For PR 14055, add bounds check to _dl_show_auxv().

3 files changed, 10 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 5e4ce0d156..bcca473dd8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-05-02  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #14055]
+	* elf/dl-sysdep.c (_dl_show_auxv): Add bounds check.
+
 2012-05-02  Andreas Jaeger  <aj@suse.de>
 
 	* math/Makefile (CPPFLAGS-test-ildoubl.c): Add -frounding-math
diff --git a/NEWS b/NEWS
index aebe7918fd..12045f6414 100644
--- a/NEWS
+++ b/NEWS
@@ -23,7 +23,7 @@ Version 2.16
   13873, 13879, 13883, 13886, 13892, 13895, 13908, 13910, 13911, 13912,
   13913, 13915, 13916, 13917, 13918, 13919, 13920, 13921, 13924, 13926,
   13927, 13928, 13938, 13941, 13942, 13963, 13967, 13970, 13973, 14027,
-  14033, 14034, 14040
+  14033, 14034, 14040, 14055
 
 * ISO C11 support:
 
diff --git a/elf/dl-sysdep.c b/elf/dl-sysdep.c
index 1cb4460a02..ea505a646f 100644
--- a/elf/dl-sysdep.c
+++ b/elf/dl-sysdep.c
@@ -1,5 +1,5 @@
 /* Operating system support for run-time dynamic linker.  Generic Unix version.
-   Copyright (C) 1995-1998,2000-2008,2009,2010
+   Copyright (C) 1995-1998,2000-2010,2012
 	Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -303,7 +303,9 @@ _dl_show_auxv (void)
 	};
       unsigned int idx = (unsigned int) (av->a_type - 2);
 
-      if ((unsigned int) av->a_type < 2u || auxvars[idx].form == ignore)
+      if ((unsigned int) av->a_type < 2u
+	  || (idx < sizeof (auxvars) / sizeof (auxvars[0])
+	      && auxvars[idx].form == ignore))
 	continue;
 
       assert (AT_NULL == 0);