#441 Null dereference in timestamp() of readelf.c

[antiAgainst]

Based on r2983.

In summary, the return value of gmtime() at line 2661 in readelf.c is not checked against NULL. Large value of type time_t on 64-bit machines cannot be handled by gmtime(), gmtime() will return NULL. A post about this on stackoverflow. Test program attached. Command is readelf -a readelf-5-293-A. gdb outputs:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004063b1 in timestamp (ti=-185773484621168596) at readelf.c:2662
2662            snprintf(ts, sizeof(ts), "%04d-%02d-%02dT%02d:%02d:%02d",

#0  0x00000000004063b1 in timestamp (ti=-185773484621168596) at readelf.c:2662
#1  0x000000000040665f in dump_arch_dyn_val (re=0x7fffffffd4f0, dyn=0x7fffffffd440, stab=0) at readelf.c:2747
#2  0x00000000004066cb in dump_dyn_val (re=0x7fffffffd4f0, dyn=0x7fffffffd440, stab=0) at readelf.c:2763
#3  0x000000000040634f in dump_dynamic (re=0x7fffffffd4f0) at readelf.c:2647
#4  0x0000000000410b67 in dump_elf (re=0x7fffffffd4f0) at readelf.c:6208
#5  0x000000000041139a in dump_object (re=0x7fffffffd4f0) at readelf.c:6374
#6  0x00000000004123ea in main (argc=1, argv=0x7fffffffd6d8) at readelf.c:6841

timestamp() is called by dump_arch_dyn_val(). br readelf.c:2689 in dump_arch_dyn_val(), p re->ehdr.e_machine is 8 (EM_MIPS). p dyn->d_tag is 0x70000002 (DT_MIPS_TIME_STAMP). p /x dyn->d_un.d_val is 0xfd6c00000078002c (a very large value).

[Ed Maste]

Not reproducible on FreeBSD - I see:

...
Dynamic section at offset 0x1f0 contains 2 entries:
  Tag                Type                  Name/Value
 0x0000000070000002 MIPS_TIME_STAMP      1900-01-00T00:00:00
 0x0000000000000000 NULL                 0x0
Symbol table (ERROR) contains 2 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
...

Needs review & testing on other OS