authorMark Wielaard <[email protected]>2015-05-06 17:38:18 +0200
committerMark Wielaard <[email protected]>2015-05-12 16:48:33 +0200
commit5e80a1e8f57fbae3bd5687bb80a65e97f824f914 (patch)
treec10e6d88946a4ace08877fdad42620d844fea62e /src
parent9d0926538635fe9a2bda0684623516aaf4407ecb (diff)
elflint: Add sanity checks to check_attributes.
This is similar to commit 9644aa for readelf print_attributes. Bail out when the vendor name isn't terminated and add overflow check for subsection_len. Note that readelf does handle non-gnu attributes, while elflint doesn't. Signed-off-by: Mark Wielaard <[email protected]>
Diffstat (limited to 'src')
-rw-r--r--src/ChangeLog2
-rw-r--r--src/elflint.c6
2 files changed, 6 insertions, 2 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index 93f4aba2..089fe93f 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -4,6 +4,8 @@
shift too big.
(check_verdef): Use Elf64_Word for shdr->sh_info cnt.
(check_verneed): Likewise.
+ (check_attributes): Break when vendor name isn't terminated.
+ Add overflow check for subsection_len.
2015-05-05 Mark Wielaard <[email protected]>
diff --git a/src/elflint.c b/src/elflint.c
index 4e536460..df476a1f 100644
--- a/src/elflint.c
+++ b/src/elflint.c
@@ -3423,7 +3423,7 @@ section [%2d] '%s': offset %zu: invalid length in attribute section\n"),
ERROR (gettext ("\
section [%2d] '%s': offset %zu: unterminated vendor name string\n"),
idx, section_name (ebl, idx), pos (p));
- continue;
+ break;
}
++q;
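Review bot: The `break` that replaces `continue` after the "unterminated vendor name string" error carries no comment, so a later reader cannot tell whether leaving the rest of the section unchecked is deliberate or an oversight. A one-line comment above it would settle that, e.g. `/* No terminator in the remaining bytes, so nothing after this point can be parsed; stop scanning this section.  */`. The loop this breaks out of starts outside the hunk, so I cannot confirm from here what `continue` would have done with `p` left at the bad bytes; the commit message suggests it did not advance. Documentation only, no code change proposed.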
@@ -3466,7 +3466,9 @@ section [%2d] '%s': offset %zu: zero length field in attribute subsection\n"),
if (MY_ELFDATA != ehdr->e_ident[EI_DATA])
CONVERT (subsection_len);
- if (p - chunk < (ptrdiff_t) subsection_len)
+ /* Don't overflow, ptrdiff_t might be 32bits, but signed. */
+ if (p - chunk < (ptrdiff_t) subsection_len
+ || subsection_len >= (uint32_t) PTRDIFF_MAX)
{
ERROR (gettext ("\
section [%2d] '%s': offset %zu: invalid length in attribute subsection\n"),