===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ctfconv/elf.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- src/usr.bin/ctfconv/elf.c 2017/09/29 16:05:53 1.5
+++ src/usr.bin/ctfconv/elf.c 2017/09/30 10:15:59 1.6
@@ -1,4 +1,4 @@
-/* $OpenBSD: elf.c,v 1.5 2017/09/29 16:05:53 jsg Exp $ */
+/* $OpenBSD: elf.c,v 1.6 2017/09/30 10:15:59 jsg Exp $ */
 
 /*
 * Copyright (c) 2016 Martin Pieuchot
@@ -125,6 +125,9 @@
 if ((sh->sh_offset + sh->sh_size) > filesize)
 continue;
 
+ if (sh->sh_entsize == 0)
+ continue;
+
 if (strncmp(shstab + sh->sh_name, ELF_SYMTAB, snlen) == 0) {
 if (symtab != NULL)
 *symtab = (Elf_Sym *)(p + sh->sh_offset);
@@ -154,6 +157,9 @@
 
 /* Find the given section. */
 for (i = 0; i < eh->e_shnum; i++) {
+ if ((eh->e_shoff + i * eh->e_shentsize) > filesize)
+ continue;
+
 sh = (Elf_Shdr *)(p + eh->e_shoff + i * eh->e_shentsize);
 
 if ((sh->sh_link >= eh->e_shnum) || (sh->sh_name >= shstabsz))
@@ -242,6 +248,9 @@
 
 /* Apply possible relocation. */
 for (i = 0; i < eh->e_shnum; i++) {
+ if ((eh->e_shoff + i * eh->e_shentsize) > filesize)
+ continue;
+
 sh = (Elf_Shdr *)(p + eh->e_shoff + i * eh->e_shentsize);
 
 if (sh->sh_size == 0)
@@ -250,6 +259,9 @@
 if ((sh->sh_info != sidx) || (sh->sh_link != symtabidx))
 continue;
 
+ if ((sh->sh_offset + sh->sh_size) > filesize)
+ continue;
+
 switch (sh->sh_type) {
 case SHT_RELA:
 rela = (Elf_RelA *)(p + sh->sh_offset);
@@ -259,6 +271,8 @@
 roff = rela[j].r_offset;
 if (rsym >= nsymb)
 continue;
+ if (roff >= filesize)
+ continue;
 sym = &symtab[rsym];
 value = sym->st_value + rela[j].r_addend;
 
@@ -276,6 +290,8 @@
 rtyp = ELF_R_TYPE(rel[j].r_info);
 roff = rel[j].r_offset;
 if (rsym >= nsymb)
+ continue;
+ if (roff >= filesize)
 continue;
 sym = &symtab[rsym];
 value = sym->st_value;
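Review bot: The added `sh_entsize == 0` guard in the symbol-table loop stops a division by zero, but it still accepts a non-zero entsize that differs from `sizeof(Elf_Sym)`; since the section is handed out as an `Elf_Sym *` on the `*symtab = (Elf_Sym *)(p + sh->sh_offset)` line, a count presumably derived as `sh_size / sh_entsize` just below (outside this hunk) would overstate the number of `Elf_Sym` elements when entsize is smaller, and a caller indexing `symtab[rsym]` with `rsym < nsymb` could read past the section and possibly past `filesize`. Tightening the new check to `if (sh->sh_entsize != sizeof(Elf_Sym)) continue;` covers both the zero and the mismatched case. The enclosing function starts and ends outside the hunk.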
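Review bot: The new `(eh->e_shoff + i * eh->e_shentsize) > filesize` test in the `/* Find the given section. */` loop only bounds the first byte of the section header, so a header table that starts within the last `sizeof(Elf_Shdr)` bytes of the file, or exactly at `filesize` (which `>` lets through), still passes and the `sh->sh_link` / `sh->sh_name` reads on the following lines run past the mapping. On ELF64 `e_shoff` is a 64-bit field taken straight from the input, so the sum can also wrap around and compare small. A form that cannot wrap and covers the whole header is `if (eh->e_shoff > filesize - sizeof(*sh) || (size_t)i * eh->e_shentsize > filesize - sizeof(*sh) - eh->e_shoff) continue;`, assuming the caller already rejected files shorter than an ELF header (not visible here). The identical expression is added to the `/* Apply possible relocation. */` loop in the next hunk and needs the same treatment. The enclosing function continues outside this hunk.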
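Review bot: The added `(sh->sh_offset + sh->sh_size) > filesize` check before the `switch (sh->sh_type)` can wrap: on ELF64 both fields are 64-bit and attacker-controlled, so a `sh_offset` near `UINT64_MAX` makes the sum small and the `rela = (Elf_RelA *)(p + sh->sh_offset)` pointer on the next lines lands outside the mapping. The wrap-free form is `if (sh->sh_offset > filesize || sh->sh_size > filesize - sh->sh_offset) continue;`. The same expression already appears as context in the symbol-table loop earlier in this diff, so both sites should be fixed the same way. Nothing requires `sh_offset` to be suitably aligned for the `Elf_RelA *` cast either, which is undefined behaviour in C even where the CPU tolerates it. The enclosing loop body starts and ends outside this hunk.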
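Review bot: `if (roff >= filesize)` in the `SHT_RELA` loop only proves the first byte of the relocation target is inside the mapping; if the code after this hunk stores a multi-byte value at `p + roff` (the store itself is not visible here), an `r_offset` in the last few bytes of the file still overruns. Bounding by the width of the store, e.g. `if (roff > filesize - sizeof(value)) continue;` with the width matching what is actually written for the relocation type, closes that gap. Comparing against `filesize` rather than the target section's `[sh_offset, sh_offset + sh_size)` range also lets a crafted object patch the ELF header or the section headers this function is still iterating over, so restricting `roff` to the section selected by `sidx` would be the tighter check. The same `roff >= filesize` test is added for `SHT_REL` in the following hunk and has the same weakness. The enclosing `for` over `rela` starts and ends outside this hunk.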