PR28175, Segment fault in coff-tic30.c reloc_processing

Message ID YQ06SlmqhjhuW9b6@squeak.grove.modra.org
State New
Series
  • PR28175, Segment fault in coff-tic30.c reloc_processing

Commit Message

Alan Modra via Binutils Aug. 6, 2021, 1:34 p.m.
The obj_convert table shouldn't be accessed without first checking the
index against the table size.

	PR 28175
	* coff-tic30.c (reloc_processing): Sanity check reloc symbol index.
	* coff-z80.c (reloc_processing): Likewise.
	* coff-z8k.c (reloc_processing): Likewise.


-- 
Alan Modra
Australia Development Lab, IBM

Patch

diff --git a/bfd/coff-tic30.c b/bfd/coff-tic30.c
index a3ea69e1a3f..01ca6cb2170 100644
--- a/bfd/coff-tic30.c
+++ b/bfd/coff-tic30.c
@@ -161,11 +161,18 @@  reloc_processing (arelent *relent,
   relent->address = reloc->r_vaddr;
   rtype2howto (relent, reloc);
 
-  if (reloc->r_symndx > 0)
+  if (reloc->r_symndx == -1)
+    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+  else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd))
     relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx];
   else
-    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
-
+    {
+      _bfd_error_handler
+	/* xgettext:c-format */
+	(_("%pB: warning: illegal symbol index %ld in relocs"),
+	 abfd, reloc->r_symndx);
+      relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+    }
   relent->addend = reloc->r_offset;
   relent->address -= section->vma;
 }
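Review bot: The new `r_symndx >= 0` branch also changes what happens for index 0, which the old `r_symndx > 0` test sent to the absolute section symbol and which is now looked up through `obj_convert`; neither the commit message nor the code says this is intended. A short comment above the chain would record the contract, for example `/* -1 means "no symbol"; every other index must fall inside the conversion table. */`. The out-of-range branch only warns and then substitutes the absolute section symbol, so a malformed object still yields a relocation that looks valid to callers. It is worth confirming that continuing is preferred to failing the read here. The same ten lines are repeated verbatim in the coff-z80.c and coff-z8k.c hunks, so the comment applies there too and a shared helper would keep the three copies from drifting; `reloc_processing` starts outside each hunk.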
diff --git a/bfd/coff-z80.c b/bfd/coff-z80.c
index c0f1739dfcb..632ac0fb3cd 100644
--- a/bfd/coff-z80.c
+++ b/bfd/coff-z80.c
@@ -314,11 +314,18 @@  reloc_processing (arelent *relent,
   relent->address = reloc->r_vaddr;
   rtype2howto (relent, reloc);
 
-  if (reloc->r_symndx > 0)
+  if (reloc->r_symndx == -1)
+    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+  else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd))
     relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx];
   else
-    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
-
+    {
+      _bfd_error_handler
+	/* xgettext:c-format */
+	(_("%pB: warning: illegal symbol index %ld in relocs"),
+	 abfd, reloc->r_symndx);
+      relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+    }
   relent->addend = reloc->r_offset;
   relent->address -= section->vma;
 }
diff --git a/bfd/coff-z8k.c b/bfd/coff-z8k.c
index 6cd5d652ade..e4d4d3f1581 100644
--- a/bfd/coff-z8k.c
+++ b/bfd/coff-z8k.c
@@ -177,11 +177,18 @@  reloc_processing (arelent *relent,
   relent->address = reloc->r_vaddr;
   rtype2howto (relent, reloc);
 
-  if (reloc->r_symndx > 0)
+  if (reloc->r_symndx == -1)
+    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+  else if (reloc->r_symndx >= 0 && reloc->r_symndx < obj_conv_table_size (abfd))
     relent->sym_ptr_ptr = symbols + obj_convert (abfd)[reloc->r_symndx];
   else
-    relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
-
+    {
+      _bfd_error_handler
+	/* xgettext:c-format */
+	(_("%pB: warning: illegal symbol index %ld in relocs"),
+	 abfd, reloc->r_symndx);
+      relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+    }
   relent->addend = reloc->r_offset;
   relent->address -= section->vma;
 }