From 458027d294ac6e8a8678d9fd0f96759d7196ae2b Mon Sep 17 00:00:00 2001
From: Mark Wielaard
Date: Tue, 12 May 2015 15:16:35 +0200
Subject: libelf: Make sure shdrs are valid before storing extended phnum in newphdr.

Creating phdr with more than PN_XNUM phnum requires a valid section zero
shdr to store the extended value. Make sure the shdrs are valid.
Also fix the error when count was too big to store by setting
ELF_E_INVALID_INDEX before failing.

Signed-off-by: Mark Wielaard
---
 libelf/ChangeLog       |  6 ++++++
 libelf/elf32_newphdr.c | 12 +++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
(limited to 'libelf')

diff --git a/libelf/ChangeLog b/libelf/ChangeLog
index 312d5cfb..a7983a0a 100644
--- a/libelf/ChangeLog
+++ b/libelf/ChangeLog
@@ -1,3 +1,9 @@
+2015-05-12 Mark Wielaard
+
+	* elf32_newphdr.c (newphdr): Call __libelf_seterrno with
+	ELF_E_INVALID_INDEX before failing. Check whether section zero shdr
+	actually exists if we need to put extended phnum in section zero.
+
 2015-05-08 Mark Wielaard
 
 	* nlist.c (nlist): Call gelf_fsize with EV_CURRENT.
diff --git a/libelf/elf32_newphdr.c b/libelf/elf32_newphdr.c
index 01038e73..f89153b4 100644
--- a/libelf/elf32_newphdr.c
+++ b/libelf/elf32_newphdr.c
@@ -116,6 +116,17 @@ elfw2(LIBELFBITS,newphdr) (elf, count)
     {
       if (unlikely (count > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))))
         {
+          __libelf_seterrno (ELF_E_INVALID_INDEX);
+          result = NULL;
+          goto out;
+        }
+
+      Elf_Scn *scn0 = &elf->state.ELFW(elf,LIBELFBITS).scns.data[0];
+      if (unlikely (count >= PN_XNUM && scn0->shdr.ELFW(e,LIBELFBITS) == NULL))
+        {
+          /* Something is wrong with section zero, but we need it to write
+             the extended phdr count. */
+          __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
           result = NULL;
           goto out;
         }
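Review bot: The new guard reports ELF_E_INVALID_SECTION_HEADER whenever section zero has no shdr yet, but for an Elf still being built (the `scns.cnt == 0` state that the second hunk continues to treat as legitimate) a missing header is an unmet precondition rather than a corrupt one, and the comment `Something is wrong with section zero` will mislead a caller who simply has not created section zero before asking for count >= PN_XNUM. I would spell the contract out in that comment, e.g. `/* Section zero must already have a section header before count >= PN_XNUM can be stored in its sh_info; we do not create it here.  */`, and add the same precondition to the function's API documentation. Whether a freshly created writable Elf really reaches this point with a NULL shdr cannot be confirmed from the hunk, so the wording should be checked against elf_newscn and elf_begin. Note also that `scns.data[0]` is read here regardless of `scns.cnt`; the assert on `scns.max > 0` in the second hunk suggests a zeroth slot is always allocated, but if `scns.max` can be 0 for some Elf kinds this read is past the allocation, which is worth confirming. The enclosing newphdr function starts before and continues after this hunk.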
@@ -134,7 +145,6 @@ elfw2(LIBELFBITS,newphdr) (elf, count)
       if (count >= PN_XNUM)
         {
           /* We have to write COUNT into the zeroth section's sh_info. */
-          Elf_Scn *scn0 = &elf->state.ELFW(elf,LIBELFBITS).scns.data[0];
           if (elf->state.ELFW(elf,LIBELFBITS).scns.cnt == 0)
             {
               assert (elf->state.ELFW(elf,LIBELFBITS).scns.max > 0);
-- 
cgit v1.2.3
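Review bot: With scn0 now declared earlier in the function, the `scns.cnt == 0` branch kept here only runs when section zero already has a section header (the check added in the first hunk rejects a NULL shdr for count >= PN_XNUM), and nothing in either hunk explains how a header can exist while the section count is still zero; if that state is unreachable the branch and its assert are dead code after this change, and if it is reachable a comment should name who creates the header without bumping the count. A suitable comment on the `if` line, once the producer is confirmed, would be `/* Section zero has a header but is not yet counted; count it so the extended phnum ends up in the file.  */`. The branch body and the write into sh_info that the new check protects lie past the end of the hunk and are not visible here.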