elfutils/patches/elfutils-0.108-robustify3.patch

src/
2005-06-09  Roland McGrath  <roland@redhat.com>

	* readelf.c (handle_dynamic, handle_symtab): Check for bogus sh_link.
	(handle_verneed, handle_verdef, handle_versym, handle_hash): Likewise.
	(handle_scngrp): Check for bogus sh_info.

	* strip.c (handle_elf): Check for bogus values in sh_link, sh_info,
	st_shndx, e_shstrndx, and SHT_GROUP or SHT_SYMTAB_SHNDX data.
	Don't use assert on input values, instead bail with "illformed" error.

2005-05-17  Jakub Jelinek  <jakub@redhat.com>

libelf/
	* elf32_getphdr.c (elfw2(LIBELFBITS,getphdr)): Check if program header
	table fits into object's bounds.
	* elf_getshstrndx.c (elf_getshstrndx): Add elf->start_offset to
	elf->map_address.  Check if first section header fits into object's
	bounds.
	* elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)): Fix comment pasto.
	Check if section header table fits into object's bounds.
	* elf_begin.c (get_shnum): Fail if maxsize is smaller than ELF headers.
	Ensure first section header fits into object's bounds.
	(file_read_elf): Make sure scncnt is small enough to allocate both
	ElfXX_Shdr and Elf_Scn array.  Make sure section and program header
	tables fit into object's bounds.  Avoid memory leak on failure.

src/
	* elflint.c (check_hash): Don't check entries beyond end of section.
	(check_note): Don't crash if gelf_rawchunk fails.
	(section_name): Return <invalid> if gelf_getshdr returns NULL.

2005-05-14  Jakub Jelinek  <jakub@redhat.com>

libelf/
	* libelfP.h (INVALID_NDX): Define.
	* gelf_getdyn.c (gelf_getdyn): Use it.  Remove ndx < 0 test if any.
	* gelf_getlib.c (gelf_getlib): Likewise.
	* gelf_getmove.c (gelf_getmove): Likewise.
	* gelf_getrel.c (gelf_getrel): Likewise.
	* gelf_getrela.c (gelf_getrela): Likewise.
	* gelf_getsym.c (gelf_getsym): Likewise.
	* gelf_getsyminfo.c (gelf_getsyminfo): Likewise.
	* gelf_getsymshndx.c (gelf_getsymshndx): Likewise.
	* gelf_getversym.c (gelf_getversym): Likewise.
	* gelf_update_dyn.c (gelf_update_dyn): Likewise.
	* gelf_update_lib.c (gelf_update_lib): Likewise.
	* gelf_update_move.c (gelf_update_move): Likewise.
	* gelf_update_rel.c (gelf_update_rel): Likewise.
	* gelf_update_rela.c (gelf_update_rela): Likewise.
	* gelf_update_sym.c (gelf_update_sym): Likewise.
	* gelf_update_syminfo.c (gelf_update_syminfo): Likewise.
	* gelf_update_symshndx.c (gelf_update_symshndx): Likewise.
	* gelf_update_versym.c (gelf_update_versym): Likewise.
	* elf_newscn.c (elf_newscn): Check for overflow.
	* elf32_updatefile.c (__elfw2(LIBELFBITS,updatemmap)): Likewise.
	(__elfw2(LIBELFBITS,updatefile)): Likewise.
	* elf_begin.c (file_read_elf): Likewise.
	* elf32_newphdr.c (elfw2(LIBELFBITS,newphdr)): Likewise.
	* elf_getarsym.c (elf_getarsym): Likewise.
	* elf32_getshdr.c (elfw2(LIBELFBITS,getshdr)): Likewise.
src/
	* elflint.c (section_name): Return "<invalid>" instead of
	crashing on invalid section name.
	(check_symtab, is_rel_dyn, check_rela, check_rel, check_dynamic,
	check_symtab_shndx, check_hash, check_versym): Robustify.

--- elfutils-0.108/libelf/gelf_getrel.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_getrel.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Get REL relocation information at given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -38,12 +38,6 @@ gelf_getrel (data, ndx, dst)
   if (data_scn == NULL)
     return NULL;
 
-  if (unlikely (ndx < 0))
-    {
-      __libelf_seterrno (ELF_E_INVALID_INDEX);
-      return NULL;
-    }
-
   if (unlikely (data_scn->d.d_type != ELF_T_REL))
     {
       __libelf_seterrno (ELF_E_INVALID_HANDLE);
@@ -60,7 +54,8 @@ gelf_getrel (data, ndx, dst)
   if (scn->elf->class == ELFCLASS32)
     {
       /* We have to convert the data.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf32_Rel)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  result = NULL;
@@ -80,7 +75,8 @@ gelf_getrel (data, ndx, dst)
     {
       /* Simply copy the data after we made sure we are actually getting
 	 correct data.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf64_Rel)
+	  || unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  result = NULL;
--- elfutils-0.108/libelf/gelf_getsym.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_getsym.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Get symbol information from symbol table at the given index.
-   Copyright (C) 1999, 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 1999, 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 1999.
 
    This program is free software; you can redistribute it and/or modify
@@ -57,7 +57,8 @@ gelf_getsym (data, ndx, dst)
 	 table entries has to be adopted.  The user better has provided
 	 a buffer where we can store the information.  While copying the
 	 data we are converting the format.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))
+      if (INVALID_NDX (ndx, Elf32_Sym)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data->d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
@@ -86,7 +87,8 @@ gelf_getsym (data, ndx, dst)
 
       /* The data is already in the correct form.  Just make sure the
 	 index is OK.  */
-      if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))
+      if (INVALID_NDX (ndx, GElf_Sym)
+	  || unlikely ((ndx + 1) * sizeof (GElf_Sym) > data->d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
--- elfutils-0.108/libelf/gelf_update_sym.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_update_sym.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Update symbol information in symbol table at the given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -39,12 +39,6 @@ gelf_update_sym (data, ndx, src)
   if (data == NULL)
     return 0;
 
-  if (unlikely (ndx < 0))
-    {
-      __libelf_seterrno (ELF_E_INVALID_INDEX);
-      return 0;
-    }
-
   if (unlikely (data_scn->d.d_type != ELF_T_SYM))
     {
       /* The type of the data better should match.  */
@@ -69,7 +63,8 @@ gelf_update_sym (data, ndx, src)
 	}
 
       /* Check whether we have to resize the data buffer.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf32_Sym)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
@@ -92,7 +87,8 @@ gelf_update_sym (data, ndx, src)
   else
     {
       /* Check whether we have to resize the data buffer.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf64_Sym)
+	  || unlikely ((ndx + 1) * sizeof (Elf64_Sym) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
--- elfutils-0.108/libelf/gelf_getrela.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_getrela.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Get RELA relocation information at given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -38,12 +38,6 @@ gelf_getrela (data, ndx, dst)
   if (data_scn == NULL)
     return NULL;
 
-  if (unlikely (ndx < 0))
-    {
-      __libelf_seterrno (ELF_E_INVALID_INDEX);
-      return NULL;
-    }
-
   if (unlikely (data_scn->d.d_type != ELF_T_RELA))
     {
       __libelf_seterrno (ELF_E_INVALID_HANDLE);
@@ -60,7 +54,8 @@ gelf_getrela (data, ndx, dst)
   if (scn->elf->class == ELFCLASS32)
     {
       /* We have to convert the data.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf32_Rela)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  result = NULL;
@@ -81,7 +76,8 @@ gelf_getrela (data, ndx, dst)
     {
       /* Simply copy the data after we made sure we are actually getting
 	 correct data.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf64_Rela)
+	  || unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  result = NULL;
--- elfutils-0.108/libelf/gelf_update_syminfo.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_update_syminfo.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Update additional symbol information in symbol table at the given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -39,12 +39,6 @@ gelf_update_syminfo (data, ndx, src)
   if (data == NULL)
     return 0;
 
-  if (unlikely (ndx < 0))
-    {
-      __libelf_seterrno (ELF_E_INVALID_INDEX);
-      return 0;
-    }
-
   if (unlikely (data_scn->d.d_type != ELF_T_SYMINFO))
     {
       /* The type of the data better should match.  */
@@ -60,7 +54,8 @@ gelf_update_syminfo (data, ndx, src)
   rwlock_wrlock (scn->elf->lock);
 
   /* Check whether we have to resize the data buffer.  */
-  if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))
+  if (INVALID_NDX (ndx, GElf_Syminfo)
+      || unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data_scn->d.d_size))
     {
       __libelf_seterrno (ELF_E_INVALID_INDEX);
       goto out;
--- elfutils-0.108/libelf/gelf_getsyminfo.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_getsyminfo.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Get additional symbol information from symbol table at the given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -51,7 +51,8 @@ gelf_getsyminfo (data, ndx, dst)
 
   /* The data is already in the correct form.  Just make sure the
      index is OK.  */
-  if (unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))
+  if (INVALID_NDX (ndx, GElf_Syminfo)
+      || unlikely ((ndx + 1) * sizeof (GElf_Syminfo) > data->d_size))
     {
       __libelf_seterrno (ELF_E_INVALID_INDEX);
       goto out;
--- elfutils-0.108/libelf/elf_newscn.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/elf_newscn.c	2005-05-14 01:38:35.000000000 +0200
@@ -1,5 +1,5 @@
 /* Append new section.
-   Copyright (C) 1998, 1999, 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 1998, 1999, 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 1998.
 
    This program is free software; you can redistribute it and/or modify
@@ -71,13 +71,21 @@ elf_newscn (elf)
   else
     {
       /* We must allocate a new element.  */
-      Elf_ScnList *newp;
+      Elf_ScnList *newp = NULL;
 
       assert (elf->state.elf.scnincr > 0);
 
-      newp = (Elf_ScnList *) calloc (sizeof (Elf_ScnList)
-				     + ((elf->state.elf.scnincr *= 2)
-					* sizeof (Elf_Scn)), 1);
+      if (
+#if SIZE_MAX <= 4294967295U
+	  likely (elf->state.elf.scnincr
+		  < SIZE_MAX / 2 / sizeof (Elf_Scn) - sizeof (Elf_ScnList))
+#else
+	  1
+#endif
+	  )
+	newp = (Elf_ScnList *) calloc (sizeof (Elf_ScnList)
+				       + ((elf->state.elf.scnincr *= 2)
+					  * sizeof (Elf_Scn)), 1);
       if (newp == NULL)
 	{
 	  __libelf_seterrno (ELF_E_NOMEM);
--- elfutils-0.108/libelf/gelf_update_lib.c.jj	2004-01-23 19:23:03.000000000 +0100
+++ elfutils-0.108/libelf/gelf_update_lib.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Update library in table at the given index.
-   Copyright (C) 2004 Red Hat, Inc.
+   Copyright (C) 2004, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2004.
 
    This program is free software; you can redistribute it and/or modify
@@ -35,12 +35,6 @@ gelf_update_lib (data, ndx, src)
   if (data == NULL)
     return 0;
 
-  if (unlikely (ndx < 0))
-    {
-      __libelf_seterrno (ELF_E_INVALID_INDEX);
-      return 0;
-    }
-
   Elf_Data_Scn *data_scn = (Elf_Data_Scn *) data;
   if (unlikely (data_scn->d.d_type != ELF_T_LIB))
     {
@@ -54,7 +48,8 @@ gelf_update_lib (data, ndx, src)
 
   /* Check whether we have to resize the data buffer.  */
   int result = 0;
-  if (unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))
+  if (INVALID_NDX (ndx, Elf64_Lib)
+      || unlikely ((ndx + 1) * sizeof (Elf64_Lib) > data_scn->d.d_size))
     __libelf_seterrno (ELF_E_INVALID_INDEX);
   else
     {
--- elfutils-0.108/libelf/gelf_getmove.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_getmove.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Get move structure at the given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -50,7 +50,8 @@ gelf_getmove (data, ndx, dst)
 
   /* The data is already in the correct form.  Just make sure the
      index is OK.  */
-  if (unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))
+  if (INVALID_NDX (ndx, GElf_Move)
+      || unlikely ((ndx + 1) * sizeof (GElf_Move) > data->d_size))
     {
       __libelf_seterrno (ELF_E_INVALID_INDEX);
       goto out;
--- elfutils-0.108/libelf/elf32_updatefile.c.jj	2005-02-06 10:14:52.000000000 +0100
+++ elfutils-0.108/libelf/elf32_updatefile.c	2005-05-14 00:45:03.000000000 +0200
@@ -164,6 +164,9 @@ __elfw2(LIBELFBITS,updatemmap) (Elf *elf
   /* Write all the sections.  Well, only those which are modified.  */
   if (shnum > 0)
     {
+      if (unlikely (shnum > SIZE_MAX / sizeof (Elf_Scn *)))
+	return 1;
+
       ElfW2(LIBELFBITS,Shdr) *shdr_dest;
       Elf_ScnList *list = &elf->state.ELFW(elf,LIBELFBITS).scns;
       Elf_Scn **scns = (Elf_Scn **) alloca (shnum * sizeof (Elf_Scn *));
@@ -468,6 +471,10 @@ __elfw2(LIBELFBITS,updatefile) (Elf *elf
   /* Write all the sections.  Well, only those which are modified.  */
   if (shnum > 0)
     {
+      if (unlikely (shnum > SIZE_MAX / (sizeof (Elf_Scn *)
+					+ sizeof (ElfW2(LIBELFBITS,Shdr)))))
+	return 1;
+
       off_t shdr_offset = elf->start_offset + ehdr->e_shoff;
 #if EV_NUM != 2
       xfct_t shdr_fctp = __elf_xfctstom[__libelf_version - 1][EV_CURRENT - 1][ELFW(ELFCLASS, LIBELFBITS) - 1][ELF_T_SHDR];
--- elfutils-0.108/libelf/gelf_getsymshndx.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_getsymshndx.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,6 +1,6 @@
 /* Get symbol information and separate section index from symbol table
    at the given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -57,7 +57,9 @@ gelf_getsymshndx (symdata, shndxdata, nd
      section index table.  */
   if (likely (shndxdata_scn != NULL))
     {
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Word) > shndxdata_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf32_Word)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Word)
+		       > shndxdata_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
@@ -77,7 +79,8 @@ gelf_getsymshndx (symdata, shndxdata, nd
 	 table entries has to be adopted.  The user better has provided
 	 a buffer where we can store the information.  While copying the
 	 data we are converting the format.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))
+      if (INVALID_NDX (ndx, Elf32_Sym)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata->d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
@@ -106,7 +109,8 @@ gelf_getsymshndx (symdata, shndxdata, nd
 
       /* The data is already in the correct form.  Just make sure the
 	 index is OK.  */
-      if (unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))
+      if (INVALID_NDX (ndx, GElf_Sym)
+	  || unlikely ((ndx + 1) * sizeof (GElf_Sym) > symdata->d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
--- elfutils-0.108/libelf/gelf_update_move.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_update_move.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Update move structure at the given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -42,7 +42,7 @@ gelf_update_move (data, ndx, src)
   assert (sizeof (GElf_Move) == sizeof (Elf64_Move));
 
   /* Check whether we have to resize the data buffer.  */
-  if (unlikely (ndx < 0)
+  if (INVALID_NDX (ndx, GElf_Move)
       || unlikely ((ndx + 1) * sizeof (GElf_Move) > data_scn->d.d_size))
     {
       __libelf_seterrno (ELF_E_INVALID_INDEX);
--- elfutils-0.108/libelf/gelf_update_dyn.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_update_dyn.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Update information in dynamic table at the given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -38,12 +38,6 @@ gelf_update_dyn (data, ndx, src)
   if (data == NULL)
     return 0;
 
-  if (unlikely (ndx < 0))
-    {
-      __libelf_seterrno (ELF_E_INVALID_INDEX);
-      return 0;
-    }
-
   if (unlikely (data_scn->d.d_type != ELF_T_DYN))
     {
       /* The type of the data better should match.  */
@@ -69,7 +63,8 @@ gelf_update_dyn (data, ndx, src)
 	}
 
       /* Check whether we have to resize the data buffer.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf32_Dyn)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
@@ -83,7 +78,8 @@ gelf_update_dyn (data, ndx, src)
   else
     {
       /* Check whether we have to resize the data buffer.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf64_Dyn)
+	  || unlikely ((ndx + 1) * sizeof (Elf64_Dyn) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
--- elfutils-0.108/libelf/gelf_getversym.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_getversym.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Get symbol version information at the given index.
-   Copyright (C) 1999, 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 1999, 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 1999.
 
    This program is free software; you can redistribute it and/or modify
@@ -59,7 +59,8 @@ gelf_getversym (data, ndx, dst)
 
   /* The data is already in the correct form.  Just make sure the
      index is OK.  */
-  if (unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))
+  if (INVALID_NDX (ndx, GElf_Versym)
+      || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data->d_size))
     {
       __libelf_seterrno (ELF_E_INVALID_INDEX);
       result = NULL;
--- elfutils-0.108/libelf/elf32_newphdr.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/elf32_newphdr.c	2005-05-14 01:17:53.000000000 +0200
@@ -1,5 +1,5 @@
 /* Create new ELF program header table.
-   Copyright (C) 1999, 2000, 2002 Red Hat, Inc.
+   Copyright (C) 1999, 2000, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 1998.
 
    This program is free software; you can redistribute it and/or modify
@@ -91,6 +91,12 @@ elfw2(LIBELFBITS,newphdr) (elf, count)
   else if (elf->state.ELFW(elf,LIBELFBITS).ehdr->e_phnum != count
 	   || elf->state.ELFW(elf,LIBELFBITS).phdr == NULL)
     {
+      if (unlikely (count > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Phdr))))
+	{
+	  result = NULL;
+	  goto out;
+	}
+
       /* Allocate a new program header with the appropriate number of
 	 elements.  */
       result = (ElfW2(LIBELFBITS,Phdr) *)
--- elfutils-0.108/libelf/gelf_getdyn.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_getdyn.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Get information from dynamic table at the given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -60,7 +60,8 @@ gelf_getdyn (data, ndx, dst)
 	 table entries has to be adopted.  The user better has provided
 	 a buffer where we can store the information.  While copying the
 	 data we are converting the format.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf32_Dyn)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Dyn) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
@@ -81,7 +82,8 @@ gelf_getdyn (data, ndx, dst)
 
       /* The data is already in the correct form.  Just make sure the
 	 index is OK.  */
-      if (unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, GElf_Dyn)
+	  || unlikely ((ndx + 1) * sizeof (GElf_Dyn) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
--- elfutils-0.108/libelf/elf_getarsym.c.jj	2005-02-06 10:14:52.000000000 +0100
+++ elfutils-0.108/libelf/elf_getarsym.c	2005-05-14 01:37:47.000000000 +0200
@@ -144,6 +144,9 @@ elf_getarsym (elf, ptr)
       size_t index_size = atol (tmpbuf);
 
       if (SARMAG + sizeof (struct ar_hdr) + index_size > elf->maximum_size
+#if SIZE_MAX <= 4294967295U
+	  || n >= SIZE_MAX / sizeof (Elf_Arsym)
+#endif
 	  || n * sizeof (uint32_t) > index_size)
 	{
 	  /* This index table cannot be right since it does not fit into
--- elfutils-0.108/libelf/libelfP.h.jj	2005-03-30 03:42:32.000000000 +0200
+++ elfutils-0.108/libelf/libelfP.h	2005-05-14 01:28:47.000000000 +0200
@@ -531,4 +531,13 @@ extern uint32_t __libelf_crc32 (uint32_t
   } while (0)
 #endif
 
+/* Convenience macro.  Assumes int NDX and TYPE with size at least
+   2 bytes.  */
+#if SIZE_MAX > 4294967295U
+# define INVALID_NDX(ndx, type) unlikely (ndx < 0)
+#else
+# define INVALID_NDX(ndx, type) \
+  unlikely ((unsigned int) (ndx) >= SIZE_MAX / sizeof (type))
+#endif
+
 #endif  /* libelfP.h */
--- elfutils-0.108/libelf/gelf_getlib.c.jj	2004-01-23 19:22:56.000000000 +0100
+++ elfutils-0.108/libelf/gelf_getlib.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Get library from table at the given index.
-   Copyright (C) 2004 Red Hat, Inc.
+   Copyright (C) 2004, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2004.
 
    This program is free software; you can redistribute it and/or modify
@@ -53,7 +53,8 @@ gelf_getlib (data, ndx, dst)
   /* The data is already in the correct form.  Just make sure the
      index is OK.  */
   GElf_Lib *result = NULL;
-  if (unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))
+  if (INVALID_NDX (ndx, GElf_Lib)
+      || unlikely ((ndx + 1) * sizeof (GElf_Lib) > data->d_size))
     __libelf_seterrno (ELF_E_INVALID_INDEX);
   else
     {
--- elfutils-0.108/libelf/gelf_update_symshndx.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_update_symshndx.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,6 +1,6 @@
 /* Update symbol information and section index in symbol table at the
    given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -44,12 +44,6 @@ gelf_update_symshndx (symdata, shndxdata
   if (symdata == NULL)
     return 0;
 
-  if (unlikely (ndx < 0))
-    {
-      __libelf_seterrno (ELF_E_INVALID_INDEX);
-      return 0;
-    }
-
   if (unlikely (symdata_scn->d.d_type != ELF_T_SYM))
     {
       /* The type of the data better should match.  */
@@ -95,7 +89,8 @@ gelf_update_symshndx (symdata, shndxdata
 	}
 
       /* Check whether we have to resize the data buffer.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf32_Sym)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Sym) > symdata_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
@@ -118,7 +113,8 @@ gelf_update_symshndx (symdata, shndxdata
   else
     {
       /* Check whether we have to resize the data buffer.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf64_Sym)
+	  || unlikely ((ndx + 1) * sizeof (Elf64_Sym) > symdata_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
--- elfutils-0.108/libelf/elf32_getshdr.c.jj	2005-02-06 10:14:52.000000000 +0100
+++ elfutils-0.108/libelf/elf32_getshdr.c	2005-05-14 00:32:57.000000000 +0200
@@ -66,7 +66,8 @@ elfw2(LIBELFBITS,getshdr) (scn)
 	goto out;
 
       size_t shnum;
-      if (INTUSE (elf_getshnum) (elf, &shnum) != 0)
+      if (INTUSE (elf_getshnum) (elf, &shnum) != 0
+	  || shnum > SIZE_MAX / sizeof (ElfW2(LIBELFBITS,Shdr)))
 	goto out;
       size_t size = shnum * sizeof (ElfW2(LIBELFBITS,Shdr));
 
--- elfutils-0.108/libelf/gelf_update_rela.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_update_rela.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Update RELA relocation information at given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -35,12 +35,6 @@ gelf_update_rela (Elf_Data *dst, int ndx
   if (dst == NULL)
     return 0;
 
-  if (unlikely (ndx < 0))
-    {
-      __libelf_seterrno (ELF_E_INVALID_INDEX);
-      return 0;
-    }
-
   if (unlikely (data_scn->d.d_type != ELF_T_RELA))
     {
       /* The type of the data better should match.  */
@@ -68,7 +62,8 @@ gelf_update_rela (Elf_Data *dst, int ndx
 	}
 
       /* Check whether we have to resize the data buffer.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf32_Rela)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Rela) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
@@ -84,7 +79,8 @@ gelf_update_rela (Elf_Data *dst, int ndx
   else
     {
       /* Check whether we have to resize the data buffer.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf64_Rela)
+	  || unlikely ((ndx + 1) * sizeof (Elf64_Rela) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
--- elfutils-0.108/libelf/gelf_update_versym.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_update_versym.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Update symbol version information.
-   Copyright (C) 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2001.
 
    This program is free software; you can redistribute it and/or modify
@@ -42,7 +42,7 @@ gelf_update_versym (data, ndx, src)
   assert (sizeof (GElf_Versym) == sizeof (Elf64_Versym));
 
   /* Check whether we have to resize the data buffer.  */
-  if (unlikely (ndx < 0)
+  if (INVALID_NDX (ndx, GElf_Versym)
       || unlikely ((ndx + 1) * sizeof (GElf_Versym) > data_scn->d.d_size))
     {
       __libelf_seterrno (ELF_E_INVALID_INDEX);
--- elfutils-0.108/libelf/gelf_update_rel.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/gelf_update_rel.c	2005-05-14 01:31:25.000000000 +0200
@@ -1,5 +1,5 @@
 /* Update REL relocation information at given index.
-   Copyright (C) 2000, 2001, 2002 Red Hat, Inc.
+   Copyright (C) 2000, 2001, 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2000.
 
    This program is free software; you can redistribute it and/or modify
@@ -35,12 +35,6 @@ gelf_update_rel (Elf_Data *dst, int ndx,
   if (dst == NULL)
     return 0;
 
-  if (unlikely (ndx < 0))
-    {
-      __libelf_seterrno (ELF_E_INVALID_INDEX);
-      return 0;
-    }
-
   if (unlikely (data_scn->d.d_type != ELF_T_REL))
     {
       /* The type of the data better should match.  */
@@ -66,7 +60,8 @@ gelf_update_rel (Elf_Data *dst, int ndx,
 	}
 
       /* Check whether we have to resize the data buffer.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf32_Rel)
+	  || unlikely ((ndx + 1) * sizeof (Elf32_Rel) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
@@ -81,7 +76,8 @@ gelf_update_rel (Elf_Data *dst, int ndx,
   else
     {
       /* Check whether we have to resize the data buffer.  */
-      if (unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
+      if (INVALID_NDX (ndx, Elf64_Rel)
+	  || unlikely ((ndx + 1) * sizeof (Elf64_Rel) > data_scn->d.d_size))
 	{
 	  __libelf_seterrno (ELF_E_INVALID_INDEX);
 	  goto out;
--- elfutils-0.108/src/elflint.c.jj	2005-05-07 01:46:26.000000000 +0200
+++ elfutils-0.108/src/elflint.c	2005-05-14 02:22:24.000000000 +0200
@@ -111,6 +111,9 @@ static uint32_t shstrndx;
 /* Array to count references in section groups.  */
 static int *scnref;
 
+/* Number of sections.  */
+static unsigned int shnum;
+
 
 int
 main (int argc, char *argv[])
@@ -300,10 +303,17 @@ section_name (Ebl *ebl, int idx)
 {
   GElf_Shdr shdr_mem;
   GElf_Shdr *shdr;
+  const char *ret;
+
+  if ((unsigned int) idx > shnum)
+    return "<invalid>";
 
   shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);
 
-  return elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
+  ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
+  if (ret == NULL)
+    return "<invalid>";
+  return ret;
 }
 
 
@@ -325,10 +335,6 @@ static const int valid_e_machine[] =
   (sizeof (valid_e_machine) / sizeof (valid_e_machine[0]))
 
 
-/* Number of sections.  */
-static unsigned int shnum;
-
-
 static void
 check_elf_header (Ebl *ebl, GElf_Ehdr *ehdr, size_t size)
 {
@@ -608,7 +614,8 @@ check_symtab (Ebl *ebl, GElf_Ehdr *ehdr,
       xndxdata = NULL;
     }
 
-  if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT))
+  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_SYM, 1, EV_CURRENT);
+  if (shdr->sh_entsize != sh_entsize)
     ERROR (gettext ("\
 section [%2zu] '%s': entry size is does not match ElfXX_Sym\n"),
 	   cnt, section_name (ebl, cnt));
@@ -646,7 +653,7 @@ section [%2d] '%s': XINDEX for zeroth en
 	       xndxscnidx, section_name (ebl, xndxscnidx));
     }
 
-  for (cnt = 1; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
+  for (cnt = 1; cnt < shdr->sh_size / sh_entsize; ++cnt)
     {
       sym = gelf_getsymshndx (data, xndxdata, cnt, &sym_mem, &xndx);
       if (sym == NULL)
@@ -664,7 +671,8 @@ section [%2d] '%s': symbol %zu: invalid 
       else
 	{
 	  name = elf_strptr (ebl->elf, shdr->sh_link, sym->st_name);
-	  assert (name != NULL);
+	  assert (name != NULL
+		  || strshdr->sh_type != SHT_STRTAB);
 	}
 
       if (sym->st_shndx == SHN_XINDEX)
@@ -954,7 +962,7 @@ is_rel_dyn (Ebl *ebl, GElf_Ehdr *ehdr, i
       const GElf_Shdr *rcshdr = gelf_getshdr (scn, &rcshdr_mem);
       assert (rcshdr != NULL);
 
-      if (rcshdr->sh_type == SHT_DYNAMIC)
+      if (rcshdr->sh_type == SHT_DYNAMIC && rcshdr->sh_entsize)
 	{
 	  /* Found the dynamic section.  Look through it.  */
 	  Elf_Data *d = elf_getdata (scn, NULL);
@@ -964,14 +972,17 @@ is_rel_dyn (Ebl *ebl, GElf_Ehdr *ehdr, i
 	    {
 	      GElf_Dyn dyn_mem;
 	      GElf_Dyn *dyn = gelf_getdyn (d, cnt, &dyn_mem);
-	      assert (dyn != NULL);
+
+	      if (dyn == NULL)
+		break;
 
 	      if (dyn->d_tag == DT_RELCOUNT)
 		{
 		  /* Found it.  One last check: does the number
 		     specified number of relative relocations exceed
 		     the total number of relocations?  */
-		  if (dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
+		  if (shdr->sh_entsize
+		      && dyn->d_un.d_val > shdr->sh_size / shdr->sh_entsize)
 		    ERROR (gettext ("\
 section [%2d] '%s': DT_RELCOUNT value %d too high for this section\n"),
 			   idx, section_name (ebl, idx),
@@ -1048,7 +1059,8 @@ section [%2d] '%s': no relocations for m
 	}
     }
 
-  if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT))
+  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_RELA, 1, EV_CURRENT);
+  if (shdr->sh_entsize != sh_entsize)
     ERROR (gettext ("\
 section [%2d] '%s': section entry size does not match ElfXX_Rela\n"),
 	   idx, section_name (ebl, idx));
@@ -1058,7 +1070,7 @@ section [%2d] '%s': section entry size d
   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
   Elf_Data *symdata = elf_getdata (symscn, NULL);
 
-  for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
+  for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
     {
       GElf_Rela rela_mem;
       GElf_Rela *rela;
@@ -1183,7 +1195,8 @@ section [%2d] '%s': no relocations for m
 	}
     }
 
-  if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT))
+  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_REL, 1, EV_CURRENT);
+  if (shdr->sh_entsize != sh_entsize)
     ERROR (gettext ("\
 section [%2d] '%s': section entry size does not match ElfXX_Rel\n"),
 	   idx, section_name (ebl, idx));
@@ -1193,7 +1206,7 @@ section [%2d] '%s': section entry size d
   GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
   Elf_Data *symdata = elf_getdata (symscn, NULL);
 
-  for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
+  for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
     {
       GElf_Rel rel_mem;
       GElf_Rel *rel;
@@ -1341,7 +1354,8 @@ section [%2d] '%s': referenced as string
 	   shdr->sh_link, section_name (ebl, shdr->sh_link),
 	   idx, section_name (ebl, idx));
 
-  if (shdr->sh_entsize != gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT))
+  size_t sh_entsize = gelf_fsize (ebl->elf, ELF_T_DYN, 1, EV_CURRENT);
+  if (shdr->sh_entsize != sh_entsize)
     ERROR (gettext ("\
 section [%2d] '%s': section entry size does not match ElfXX_Dyn\n"),
 	   idx, section_name (ebl, idx));
@@ -1351,7 +1365,7 @@ section [%2d] '%s': section entry size d
 	   idx, section_name (ebl, idx));
 
   bool non_null_warned = false;
-  for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
+  for (cnt = 0; cnt < shdr->sh_size / sh_entsize; ++cnt)
     {
       GElf_Dyn dyn_mem;
       GElf_Dyn *dyn;
@@ -1502,6 +1516,8 @@ section [%2d] '%s': entry size does not 
 	   idx, section_name (ebl, idx));
 
   if (symshdr != NULL
+      && shdr->sh_entsize
+      && symshdr->sh_entsize
       && (shdr->sh_size / shdr->sh_entsize
 	  < symshdr->sh_size / symshdr->sh_entsize))
     ERROR (gettext ("\
@@ -1530,6 +1546,12 @@ section [%2d] '%s': extended section ind
     }
 
   data = elf_getdata (scn, NULL);
+  if (data == NULL)
+    {
+      ERROR (gettext ("section [%2d] '%s': cannot get section data\n"),
+	     idx, section_name (ebl, idx));
+      return;
+    }
 
   if (*((Elf32_Word *) data->d_buf) != 0)
     ERROR (gettext ("symbol 0 should have zero extended section index\n"));
@@ -1613,7 +1635,7 @@ section [%2d] '%s': hash table section i
 	   idx, section_name (ebl, idx), (long int) shdr->sh_size,
 	   (long int) ((2 + nbucket + nchain) * shdr->sh_entsize));
 
-  if (symshdr != NULL)
+  if (symshdr != NULL && symshdr->sh_entsize)
     {
       size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
       size_t cnt;
@@ -1910,8 +1932,10 @@ section [%2d] '%s' refers in sh_link to 
       return;
     }
 
-  if (shdr->sh_size / shdr->sh_entsize
-      != symshdr->sh_size / symshdr->sh_entsize)
+  if (shdr->sh_entsize
+      && symshdr->sh_entsize
+      && shdr->sh_size / shdr->sh_entsize
+	 != symshdr->sh_size / symshdr->sh_entsize)
     ERROR (gettext ("\
 section [%2d] '%s' has different number of entries than symbol table [%2d] '%s'\n"),
 	   idx, section_name (ebl, idx),

--- elfutils-0.108/libelf/elf32_getphdr.c.jj	2005-02-06 10:14:52.000000000 +0100
+++ elfutils-0.108/libelf/elf32_getphdr.c	2005-05-17 16:53:41.000000000 +0200
@@ -80,6 +80,16 @@ elfw2(LIBELFBITS,getphdr) (elf)
 
       if (elf->map_address != NULL)
 	{
+	  /* First see whether the information in the ELF header is
+	     valid and it does not ask for too much.  */
+	  if (unlikely (ehdr->e_phoff >= elf->maximum_size)
+	      || unlikely (ehdr->e_phoff + size > elf->maximum_size))
+	    {
+	      /* Something is wrong.  */
+	      __libelf_seterrno (ELF_E_INVALID_PHDR);
+	      goto out;
+	    }
+
 	  /* All the data is already mapped.  Use it.  */
 	  if (ehdr->e_ident[EI_DATA] == MY_ELFDATA
 	      && (ALLOW_UNALIGNED
--- elfutils-0.108/libelf/elf_getshstrndx.c.jj	2004-01-05 21:45:05.000000000 +0100
+++ elfutils-0.108/libelf/elf_getshstrndx.c	2005-05-17 15:42:32.000000000 +0200
@@ -1,5 +1,5 @@
 /* Return section index of section header string table.
-   Copyright (C) 2002 Red Hat, Inc.
+   Copyright (C) 2002, 2005 Red Hat, Inc.
    Written by Ulrich Drepper <drepper@redhat.com>, 2002.
 
    This program is free software; you can redistribute it and/or modify
@@ -90,10 +90,25 @@ elf_getshstrndx (elf, dst)
 	      if (elf->map_address != NULL
 		  && elf->state.elf32.ehdr->e_ident[EI_DATA] == MY_ELFDATA
 		  && (ALLOW_UNALIGNED
-		      || (((size_t) ((char *) elf->map_address + offset))
+		      || (((size_t) ((char *) elf->map_address
+			   + elf->start_offset + offset))
 			  & (__alignof__ (Elf32_Shdr) - 1)) == 0))
-		/* We can directly access the memory.  */
-		num = ((Elf32_Shdr *) (elf->map_address + offset))->sh_link;
+		{
+		  /* First see whether the information in the ELF header is
+		     valid and it does not ask for too much.  */
+		  if (unlikely (offset + sizeof (Elf32_Shdr)
+				> elf->maximum_size))
+		    {
+		      /* Something is wrong.  */
+		      __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
+		      result = -1;
+		      goto out;
+		    }
+
+		  /* We can directly access the memory.  */
+		  num = ((Elf32_Shdr *) (elf->map_address + elf->start_offset
+			 + offset))->sh_link;
+		}
 	      else
 		{
 		  /* We avoid reading in all the section headers.  Just read
@@ -129,10 +144,25 @@ elf_getshstrndx (elf, dst)
 	      if (elf->map_address != NULL
 		  && elf->state.elf64.ehdr->e_ident[EI_DATA] == MY_ELFDATA
 		  && (ALLOW_UNALIGNED
-		      || (((size_t) ((char *) elf->map_address + offset))
+		      || (((size_t) ((char *) elf->map_address
+			   + elf->start_offset + offset))
 			  & (__alignof__ (Elf64_Shdr) - 1)) == 0))
-		/* We can directly access the memory.  */
-		num = ((Elf64_Shdr *) (elf->map_address + offset))->sh_link;
+		{
+		  /* First see whether the information in the ELF header is
+		     valid and it does not ask for too much.  */
+		  if (unlikely (offset + sizeof (Elf64_Shdr)
+				> elf->maximum_size))
+		    {
+		      /* Something is wrong.  */
+		      __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
+		      result = -1;
+		      goto out;
+		    }
+
+		  /* We can directly access the memory.  */
+		  num = ((Elf64_Shdr *) (elf->map_address
+			 + elf->start_offset + offset))->sh_link;
+		}
 	      else
 		{
 		  /* We avoid reading in all the section headers.  Just read
--- elfutils-0.108/libelf/elf32_getshdr.c.jj	2005-05-14 00:32:57.000000000 +0200
+++ elfutils-0.108/libelf/elf32_getshdr.c	2005-05-17 15:27:52.000000000 +0200
@@ -71,7 +71,7 @@ elfw2(LIBELFBITS,getshdr) (scn)
 	goto out;
       size_t size = shnum * sizeof (ElfW2(LIBELFBITS,Shdr));
 
-      /* Allocate memory for the program headers.  We know the number
+      /* Allocate memory for the section headers.  We know the number
 	 of entries from the ELF header.  */
       ElfW2(LIBELFBITS,Shdr) *shdr = elf->state.ELFW(elf,LIBELFBITS).shdr =
 	(ElfW2(LIBELFBITS,Shdr) *) malloc (size);
@@ -93,6 +93,16 @@ elfw2(LIBELFBITS,getshdr) (scn)
 		      && (ehdr->e_shoff
 			  & (__alignof__ (ElfW2(LIBELFBITS,Shdr)) - 1)) != 0));
 
+	  /* First see whether the information in the ELF header is
+	     valid and it does not ask for too much.  */
+	  if (unlikely (ehdr->e_shoff >= elf->maximum_size)
+	      || unlikely (ehdr->e_shoff + size > elf->maximum_size))
+	    {
+	      /* Something is wrong.  */
+	      __libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
+	      goto free_and_out;
+	    }
+
 	  /* Now copy the data and at the same time convert the byte
 	     order.  */
 	  if (ALLOW_UNALIGNED
--- elfutils-0.108/libelf/elf_begin.c.jj	2005-05-17 16:18:51.000000000 +0200
+++ elfutils-0.108/libelf/elf_begin.c	2005-05-17 17:31:37.000000000 +0200
@@ -77,7 +77,11 @@ get_shnum (void *map_address, unsigned c
 	  || (((size_t) ((char *) map_address + offset))
 	      & ((is32 ? __alignof__ (Elf32_Ehdr) : __alignof__ (Elf64_Ehdr))
 		 - 1)) == 0))
-    ehdr.p = (char *) map_address + offset;
+    {
+      ehdr.p = (char *) map_address + offset;
+      if (maxsize < (is32 ? sizeof (Elf32_Ehdr) : sizeof (Elf64_Ehdr)))
+	return (size_t) -1l;
+    }
   else
     {
       /* We have to read the data from the file.  */
@@ -111,7 +115,8 @@ get_shnum (void *map_address, unsigned c
 
       if (unlikely (result == 0) && ehdr.e32->e_shoff != 0)
 	{
-	  if (offset + ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize)
+	  if (unlikely (ehdr.e32->e_shoff >= maxsize)
+	      || unlikely (ehdr.e32->e_shoff + sizeof (Elf32_Shdr) > maxsize))
 	    /* Cannot read the first section header.  */
 	    return (size_t) -1l;
 
@@ -147,7 +152,8 @@ get_shnum (void *map_address, unsigned c
 
       if (unlikely (result == 0) && ehdr.e64->e_shoff != 0)
 	{
-	  if (offset + ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize)
+	  if (unlikely (ehdr.e64->e_shoff >= maxsize)
+	      || unlikely (ehdr.e64->e_shoff + sizeof (Elf64_Shdr) > maxsize))
 	    /* Cannot read the first section header.  */
 	    return (size_t) -1l;
 
@@ -224,6 +226,15 @@ file_read_elf (int fildes, void *map_add
     /* Could not determine the number of sections.  */
     return NULL;
 
+  /* Check for too many sections.  */
+  if (e_ident[EI_CLASS] == ELFCLASS32)
+    {
+      if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf32_Shdr)))
+	return NULL;
+    }
+  else if (scncnt > SIZE_MAX / (sizeof (Elf_Scn) + sizeof (Elf64_Shdr)))
+    return NULL;
+
   /* We can now allocate the memory.  */
   elf = allocate_elf (fildes, map_address, offset, maxsize, cmd, parent,
 		      ELF_K_ELF, scncnt * sizeof (Elf_Scn));
@@ -255,15 +270,31 @@ file_read_elf (int fildes, void *map_add
 	  /* We can use the mmapped memory.  */
 	  elf->state.elf32.ehdr =
 	    (Elf32_Ehdr *) ((char *) map_address + offset);
+	  if (unlikely (elf->state.elf32.ehdr->e_shoff >= maxsize)
+	      || unlikely (elf->state.elf32.ehdr->e_shoff
+			   + scncnt * sizeof (Elf32_Shdr) > maxsize))
+	    {
+	    free_and_out:
+	      __libelf_seterrno (ELF_E_INVALID_FILE);
+	      free (elf);
+	      return NULL;
+	    }
 	  elf->state.elf32.shdr =
 	    (Elf32_Shdr *) ((char *) map_address + offset
 			    + elf->state.elf32.ehdr->e_shoff);
 	  if (elf->state.elf32.ehdr->e_phnum)
-	    /* Assign a value only if there really is a program
-	       header.  Otherwise the value remains NULL.  */
-	    elf->state.elf32.phdr
-	      = (Elf32_Phdr *) ((char *) map_address + offset
-				+ elf->state.elf32.ehdr->e_phoff);
+	    {
+	      /* Assign a value only if there really is a program
+		 header.  Otherwise the value remains NULL.  */
+	      if (unlikely (elf->state.elf32.ehdr->e_phoff >= maxsize)
+		  || unlikely (elf->state.elf32.ehdr->e_phoff
+			       + elf->state.elf32.ehdr->e_phnum
+			       * sizeof (Elf32_Phdr) > maxsize))
+		goto free_and_out;
+	      elf->state.elf32.phdr
+		= (Elf32_Phdr *) ((char *) map_address + offset
+				  + elf->state.elf32.ehdr->e_phoff);
+	    }
 
 	  for (size_t cnt = 0; cnt < scncnt; ++cnt)
 	    {
@@ -285,8 +316,7 @@ file_read_elf (int fildes, void *map_add
 		     sizeof (Elf32_Ehdr), offset) != sizeof (Elf32_Ehdr))
 	    {
 	      /* We must be able to read the ELF header.  */
-	      __libelf_seterrno (ELF_E_INVALID_FILE);
-	      return NULL;
+	      goto free_and_out;
 	    }
 
 	  if (e_ident[EI_DATA] != MY_ELFDATA)
@@ -340,15 +370,26 @@ file_read_elf (int fildes, void *map_add
 	  /* We can use the mmapped memory.  */
 	  elf->state.elf64.ehdr =
 	    (Elf64_Ehdr *) ((char *) map_address + offset);
+	  if (unlikely (elf->state.elf64.ehdr->e_shoff >= maxsize)
+	      || unlikely (elf->state.elf64.ehdr->e_shoff
+			   + scncnt * sizeof (Elf64_Shdr) > maxsize))
+	    goto free_and_out;
 	  elf->state.elf64.shdr =
 	    (Elf64_Shdr *) ((char *) map_address + offset
 			    + elf->state.elf64.ehdr->e_shoff);
 	  if (elf->state.elf64.ehdr->e_phnum)
-	    /* Assign a value only if there really is a program
-	       header.  Otherwise the value remains NULL.  */
-	    elf->state.elf64.phdr
-	      = (Elf64_Phdr *) ((char *) map_address + offset
-				+ elf->state.elf64.ehdr->e_phoff);
+	    {
+	      /* Assign a value only if there really is a program
+		 header.  Otherwise the value remains NULL.  */
+	      if (unlikely (elf->state.elf64.ehdr->e_phoff >= maxsize)
+		  || unlikely (elf->state.elf64.ehdr->e_phoff
+			       + elf->state.elf64.ehdr->e_phnum
+			       * sizeof (Elf64_Phdr) > maxsize))
+		goto free_and_out;
+	      elf->state.elf64.phdr
+		= (Elf64_Phdr *) ((char *) map_address + offset
+				  + elf->state.elf64.ehdr->e_phoff);
+	    }
 
 	  for (size_t cnt = 0; cnt < scncnt; ++cnt)
 	    {
@@ -370,8 +411,7 @@ file_read_elf (int fildes, void *map_add
 		     sizeof (Elf64_Ehdr), offset) != sizeof (Elf64_Ehdr))
 	    {
 	      /* We must be able to read the ELF header.  */
-	      __libelf_seterrno (ELF_E_INVALID_FILE);
-	      return NULL;
+	      goto free_and_out;
 	    }
 
 	  if (e_ident[EI_DATA] != MY_ELFDATA)
--- elfutils-0.108/src/elflint.c.jj	2005-05-14 02:22:24.000000000 +0200
+++ elfutils-0.108/src/elflint.c	2005-05-17 18:02:00.000000000 +0200
@@ -309,6 +309,8 @@ section_name (Ebl *ebl, int idx)
     return "<invalid>";
 
   shdr = gelf_getshdr (elf_getscn (ebl->elf, idx), &shdr_mem);
+  if (shdr == NULL)
+    return "<invalid>";
 
   ret = elf_strptr (ebl->elf, shstrndx, shdr->sh_name);
   if (ret == NULL)
@@ -1639,19 +1641,26 @@ section [%2d] '%s': hash table section i
     {
       size_t symsize = symshdr->sh_size / symshdr->sh_entsize;
       size_t cnt;
+      Elf32_Word *buf, *end;
 
       if (nchain < symshdr->sh_size / symshdr->sh_entsize)
 	ERROR (gettext ("section [%2d] '%s': chain array not large enough\n"),
 	       idx, section_name (ebl, idx));
 
+      buf = ((Elf32_Word *) data->d_buf) + 2;
+      end = (Elf32_Word *) ((char *) data->d_buf + shdr->sh_size);
       for (cnt = 2; cnt < 2 + nbucket; ++cnt)
-	if (((Elf32_Word *) data->d_buf)[cnt] >= symsize)
+	if (buf >= end)
+	  return;
+	else if (*buf++ >= symsize)
 	  ERROR (gettext ("\
 section [%2d] '%s': hash bucket reference %zu out of bounds\n"),
 		 idx, section_name (ebl, idx), cnt - 2);
 
       for (; cnt < 2 + nbucket + nchain; ++cnt)
-	if (((Elf32_Word *) data->d_buf)[cnt] >= symsize)
+	if (buf >= end)
+	  return;
+	else if (*buf++ >= symsize)
 	  ERROR (gettext ("\
 section [%2d] '%s': hash chain reference %zu out of bounds\n"),
 		 idx, section_name (ebl, idx), cnt - 2 - nbucket);
@@ -2311,6 +2320,8 @@ phdr[%d]: no note entries defined for th
     return;
 
   char *notemem = gelf_rawchunk (ebl->elf, phdr->p_offset, phdr->p_filesz);
+  if (notemem == NULL)
+    return;
 
   /* ELF64 files often use note section entries in the 32-bit format.
      The p_align field is set to 8 in case the 64-bit format is used.

--- elfutils/src/strip.c
+++ elfutils/src/strip.c
@@ -400,6 +400,7 @@ handle_elf (int fd, Elf *elf, const char
   Elf_Data debuglink_crc_data;
   bool any_symtab_changes = false;
   Elf_Data *shstrtab_data = NULL;
+  size_t shdridx = 0;
 
   /* Create the full name of the file.  */
   if (prefix != NULL)
@@ -531,6 +532,11 @@ handle_elf (int fd, Elf *elf, const char
       goto fail_close;
     }
 
+  if (shstrndx >= shnum)
+    goto illformed;
+
+#define elf_assert(test) do { if (!(test)) goto illformed; } while (0)
+
   /* Storage for section information.  We leave room for two more
      entries since we unconditionally create a section header string
      table.  Maybe some weird tool created an ELF file without one.
@@ -552,7 +558,7 @@ handle_elf (int fd, Elf *elf, const char
     {
       /* This should always be true (i.e., there should not be any
 	 holes in the numbering).  */
-      assert (elf_ndxscn (scn) == cnt);
+      elf_assert (elf_ndxscn (scn) == cnt);
 
       shdr_info[cnt].scn = scn;
 
@@ -565,6 +571,7 @@ handle_elf (int fd, Elf *elf, const char
 					shdr_info[cnt].shdr.sh_name);
       if (shdr_info[cnt].name == NULL)
 	{
+	illformed:
 	  error (0, 0, gettext ("illformed file '%s'"), fname);
 	  goto fail_close;
 	}
@@ -574,6 +581,8 @@ handle_elf (int fd, Elf *elf, const char
 
       /* Remember the shdr.sh_link value.  */
       shdr_info[cnt].old_sh_link = shdr_info[cnt].shdr.sh_link;
+      if (shdr_info[cnt].old_sh_link >= shnum)
+	goto illformed;
 
       /* Sections in files other than relocatable object files which
 	 are not loaded can be freely moved by us.  In relocatable
@@ -586,7 +595,7 @@ handle_elf (int fd, Elf *elf, const char
 	 appropriate reference.  */
       if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB_SHNDX))
 	{
-	  assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
+	  elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx == 0);
 	  shdr_info[shdr_info[cnt].shdr.sh_link].symtab_idx = cnt;
 	}
       else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GROUP))
@@ -605,7 +614,12 @@ handle_elf (int fd, Elf *elf, const char
 	  for (inner = 1;
 	       inner < shdr_info[cnt].data->d_size / sizeof (Elf32_Word);
 	       ++inner)
-	    shdr_info[grpref[inner]].group_idx = cnt;
+	    {
+	      if (grpref[inner] < shnum)
+		shdr_info[grpref[inner]].group_idx = cnt;
+	      else
+		goto illformed;
+	    }
 
 	  if (inner == 1 || (inner == 2 && (grpref[0] & GRP_COMDAT) == 0))
 	    /* If the section group contains only one element and this
@@ -616,7 +630,7 @@ handle_elf (int fd, Elf *elf, const char
 	}
       else if (unlikely (shdr_info[cnt].shdr.sh_type == SHT_GNU_versym))
 	{
-	  assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
+	  elf_assert (shdr_info[shdr_info[cnt].shdr.sh_link].version_idx == 0);
 	  shdr_info[shdr_info[cnt].shdr.sh_link].version_idx = cnt;
 	}
 
@@ -624,7 +638,7 @@ handle_elf (int fd, Elf *elf, const char
 	 discarded right away.  */
       if ((shdr_info[cnt].shdr.sh_flags & SHF_GROUP) != 0)
 	{
-	  assert (shdr_info[cnt].group_idx != 0);
+	  elf_assert (shdr_info[cnt].group_idx != 0);
 
 	  if (shdr_info[shdr_info[cnt].group_idx].idx == 0)
 	    {
@@ -700,10 +714,14 @@ handle_elf (int fd, Elf *elf, const char
 	    {
 	      /* If a relocation section is marked as being removed make
 		 sure the section it is relocating is removed, too.  */
-	      if ((shdr_info[cnt].shdr.sh_type == SHT_REL
-		   || shdr_info[cnt].shdr.sh_type == SHT_RELA)
-		  && shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
-		shdr_info[cnt].idx = 1;
+	      if (shdr_info[cnt].shdr.sh_type == SHT_REL
+		  || shdr_info[cnt].shdr.sh_type == SHT_RELA)
+		{
+		  if (shdr_info[cnt].shdr.sh_info >= shnum)
+		    goto illformed;
+		  else if (shdr_info[shdr_info[cnt].shdr.sh_info].idx != 0)
+		    shdr_info[cnt].idx = 1;
+		}
 	    }
 
 	  if (shdr_info[cnt].idx == 1)
@@ -733,7 +751,7 @@ handle_elf (int fd, Elf *elf, const char
 		  if (shdr_info[cnt].symtab_idx != 0
 		      && shdr_info[shdr_info[cnt].symtab_idx].data == NULL)
 		    {
-		      assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
+		      elf_assert (shdr_info[cnt].shdr.sh_type == SHT_SYMTAB);
 
 		      shdr_info[shdr_info[cnt].symtab_idx].data
 			= elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
@@ -773,6 +791,9 @@ handle_elf (int fd, Elf *elf, const char
 		      else if (scnidx == SHN_XINDEX)
 			scnidx = xndx;
 
+		      if (scnidx >= shnum)
+			goto illformed;
+
 		      if (shdr_info[scnidx].idx == 0)
 			{
 			  /* Mark this section as used.  */
@@ -804,11 +825,15 @@ handle_elf (int fd, Elf *elf, const char
 		}
 
 	      /* Handle references through sh_info.  */
-	      if (SH_INFO_LINK_P (&shdr_info[cnt].shdr)
-		  && shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
+	      if (SH_INFO_LINK_P (&shdr_info[cnt].shdr))
 		{
-		  shdr_info[shdr_info[cnt].shdr.sh_info].idx = 1;
-		  changes |= shdr_info[cnt].shdr.sh_info < cnt;
+		  if (shdr_info[cnt].shdr.sh_info >= shnum)
+		    goto illformed;
+		  else if ( shdr_info[shdr_info[cnt].shdr.sh_info].idx == 0)
+		    {
+		      shdr_info[shdr_info[cnt].shdr.sh_info].idx = 1;
+		      changes |= shdr_info[cnt].shdr.sh_info < cnt;
+		    }
 		}
 
 	      /* Mark the section as investigated.  */
@@ -911,7 +936,7 @@ handle_elf (int fd, Elf *elf, const char
 	  error (EXIT_FAILURE, 0, gettext ("while generating output file: %s"),
 		 elf_errmsg (-1));
 
-	assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
+	elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
 
 	/* Add this name to the section header string table.  */
 	shdr_info[cnt].se = ebl_strtabadd (shst, shdr_info[cnt].name, 0);
@@ -951,7 +976,7 @@ handle_elf (int fd, Elf *elf, const char
 	error (EXIT_FAILURE, 0,
 	       gettext ("while create section header section: %s"),
 	       elf_errmsg (-1));
-      assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
+      elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == shdr_info[cnt].idx);
 
       shdr_info[cnt].data = elf_newdata (shdr_info[cnt].newscn);
       if (shdr_info[cnt].data == NULL)
@@ -982,7 +1007,7 @@ handle_elf (int fd, Elf *elf, const char
     }
 
   /* Index of the section header table in the shdr_info array.  */
-  size_t shdridx = cnt;
+  shdridx = cnt;
 
   /* Add the section header string table section name.  */
   shdr_info[cnt].se = ebl_strtabadd (shst, ".shstrtab", 10);
@@ -1007,7 +1032,7 @@ handle_elf (int fd, Elf *elf, const char
     error (EXIT_FAILURE, 0,
 	   gettext ("while create section header section: %s"),
 	   elf_errmsg (-1));
-  assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
+  elf_assert (elf_ndxscn (shdr_info[cnt].newscn) == idx);
 
   /* Finalize the string table and fill in the correct indices in the
      section headers.  */
@@ -1097,21 +1122,21 @@ handle_elf (int fd, Elf *elf, const char
 		    shndxdata = elf_getdata (shdr_info[shdr_info[cnt].symtab_idx].scn,
 					     NULL);
 
-		    assert ((versiondata->d_size / sizeof (Elf32_Word))
-			    >= shdr_info[cnt].data->d_size / elsize);
+		    elf_assert ((versiondata->d_size / sizeof (Elf32_Word))
+				>= shdr_info[cnt].data->d_size / elsize);
 		  }
 
 		if (shdr_info[cnt].version_idx != 0)
 		  {
-		    assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
+		    elf_assert (shdr_info[cnt].shdr.sh_type == SHT_DYNSYM);
 		    /* This section has associated version
 		       information.  We have to modify that
 		       information, too.  */
 		    versiondata = elf_getdata (shdr_info[shdr_info[cnt].version_idx].scn,
 					       NULL);
 
-		    assert ((versiondata->d_size / sizeof (GElf_Versym))
-			    >= shdr_info[cnt].data->d_size / elsize);
+		    elf_assert ((versiondata->d_size / sizeof (GElf_Versym))
+				>= shdr_info[cnt].data->d_size / elsize);
 		  }
 
 		shdr_info[cnt].newsymidx
@@ -1165,7 +1190,7 @@ handle_elf (int fd, Elf *elf, const char
 		      sec = shdr_info[sym->st_shndx].idx;
 		    else
 		      {
-			assert (shndxdata != NULL);
+			elf_assert (shndxdata != NULL);
 
 			sec = shdr_info[xshndx].idx;
 		      }
@@ -1186,7 +1211,7 @@ handle_elf (int fd, Elf *elf, const char
 			    nxshndx = sec;
 			  }
 
-			assert (sec < SHN_LORESERVE || shndxdata != NULL);
+			elf_assert (sec < SHN_LORESERVE || shndxdata != NULL);
 
 			if ((inner != destidx || nshndx != sym->st_shndx
 			     || (shndxdata != NULL && nxshndx != xshndx))
@@ -1209,7 +1234,7 @@ handle_elf (int fd, Elf *elf, const char
 		    else
 		      /* This is a section symbol for a section which has
 			 been removed.  */
-		      assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION);
+		      elf_assert (GELF_ST_TYPE (sym->st_info) == STT_SECTION);
 		  }
 
 		if (destidx != inner)
@@ -1373,11 +1398,11 @@ handle_elf (int fd, Elf *elf, const char
 		    {
 		      GElf_Sym sym_mem;
 		      GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
-		      assert (sym != NULL);
+		      elf_assert (sym != NULL);
 
 		      const char *name = elf_strptr (elf, strshndx,
 						     sym->st_name);
-		      assert (name != NULL);
+		      elf_assert (name != NULL);
 		      size_t hidx = elf_hash (name) % nbucket;
 
 		      if (bucket[hidx] == 0)
@@ -1396,8 +1421,8 @@ handle_elf (int fd, Elf *elf, const char
 	      else
 		{
 		  /* Alpha and S390 64-bit use 64-bit SHT_HASH entries.  */
-		  assert (shdr_info[cnt].shdr.sh_entsize
-			  == sizeof (Elf64_Xword));
+		  elf_assert (shdr_info[cnt].shdr.sh_entsize
+			      == sizeof (Elf64_Xword));
 
 		  Elf64_Xword *bucket = (Elf64_Xword *) hashd->d_buf;
 
@@ -1430,11 +1455,11 @@ handle_elf (int fd, Elf *elf, const char
 		    {
 		      GElf_Sym sym_mem;
 		      GElf_Sym *sym = gelf_getsym (symd, inner, &sym_mem);
-		      assert (sym != NULL);
+		      elf_assert (sym != NULL);
 
 		      const char *name = elf_strptr (elf, strshndx,
 						     sym->st_name);
-		      assert (name != NULL);
+		      elf_assert (name != NULL);
 		      size_t hidx = elf_hash (name) % nbucket;
 
 		      if (bucket[hidx] == 0)
--- elfutils/src/readelf.c
+++ elfutils/src/readelf.c
@@ -947,6 +947,7 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
   GElf_Shdr *symshdr;
   Elf_Data *symdata;
   GElf_Sym sym_mem;
+  GElf_Sym *sym;
   size_t cnt;
   size_t shstrndx;
 
@@ -966,6 +967,8 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
     error (EXIT_FAILURE, 0,
 	   gettext ("cannot get section header string table index"));
 
+  sym = gelf_getsym (symdata, shdr->sh_info, &sym_mem);
+
   grpref = (Elf32_Word *) data->d_buf;
 
   printf ((grpref[0] & GRP_COMDAT)
@@ -980,8 +983,8 @@ handle_scngrp (Ebl *ebl, Elf_Scn *scn, G
 		      data->d_size / sizeof (Elf32_Word) - 1),
 	  elf_ndxscn (scn),
 	  elf_strptr (ebl->elf, shstrndx, shdr->sh_name),
-	  elf_strptr (ebl->elf, symshdr->sh_link,
-		      gelf_getsym (symdata, shdr->sh_info, &sym_mem)->st_name)
+	  (sym == NULL ? NULL
+	   : elf_strptr (ebl->elf, symshdr->sh_link, sym->st_name))
 	  ?: gettext ("<INVALID SYMBOL>"),
 	  data->d_size / sizeof (Elf32_Word) - 1);
 
@@ -1135,7 +1138,8 @@ static void
 handle_dynamic (Ebl *ebl, Elf_Scn *scn, GElf_Shdr *shdr)
 {
   int class = gelf_getclass (ebl->elf);
-  GElf_Shdr glink;
+  GElf_Shdr glink_mem;
+  GElf_Shdr *glink;
   Elf_Data *data;
   size_t cnt;
   size_t shstrndx;
@@ -1150,6 +1154,11 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn, 
     error (EXIT_FAILURE, 0,
 	   gettext ("cannot get section header string table index"));
 
+  glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
+  if (glink == NULL)
+    error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
+	   elf_ndxscn (scn));
+
   printf (ngettext ("\
 \nDynamic segment contains %lu entry:\n Addr: %#0*" PRIx64 "  Offset: %#08" PRIx64 "  Link to section: [%2u] '%s'\n",
 		    "\
@@ -1159,9 +1168,7 @@ handle_dynamic (Ebl *ebl, Elf_Scn *scn, 
 	  class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
 	  shdr->sh_offset,
 	  (int) shdr->sh_link,
-	  elf_strptr (ebl->elf, shstrndx,
-		      gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
-				    &glink)->sh_name));
+	  elf_strptr (ebl->elf, shstrndx, glink->sh_name));
   fputs_unlocked (gettext ("  Type              Value\n"), stdout);
 
   for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
@@ -1656,7 +1663,8 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
   unsigned int cnt;
   Elf32_Word verneed_stridx = 0;
   Elf32_Word verdef_stridx = 0;
-  GElf_Shdr glink;
+  GElf_Shdr glink_mem;
+  GElf_Shdr *glink;
   size_t shstrndx;
 
   /* Get the data of the section.  */
@@ -1701,6 +1709,11 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
     error (EXIT_FAILURE, 0,
 	   gettext ("cannot get section header string table index"));
 
+  glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
+  if (glink == NULL)
+    error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
+	   elf_ndxscn (scn));
+
   /* Now we can compute the number of entries in the section.  */
   nsyms = data->d_size / (class == ELFCLASS32
 			  ? sizeof (Elf32_Sym) : sizeof (Elf64_Sym));
@@ -1715,9 +1728,7 @@ handle_symtab (Ebl *ebl, Elf_Scn *scn, G
 		    shdr->sh_info),
 	  (unsigned long int) shdr->sh_info,
 	  (unsigned int) shdr->sh_link,
-	  elf_strptr (ebl->elf, shstrndx,
-		      gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
-				    &glink)->sh_name));
+	  elf_strptr (ebl->elf, shstrndx, glink->sh_name));
 
   fputs_unlocked (class == ELFCLASS32
 		  ? gettext ("\
@@ -1945,7 +1956,8 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn, 
 {
   Elf_Data *data;
   int class = gelf_getclass (ebl->elf);
-  GElf_Shdr glink;
+  GElf_Shdr glink_mem;
+  GElf_Shdr *glink;
   int cnt;
   unsigned int offset;
   size_t shstrndx;
@@ -1960,6 +1972,11 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn, 
     error (EXIT_FAILURE, 0,
 	   gettext ("cannot get section header string table index"));
 
+  glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
+  if (glink == NULL)
+    error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
+	   elf_ndxscn (scn));
+
   printf (ngettext ("\
 \nVersion needs section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 "  Offset: %#08" PRIx64 "  Link to section: [%2u] '%s'\n",
 		    "\
@@ -1970,9 +1987,7 @@ handle_verneed (Ebl *ebl, Elf_Scn *scn, 
 	  class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
 	  shdr->sh_offset,
 	  (unsigned int) shdr->sh_link,
-	  elf_strptr (ebl->elf, shstrndx,
-		      gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
-				    &glink)->sh_name));
+	  elf_strptr (ebl->elf, shstrndx, glink->sh_name));
 
   offset = 0;
   for (cnt = shdr->sh_info; --cnt >= 0; )
@@ -2022,7 +2037,8 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
 {
   Elf_Data *data;
   int class = gelf_getclass (ebl->elf);
-  GElf_Shdr glink;
+  GElf_Shdr glink_mem;
+  GElf_Shdr *glink;
   int cnt;
   unsigned int offset;
   size_t shstrndx;
@@ -2037,6 +2053,11 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
     error (EXIT_FAILURE, 0,
 	   gettext ("cannot get section header string table index"));
 
+  glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
+  if (glink == NULL)
+    error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
+	   elf_ndxscn (scn));
+
   printf (ngettext ("\
 \nVersion definition section [%2u] '%s' contains %d entry:\n Addr: %#0*" PRIx64 "  Offset: %#08" PRIx64 "  Link to section: [%2u] '%s'\n",
 		    "\
@@ -2048,9 +2069,7 @@ handle_verdef (Ebl *ebl, Elf_Scn *scn, G
 	  class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
 	  shdr->sh_offset,
 	  (unsigned int) shdr->sh_link,
-	  elf_strptr (ebl->elf, shstrndx,
-		      gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
-				    &glink)->sh_name));
+	  elf_strptr (ebl->elf, shstrndx, glink->sh_name));
 
   offset = 0;
   for (cnt = shdr->sh_info; --cnt >= 0; )
@@ -2106,7 +2125,8 @@ handle_versym (Ebl *ebl, Elf_Scn *scn, G
   Elf_Data *data;
   int class = gelf_getclass (ebl->elf);
   Elf_Scn *verscn;
-  GElf_Shdr glink;
+  GElf_Shdr glink_mem;
+  GElf_Shdr *glink;
   Elf_Scn *defscn;
   Elf_Scn *needscn;
   const char **vername;
@@ -2125,6 +2145,11 @@ handle_versym (Ebl *ebl, Elf_Scn *scn, G
     error (EXIT_FAILURE, 0,
 	   gettext ("cannot get section header string table index"));
 
+  glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link), &glink_mem);
+  if (glink == NULL)
+    error (EXIT_FAILURE, 0, gettext ("invalid sh_link value in section %Zu"),
+	   elf_ndxscn (scn));
+
   /* We have to find the version definition section and extract the
      version names.  */
   defscn = NULL;
@@ -2347,9 +2372,7 @@ handle_versym (Ebl *ebl, Elf_Scn *scn, G
 	  class == ELFCLASS32 ? 10 : 18, shdr->sh_addr,
 	  shdr->sh_offset,
 	  (unsigned int) shdr->sh_link,
-	  elf_strptr (ebl->elf, shstrndx,
-		      gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
-				    &glink)->sh_name));
+	  elf_strptr (ebl->elf, shstrndx, glink->sh_name));
 
   /* Now we can finally look at the actual contents of this section.  */
   for (cnt = 0; cnt < shdr->sh_size / shdr->sh_entsize; ++cnt)
@@ -2425,7 +2448,8 @@ handle_hash (Ebl *ebl)
 	  Elf32_Word maxlength = 0;
 	  Elf32_Word nsyms = 0;
 	  uint64_t nzero_counts = 0;
-	  GElf_Shdr glink;
+	  GElf_Shdr glink_mem;
+	  GElf_Shdr *glink;
 
 	  if (data == NULL)
 	    {
@@ -2434,6 +2458,16 @@ handle_hash (Ebl *ebl)
 	      continue;
 	    }
 
+
+	  glink = gelf_getshdr (elf_getscn (ebl->elf, shdr->sh_link),
+				&glink_mem);
+	  if (glink == NULL)
+	    {
+	      error (0, 0, gettext ("invalid sh_link value in section %Zu"),
+		     elf_ndxscn (scn));
+	      continue;
+	    }
+
 	  nbucket = ((Elf32_Word *) data->d_buf)[0];
 	  nchain = ((Elf32_Word *) data->d_buf)[1];
 	  bucket = &((Elf32_Word *) data->d_buf)[2];
@@ -2451,10 +2485,7 @@ handle_hash (Ebl *ebl)
 		  shdr->sh_addr,
 		  shdr->sh_offset,
 		  (unsigned int) shdr->sh_link,
-		  elf_strptr (ebl->elf, shstrndx,
-			      gelf_getshdr (elf_getscn (ebl->elf,
-							shdr->sh_link),
-					    &glink)->sh_name));
+		  elf_strptr (ebl->elf, shstrndx, glink->sh_name));
 
 	  lengths = (uint32_t *) xcalloc (nbucket, sizeof (uint32_t));
 