-

   if (unlikely (data_scn->d.d_type != ELF_T_RELA))

     {

       __libelf_seterrno (ELF_E_INVALID_HANDLE);

@@ -93,7 +87,8 @@ gelf_getrela (data, ndx, dst)

   if (scn->elf->class == ELFCLASS32)

     {

       /* We have to convert the data.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf32_Rela)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  result = NULL;

@@ -114,7 +109,8 @@ gelf_getrela (data, ndx, dst)

     {

       /* Simply copy the data after we made sure we are actually getting

 	 correct data.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf64_Rela)

+	  || unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  result = NULL;

--- elfutils/libelf/gelf_getrel.c

+++ elfutils/libelf/gelf_getrel.c

@@ -71,12 +71,6 @@ gelf_getrel (data, ndx, dst)

   if (data_scn == NULL)

     return NULL;

-  if (unlikely (ndx < 0))

-    {

-      __libelf_seterrno (ELF_E_INVALID_INDEX);

-      return NULL;

-    }

-

   if (unlikely (data_scn->d.d_type != ELF_T_REL))

     {

       __libelf_seterrno (ELF_E_INVALID_HANDLE);

@@ -93,7 +87,8 @@ gelf_getrel (data, ndx, dst)

   if (scn->elf->class == ELFCLASS32)

     {

       /* We have to convert the data.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf32_Rel)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  result = NULL;

@@ -113,7 +108,8 @@ gelf_getrel (data, ndx, dst)

     {

       /* Simply copy the data after we made sure we are actually getting

 	 correct data.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf64_Rel)

+	  || unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  result = NULL;

--- elfutils/libelf/gelf_getsym.c

+++ elfutils/libelf/gelf_getsym.c

@@ -90,7 +90,8 @@ gelf_getsym (data, ndx, dst)

 	 table entries has to be adopted.  The user better has provided

 	 a buffer where we can store the information.  While copying the

 	 data we are converting the format.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))

+      if (INVALID_NDX (ndx, Elf32_Sym)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

@@ -119,7 +120,8 @@ gelf_getsym (data, ndx, dst)

       /* The data is already in the correct form.  Just make sure the

 	 index is OK.  */

-      if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))

+      if (INVALID_NDX (ndx, GElf_Sym)

+	  || unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

--- elfutils/libelf/gelf_getsyminfo.c

+++ elfutils/libelf/gelf_getsyminfo.c

@@ -84,7 +84,8 @@ gelf_getsyminfo (data, ndx, dst)

   /* The data is already in the correct form.  Just make sure the

      index is OK.  */

-  if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))

+  if (INVALID_NDX (ndx, GElf_Syminfo)

+      || unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))

     {

       __libelf_seterrno (ELF_E_INVALID_INDEX);

       goto out;

--- elfutils/libelf/gelf_getsymshndx.c

+++ elfutils/libelf/gelf_getsymshndx.c

@@ -90,7 +90,9 @@ gelf_getsymshndx (symdata, shndxdata, nd

      section index table.  */

   if (likely (shndxdata_scn != NULL))

     {

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Word) > shndxdata_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf32_Word)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Word)

+		       > shndxdata_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

@@ -110,7 +112,8 @@ gelf_getsymshndx (symdata, shndxdata, nd

 	 table entries has to be adopted.  The user better has provided

 	 a buffer where we can store the information.  While copying the

 	 data we are converting the format.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))

+      if (INVALID_NDX (ndx, Elf32_Sym)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

@@ -139,7 +142,8 @@ gelf_getsymshndx (symdata, shndxdata, nd

       /* The data is already in the correct form.  Just make sure the

 	 index is OK.  */

-      if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))

+      if (INVALID_NDX (ndx, GElf_Sym)

+	  || unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

--- elfutils/libelf/gelf_getversym.c

+++ elfutils/libelf/gelf_getversym.c

@@ -92,7 +92,8 @@ gelf_getversym (data, ndx, dst)

   /* The data is already in the correct form.  Just make sure the

      index is OK.  */

-  if (unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))

+  if (INVALID_NDX (ndx, GElf_Versym)

+      || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))

     {

       __libelf_seterrno (ELF_E_INVALID_INDEX);

       result = NULL;

--- elfutils/libelf/gelf_update_dyn.c

+++ elfutils/libelf/gelf_update_dyn.c

@@ -71,12 +71,6 @@ gelf_update_dyn (data, ndx, src)

   if (data == NULL)

     return 0;

-  if (unlikely (ndx < 0))

-    {

-      __libelf_seterrno (ELF_E_INVALID_INDEX);

-      return 0;

-    }

-

   if (unlikely (data_scn->d.d_type != ELF_T_DYN))

     {

       /* The type of the data better should match.  */

@@ -102,7 +96,8 @@ gelf_update_dyn (data, ndx, src)

 	}

       /* Check whether we have to resize the data buffer.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf32_Dyn)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

@@ -116,7 +111,8 @@ gelf_update_dyn (data, ndx, src)

   else

     {

       /* Check whether we have to resize the data buffer.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf64_Dyn)

+	  || unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

--- elfutils/libelf/gelf_update_lib.c

+++ elfutils/libelf/gelf_update_lib.c

@@ -68,12 +68,6 @@ gelf_update_lib (data, ndx, src)

   if (data == NULL)

     return 0;

-  if (unlikely (ndx < 0))

-    {

-      __libelf_seterrno (ELF_E_INVALID_INDEX);

-      return 0;

-    }

-

   Elf_Data_Scn *data_scn = (Elf_Data_Scn *) data;

   if (unlikely (data_scn->d.d_type != ELF_T_LIB))

     {

@@ -87,7 +81,8 @@ gelf_update_lib (data, ndx, src)

   /* Check whether we have to resize the data buffer.  */

   int result = 0;

-  if (unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))

+  if (INVALID_NDX (ndx, Elf64_Lib)

+      || unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))

     __libelf_seterrno (ELF_E_INVALID_INDEX);

   else

     {

--- elfutils/libelf/gelf_update_move.c

+++ elfutils/libelf/gelf_update_move.c

@@ -75,7 +75,7 @@ gelf_update_move (data, ndx, src)

   assert (sizeof (GElf_Move) == sizeof (Elf64_Move));

   /* Check whether we have to resize the data buffer.  */

-  if (unlikely (ndx < 0)

+  if (INVALID_NDX (ndx, GElf_Move)

       || unlikely ((ndx + 1) * sizeof (GElf_Move) > data_scn->d.d_size))

     {

       __libelf_seterrno (ELF_E_INVALID_INDEX);

--- elfutils/libelf/gelf_update_rela.c

+++ elfutils/libelf/gelf_update_rela.c

@@ -68,12 +68,6 @@ gelf_update_rela (Elf_Data *dst, int ndx

   if (dst == NULL)

     return 0;

-  if (unlikely (ndx < 0))

-    {

-      __libelf_seterrno (ELF_E_INVALID_INDEX);

-      return 0;

-    }

-

   if (unlikely (data_scn->d.d_type != ELF_T_RELA))

     {

       /* The type of the data better should match.  */

@@ -101,7 +95,8 @@ gelf_update_rela (Elf_Data *dst, int ndx

 	}

       /* Check whether we have to resize the data buffer.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf32_Rela)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

@@ -117,7 +112,8 @@ gelf_update_rela (Elf_Data *dst, int ndx

   else

     {

       /* Check whether we have to resize the data buffer.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf64_Rela)

+	  || unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

--- elfutils/libelf/gelf_update_rel.c

+++ elfutils/libelf/gelf_update_rel.c

@@ -68,12 +68,6 @@ gelf_update_rel (Elf_Data *dst, int ndx,

   if (dst == NULL)

     return 0;

-  if (unlikely (ndx < 0))

-    {

-      __libelf_seterrno (ELF_E_INVALID_INDEX);

-      return 0;

-    }

-

   if (unlikely (data_scn->d.d_type != ELF_T_REL))

     {

       /* The type of the data better should match.  */

@@ -99,7 +93,8 @@ gelf_update_rel (Elf_Data *dst, int ndx,

 	}

       /* Check whether we have to resize the data buffer.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf32_Rel)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

@@ -114,7 +109,8 @@ gelf_update_rel (Elf_Data *dst, int ndx,

   else

     {

       /* Check whether we have to resize the data buffer.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf64_Rel)

+	  || unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

--- elfutils/libelf/gelf_update_sym.c

+++ elfutils/libelf/gelf_update_sym.c

@@ -72,12 +72,6 @@ gelf_update_sym (data, ndx, src)

   if (data == NULL)

     return 0;

-  if (unlikely (ndx < 0))

-    {

-      __libelf_seterrno (ELF_E_INVALID_INDEX);

-      return 0;

-    }

-

   if (unlikely (data_scn->d.d_type != ELF_T_SYM))

     {

       /* The type of the data better should match.  */

@@ -102,7 +96,8 @@ gelf_update_sym (data, ndx, src)

 	}

       /* Check whether we have to resize the data buffer.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf32_Sym)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

@@ -125,7 +120,8 @@ gelf_update_sym (data, ndx, src)

   else

     {

       /* Check whether we have to resize the data buffer.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf64_Sym)

+	  || unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

--- elfutils/libelf/gelf_update_syminfo.c

+++ elfutils/libelf/gelf_update_syminfo.c

@@ -72,12 +72,6 @@ gelf_update_syminfo (data, ndx, src)

   if (data == NULL)

     return 0;

-  if (unlikely (ndx < 0))

-    {

-      __libelf_seterrno (ELF_E_INVALID_INDEX);

-      return 0;

-    }

-

   if (unlikely (data_scn->d.d_type != ELF_T_SYMINFO))

     {

       /* The type of the data better should match.  */

@@ -93,7 +87,8 @@ gelf_update_syminfo (data, ndx, src)

   rwlock_wrlock (scn->elf->lock);

   /* Check whether we have to resize the data buffer.  */

-  if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))

+  if (INVALID_NDX (ndx, GElf_Syminfo)

+      || unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))

     {

       __libelf_seterrno (ELF_E_INVALID_INDEX);

       goto out;

--- elfutils/libelf/gelf_update_symshndx.c

+++ elfutils/libelf/gelf_update_symshndx.c

@@ -77,12 +77,6 @@ gelf_update_symshndx (symdata, shndxdata

   if (symdata == NULL)

     return 0;

-  if (unlikely (ndx < 0))

-    {

-      __libelf_seterrno (ELF_E_INVALID_INDEX);

-      return 0;

-    }

-

   if (unlikely (symdata_scn->d.d_type != ELF_T_SYM))

     {

       /* The type of the data better should match.  */

@@ -128,7 +122,8 @@ gelf_update_symshndx (symdata, shndxdata

 	}

       /* Check whether we have to resize the data buffer.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf32_Sym)

+	  || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

@@ -151,7 +146,8 @@ gelf_update_symshndx (symdata, shndxdata

   else

     {

       /* Check whether we have to resize the data buffer.  */

-      if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))

+      if (INVALID_NDX (ndx, Elf64_Sym)

+	  || unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))

 	{

 	  __libelf_seterrno (ELF_E_INVALID_INDEX);

 	  goto out;

--- elfutils/libelf/gelf_update_versym.c

+++ elfutils/libelf/gelf_update_versym.c

@@ -75,7 +75,7 @@ gelf_update_versym (data, ndx, src)

   assert (sizeof (GElf_Versym) == sizeof (Elf64_Versym));

   /* Check whether we have to resize the data buffer.  */

-  if (unlikely (ndx < 0)

+  if (INVALID_NDX (ndx, GElf_Versym)

       || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data_scn->d.d_size))

     {

       __libelf_seterrno (ELF_E_INVALID_INDEX);

--- elfutils/libelf/libelfP.h

+++ elfutils/libelf/libelfP.h

@@ -611,4 +611,13 @@ extern uint32_t __libelf_crc32 (uint32_t

 /* Align offset to 4 bytes as needed for note name and descriptor data.  */

 #define NOTE_ALIGN(n)	(((n) + 3) & -4U)

+/* Convenience macro.  Assumes int NDX and TYPE with size at least

+   2 bytes.  */

+#if SIZE_MAX > 4294967295U

+# define INVALID_NDX(ndx, type) unlikely (ndx < 0)

+#else

+# define INVALID_NDX(ndx, type) \

+  unlikely ((unsigned int) (ndx) >= SIZE_MAX / sizeof (type))

+#endif

+

 #endif  /* libelfP.h */

--- elfutils/src/ChangeLog

+++ elfutils/src/ChangeLog

@@ -1347,6 +1347,16 @@

 	object symbols or symbols with unknown type.

 	(check_rel): Likewise.

+2005-06-09  Roland McGrath  <roland@redhat.com>

+

+	* readelf.c (handle_dynamic, handle_symtab): Check for bogus sh_link.

+	(handle_verneed, handle_verdef, handle_versym, handle_hash): Likewise.

+	(handle_scngrp): Check for bogus sh_info.

+

+	* strip.c (handle_elf): Check for bogus values in sh_link, sh_info,

+	st_shndx, e_shstrndx, and SHT_GROUP or SHT_SYMTAB_SHNDX data.

+	Don't use assert on input values, instead bail with "illformed" error.

+

 2005-06-08  Roland McGrath  <roland@redhat.com>

 	* readelf.c (print_ops): Add consts.

@@ -1392,6 +1402,19 @@

 	* readelf.c (dwarf_tag_string): Add new tags.

+2005-05-17  Jakub Jelinek  <jakub@redhat.com>

+

+	* elflint.c (check_hash): Don't check entries beyond end of section.

+	(check_note): Don't crash if gelf_rawchunk fails.

+	(section_name): Return <invalid> if gelf_getshdr returns NULL.

+

+2005-05-14  Jakub Jelinek  <jakub@redhat.com>

+

+	* elflint.c (section_name): Return "<invalid>" instead of

+	crashing on invalid section name.

+	(check_symtab, is_rel_dyn, check_rela, check_rel, check_dynamic,

+	check_symtab_shndx, check_hash, check_versym): Robustify.

+

 2005-05-08  Roland McGrath  <roland@redhat.com>

 	* strip.c (handle_elf): Don't translate hash and versym data formats,

--- elfutils/src/elflint.c

+++ elfutils/src/elflint.c

@@ -130,6 +130,9 @@ static uint32_t shstrndx;

 /* Array to count references in section groups.  */

 static int *scnref;

+/* Number of sections.  */

+static unsigned int shnum;

+

 int

 main (int argc, char *argv[])

@@ -318,10 +321,19 @@ section_name (Ebl *ebl, int idx)

 {

   GElf_Shdr shdr_mem;

   GElf_Shdr *shdr;

+  const char *ret;

+

+  if ((unsigned int) idx > shnum)

+    return "<invalid>";

   shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);

+  if (shdr == NULL)

+    return "<invalid>";

-  return elf_strptr (ebl->elf, shstrndx, shdr->sh_name);

+  ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);

+  if (ret == NULL)

+    return "<invalid>";

+  return ret;

 }

@@ -343,10 +355,6 @@ static const int valid_e_machine[] =

   (sizeof (valid_e_machine) / sizeof (valid_e_machine[0]))

-/* Number of sections.  */

-static unsigned int shnum;

-

-

 static void

 check_elf_header (Ebl *ebl, GElf_Ehdr *ehdr, size_t size)

 {

@@ -611,7 +619,8 @@ section [%2d] '%s': symbol table cannot 

 	  }