authorMark Wielaard <mjw@redhat.com>2015-05-06 17:38:18 +0200
committerMark Wielaard <mjw@redhat.com>2015-05-12 16:48:33 +0200
commit5e80a1e8f57fbae3bd5687bb80a65e97f824f914 (patch)
treec10e6d88946a4ace08877fdad42620d844fea62e /src/elflint.c
parent9d0926538635fe9a2bda0684623516aaf4407ecb (diff)
elflint: Add sanity checks to check_attributes.
This is similar to commit 9644aa for readelf print_attributes. Bail out when the vendor name isn't terminated and add an overflow check for subsection_len. Note that readelf does handle non-gnu attributes, while elflint doesn't. Signed-off-by: Mark Wielaard <mjw@redhat.com>
Diffstat (limited to 'src/elflint.c')
-rw-r--r--src/elflint.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/elflint.c b/src/elflint.c
index 4e536460..df476a1f 100644
--- a/src/elflint.c
+++ b/src/elflint.c
@@ -3423,7 +3423,7 @@ section [%2d] '%s': offset %zu: invalid length in attribute section\n"),
ERROR (gettext ("\
section [%2d] '%s': offset %zu: unterminated vendor name string\n"),
idx, section_name (ebl, idx), pos (p));
- continue;
+ break;
}
++q;
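Review bot: The new `break` on the unterminated-vendor-name path has no comment saying why the whole attribute walk is abandoned rather than the offending chunk skipped, and a later reader is likely to "fix" it back to `continue`. From the hunk alone it looks like the previous `continue` left `p` unadvanced and so re-scanned the same chunk forever, but the loop header is outside the hunk, so that is an inference worth confirming. If the chunk's total length was already validated before this point (the preceding error message mentions an invalid length in the attribute section), skipping to the end of that chunk and continuing would let elflint report problems in later chunks instead of stopping at the first bad one; if not, `break` is the right call and a one-line comment such as `/* Without a terminated vendor name the subsections cannot be located; stop scanning instead of re-examining the same chunk. */` above the `break` would make the intent explicit. The enclosing check_attributes function starts and ends outside this hunk.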
@@ -3466,7 +3466,9 @@ section [%2d] '%s': offset %zu: zero length field in attribute subsection\n"),
if (MY_ELFDATA != ehdr->e_ident[EI_DATA])
CONVERT (subsection_len);
- if (p - chunk < (ptrdiff_t) subsection_len)
+ /* Don't overflow, ptrdiff_t might be 32bits, but signed. */
+ if (p - chunk < (ptrdiff_t) subsection_len
+ || subsection_len >= (uint32_t) PTRDIFF_MAX)
{
ERROR (gettext ("\
section [%2d] '%s': offset %zu: invalid length in attribute subsection\n"),