Unsigned integer overflows in readelf checks

[deliverable/binutils-gdb.git] / binutils / readelf.c

diff --git a/binutils/readelf.c b/binutils/readelf.c
index b13eb6a43ba34f6346a2a080573d972540c91010..3f424c4e63d6779c27c83a2ad8a0d02217fb696b 100644 (file)
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -398,10 +398,11 @@ get_data (void *         var,
       return NULL;
     }
 
-  /* Be kind to memory chekers (eg valgrind, address sanitizer) by not
+  /* Be kind to memory checkers (eg valgrind, address sanitizer) by not
      attempting to allocate memory when the read is bound to fail.  */
-  if (amt > filedata->file_size
-      || offset + archive_file_offset + amt > filedata->file_size)
+  if (archive_file_offset > filedata->file_size
+      || offset > filedata->file_size - archive_file_offset
+      || amt > filedata->file_size - archive_file_offset - offset)
     {
       if (reason)
        error (_("Reading %s bytes extends past end of file for %s\n"),
@@ -5235,7 +5236,8 @@ process_program_headers (Filedata * filedata)
             segment.  Check this after matching against the section headers
             so we don't warn on debuginfo file (which have NOBITS .dynamic
             sections).  */
-         if (dynamic_addr + dynamic_size >= filedata->file_size)
+         if (dynamic_addr > filedata->file_size
+             || dynamic_size > filedata->file_size - dynamic_addr)
            {
              error (_("the dynamic segment offset + size exceeds the size of the file\n"));
              dynamic_addr = dynamic_size = 0;
@@ -8852,21 +8854,28 @@ decode_tic6x_unwind_bytecode (Filedata *                 filedata,
            }
 
          printf (_("pop frame {"));
-         reg = nregs - 1;
-         for (i = i * 2; i > 0; i--)
+         if (nregs == 0)
+           {
+             printf (_("*corrupt* - no registers specified"));
+           }
+         else
            {
-             if (regpos[reg].offset == i - 1)
+             reg = nregs - 1;
+             for (i = i * 2; i > 0; i--)
                {
-                 name = tic6x_unwind_regnames[regpos[reg].reg];
-                 if (reg > 0)
-                   reg--;
-               }
-             else
-               name = _("[pad]");
+                 if (regpos[reg].offset == i - 1)
+                   {
+                     name = tic6x_unwind_regnames[regpos[reg].reg];
+                     if (reg > 0)
+                       reg--;
+                   }
+                 else
+                   name = _("[pad]");
 
-             fputs (name, stdout);
-             if (i > 1)
-               printf (", ");
+                 fputs (name, stdout);
+                 if (i > 1)
+                   printf (", ");
+               }
            }
 
          printf ("}");
@@ -18741,7 +18750,7 @@ process_notes_at (Filedata *           filedata,
         one version of Linux (RedHat 6.0) generates corefiles that don't
         comply with the ELF spec by failing to include the null byte in
         namesz.  */
-      if (inote.namedata[inote.namesz - 1] != '\0')
+      if (inote.namesz > 0 && inote.namedata[inote.namesz - 1] != '\0')
        {
          if ((size_t) (inote.descdata - inote.namedata) == inote.namesz)
            {