===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ctfconv/elf.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -c -r1.5 -r1.6
*** src/usr.bin/ctfconv/elf.c 2017/09/29 16:05:53 1.5
--- src/usr.bin/ctfconv/elf.c 2017/09/30 10:15:59 1.6
***************
*** 1,4 ****
! /* $OpenBSD: elf.c,v 1.5 2017/09/29 16:05:53 jsg Exp $ */
  /*
   * Copyright (c) 2016 Martin Pieuchot
--- 1,4 ----
! /* $OpenBSD: elf.c,v 1.6 2017/09/30 10:15:59 jsg Exp $ */
  /*
   * Copyright (c) 2016 Martin Pieuchot
***************
*** 125,130 ****
--- 125,133 ----
  if ((sh->sh_offset + sh->sh_size) > filesize)
  continue;
+ if (sh->sh_entsize == 0)
+ continue;
+ 
  if (strncmp(shstab + sh->sh_name, ELF_SYMTAB, snlen) == 0) {
  if (symtab != NULL)
  *symtab = (Elf_Sym *)(p + sh->sh_offset);
***************
*** 154,159 ****
--- 157,165 ----
  /* Find the given section. */
  for (i = 0; i < eh->e_shnum; i++) {
+ if ((eh->e_shoff + i * eh->e_shentsize) > filesize)
+ continue;
+ 
  sh = (Elf_Shdr *)(p + eh->e_shoff + i * eh->e_shentsize);
  if ((sh->sh_link >= eh->e_shnum) || (sh->sh_name >= shstabsz))
***************
*** 242,247 ****
--- 248,256 ----
  /* Apply possible relocation. */
  for (i = 0; i < eh->e_shnum; i++) {
+ if ((eh->e_shoff + i * eh->e_shentsize) > filesize)
+ continue;
+ 
  sh = (Elf_Shdr *)(p + eh->e_shoff + i * eh->e_shentsize);
  if (sh->sh_size == 0)
***************
*** 250,255 ****
--- 259,267 ----
  if ((sh->sh_info != sidx) || (sh->sh_link != symtabidx))
  continue;
+ if ((sh->sh_offset + sh->sh_size) > filesize)
+ continue;
+ 
  switch (sh->sh_type) {
  case SHT_RELA:
  rela = (Elf_RelA *)(p + sh->sh_offset);
***************
*** 259,264 ****
--- 271,278 ----
  roff = rela[j].r_offset;
  if (rsym >= nsymb)
  continue;
+ if (roff >= filesize)
+ continue;
  sym = &symtab[rsym];
  value = sym->st_value + rela[j].r_addend;
***************
*** 276,281 ****
--- 290,297 ----
  rtyp = ELF_R_TYPE(rel[j].r_info);
  roff = rel[j].r_offset;
  if (rsym >= nsymb)
+ continue;
+ if (roff >= filesize)
  continue;
  sym = &symtab[rsym];
  value = sym->st_value;
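Review bot: The guard added at the top of the `for` loop in the `*** 154,159 ****` hunk only establishes that the first byte of the section header lies inside the file, so a header beginning in the last few bytes is still read past `filesize` through `sh` on the next line, and an offset exactly equal to `filesize` also passes because the comparison is `>` rather than `>=`. The bound should cover the whole header, `if (eh->e_shoff + i * eh->e_shentsize + sizeof(*sh) > filesize) continue;`, and `e_shentsize` should be rejected once before the loop when it is smaller than `sizeof(*sh)`, since the header fields are untrusted and, depending on the type of `i`, the product may be evaluated in `int` and wrap. The `*** 242,247 ****` hunk adds the same one-byte check to the relocation loop and needs the same change. The enclosing function of both hunks begins and ends outside the hunk.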
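Review bot: The range check added in the `*** 250,255 ****` hunk, `(sh->sh_offset + sh->sh_size) > filesize`, computes the sum before comparing it, so two large header fields can wrap to a small value and pass even though the section does not fit in the file. A wrap-free form is `if (sh->sh_offset > filesize || sh->sh_size > filesize - sh->sh_offset) continue;`. The pre-existing check at the start of the `*** 125,130 ****` hunk has the same shape and would benefit from the same rewrite. The loop this check sits in starts and ends outside the hunk.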
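Review bot: `if (roff >= filesize)` in the `*** 259,264 ****` hunk bounds only the first byte of the relocation target, so if the store that follows (outside the hunk) writes a multi-byte `value` at `roff`, its trailing bytes can still land past the end of the mapping; I cannot see the store, so this is inferred from `value` being assembled right after the check. The check should subtract the width of the store, on the pattern `if (roff > filesize - <width of the store>) continue;`, and if `roff` indexes a section buffer rather than the whole file the bound should be that buffer's size, which is tighter than `filesize`. The `*** 276,281 ****` hunk adds the same check for the SHT_REL case and needs the same adjustment. Both hunks are inside a `switch` whose start and end lie outside the hunk.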