PR28175, Segment fault in coff-tic30.c reloc_processing

The obj_convert table shouldn't be accessed without first checking the index against the table size. PR 28175 * coff-tic30.c (reloc_processing): Sanity check reloc symbol index. * coff-z80.c (reloc_processing): Likewise. * coff-z8k.c (reloc_processing): Likewise.
2021-08-06 20:48:41 +09:30 · 2021-08-06 20:48:41 +09:30 · e039f7ed86
commit e039f7ed86
parent a379e7588c
3 changed files with 30 additions and 9 deletions
--- a/bfd/coff-tic30.c
+++ b/bfd/coff-tic30.c
@ -161,11 +161,18 @@ reloc_processing (arelent *relent,
  relent->address = reloc->r_vaddr;
  rtype2howto (relent, reloc);

-  if (reloc->r_symndx > 0)
+  if (reloc->r_symndx == -1)
+    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+  else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd))
    relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx];
  else
-    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
-
+    {
+      _bfd_error_handler
+	/* xgettext:c-format */
+	(_("%pB: warning: illegal symbol index %ld in relocs"),
+	 abfd, reloc->r_symndx);
+      relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+    }
  relent->addend = reloc->r_offset;
  relent->address -= section->vma;
 }
--- a/bfd/coff-z80.c
+++ b/bfd/coff-z80.c
@ -314,11 +314,18 @@ reloc_processing (arelent *relent,
  relent->address = reloc->r_vaddr;
  rtype2howto (relent, reloc);

-  if (reloc->r_symndx > 0)
+  if (reloc->r_symndx == -1)
+    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+  else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd))
    relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx];
  else
-    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
-
+    {
+      _bfd_error_handler
+	/* xgettext:c-format */
+	(_("%pB: warning: illegal symbol index %ld in relocs"),
+	 abfd, reloc->r_symndx);
+      relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+    }
  relent->addend = reloc->r_offset;
  relent->address -= section->vma;
 }
--- a/bfd/coff-z8k.c
+++ b/bfd/coff-z8k.c
@ -177,11 +177,18 @@ reloc_processing (arelent *relent,
  relent->address = reloc->r_vaddr;
  rtype2howto (relent, reloc);

-  if (reloc->r_symndx > 0)
+  if (reloc->r_symndx == -1)
+    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+  else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd))
    relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx];
  else
-    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
-
+    {
+      _bfd_error_handler
+	/* xgettext:c-format */
+	(_("%pB: warning: illegal symbol index %ld in relocs"),
+	 abfd, reloc->r_symndx);
+      relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+    }
  relent->addend = reloc->r_offset;
  relent->address -= section->vma;
 }