On Fri, Jul 12, 2019 at 3:04 PM Ren Kimura <rkx1209...@gmail.com> wrote:
>
> This patch fixes Bug 90924.
> simple_object_elf functions don't load section table 0 of the ELF file, which is
> not useful.
> However, if e_shstrndx in the ELF header points to section table 0 (i.e.
> e_shstrndx == 0), the calculation of the offset to the string section table causes
> an integer overflow at every line "(eor->shstrndx - 1)".
> The result becomes the negative value (unsigned int)-1 and causes memory corruption.
>
> Signed-off-by: Ren Kimura <rkx1209...@gmail.com>
> ---
> libiberty/simple-object-elf.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
> index 22c9ae7ed2d..33562e4eb18 100644
> --- a/libiberty/simple-object-elf.c
> +++ b/libiberty/simple-object-elf.c
> @@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char
> header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
> XDELETE (eor);
> return NULL;
> }
> -
> +
> + if (!eor->shstrndx)
> + {
> + *errmsg = "invalid ELF shstrndx == 0";
> + *err = 0;
> + XDELETE (eor);
> + return NULL;
> + }
> +
> return (void *) eor;
> }
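Review bot: the new check applies a boolean negation to a section index; `if (!eor->shstrndx)` should be written as an explicit comparison, `if (eor->shstrndx == 0)`, since shstrndx is an index, not a flag. The hunk also deletes and re-adds a blank line (the `-`/`+` pair just above the new block), which looks like a whitespace-only change and should be dropped so the diff carries only the functional change. The placement itself is sound: rejecting shstrndx == 0 inside simple_object_elf_match, before `return (void *) eor;`, means no later `eor->shstrndx - 1` computation can wrap to (unsigned int)-1 as the commit message describes, and the error path (`*errmsg`, `*err = 0`, `XDELETE (eor)`, `return NULL`) mirrors the neighbouring error return. The submission is still missing the ChangeLog entry that libiberty patches require.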
Please write that as

if (eor->shstrndx == 0)

It's not a boolean value, so don't use a boolean negation.

This is OK with that change and a ChangeLog entry.

Thanks.

Ian