authorAlan Modra <amodra@gmail.com>2015-07-17 00:13:22 +0930
committerAlan Modra <amodra@gmail.com>2015-07-17 00:30:16 +0930
commitbba0ea53ab18d34511045416cdfa20c8151a49bd (patch)
treea660709c3dc78b49c57dd05f392032ffa7cd12a1
parent6daf15c3050e228c9aff5dcabf0cc8e9e40272bb (diff)
Correct readelf dynamic section buffer overlow test
PR binutils/18672 * readelf.c (get_32bit_dynamic_section): Correct buffer limit test. (get_64bit_dynamic_section): Likewise.
-rw-r--r--binutils/ChangeLog6
-rw-r--r--binutils/readelf.c6
2 files changed, 9 insertions, 3 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 5ae64e5922b..3565e949447 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2015-07-16 Alan Modra <amodra@gmail.com>
+
+ PR binutils/18672
+ * readelf.c (get_32bit_dynamic_section): Correct buffer limit test.
+ (get_64bit_dynamic_section): Likewise.
+
2015-03-25 Nick Clifton <nickc@redhat.com>
* coffgrok.c: Remove redundant prototypes.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 2f8257a0610..59d3381e7e7 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -8365,7 +8365,7 @@ get_32bit_dynamic_section (FILE * file)
might not have the luxury of section headers. Look for the DT_NULL
terminator to determine the number of entries. */
for (ext = edyn, dynamic_nent = 0;
- (char *) ext < (char *) edyn + dynamic_size - sizeof (* entry);
+ (char *) (ext + 1) <= (char *) edyn + dynamic_size;
ext++)
{
dynamic_nent++;
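Review bot: The new bound `(char *) (ext + 1) <= (char *) edyn + dynamic_size` forms `ext + 1` before comparing it, so if the buffer is exactly `dynamic_size` bytes and that size is not a multiple of the entry size, the last evaluation computes a pointer beyond one past the end, which ISO C leaves undefined even though nothing is dereferenced. Because `dynamic_size` presumably derives from the file being inspected, comparing the remaining byte count keeps the arithmetic inside the buffer: `(size_t) ((char *) edyn + dynamic_size - (char *) ext) >= sizeof (*ext);`. The same condition appears in get_64bit_dynamic_section in the next hunk. The 32-bit loop also lacks the explanatory comment the 64-bit loop carries; something like `/* Do not read past the end of the buffer. */` would keep the two in step. Both loop bodies continue outside the hunks, so the DT_NULL handling was not reviewed.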
@@ -8413,8 +8413,8 @@ get_64bit_dynamic_section (FILE * file)
might not have the luxury of section headers. Look for the DT_NULL
terminator to determine the number of entries. */
for (ext = edyn, dynamic_nent = 0;
- /* PR 17533 file: 033-67080-0.004 - do not read off the end of the buffer. */
- (char *) ext < ((char *) edyn) + dynamic_size - sizeof (* ext);
+ /* PR 17533 file: 033-67080-0.004 - do not read past end of buffer. */
+ (char *) (ext + 1) <= (char *) edyn + dynamic_size;
ext++)
{
dynamic_nent++;