This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
Don't exceed reloc array bounds
- From: Alan Modra <amodra at gmail dot com>
- To: binutils at sourceware dot org
- Date: Wed, 21 Mar 2018 21:37:12 +1030
- Subject: Don't exceed reloc array bounds
* elf64-ppc.c (ppc64_elf_relocate_section): Don't access rel[1]
without first checking array bounds.
* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
diff --git a/bfd/elf32-ppc.c b/bfd/elf32-ppc.c
index 66bbf0d..182dc2a 100644
--- a/bfd/elf32-ppc.c
+++ b/bfd/elf32-ppc.c
@@ -8000,7 +8000,8 @@ ppc_elf_relocate_section (bfd *output_bfd,
break;
case R_PPC_TLSGD:
- if ((tls_mask & TLS_TLS) != 0 && (tls_mask & TLS_GD) == 0)
+ if ((tls_mask & TLS_TLS) != 0 && (tls_mask & TLS_GD) == 0
+ && rel + 1 < relend)
{
unsigned int insn2;
bfd_vma offset = rel->r_offset;
@@ -8027,7 +8028,8 @@ ppc_elf_relocate_section (bfd *output_bfd,
break;
case R_PPC_TLSLD:
- if ((tls_mask & TLS_TLS) != 0 && (tls_mask & TLS_LD) == 0)
+ if ((tls_mask & TLS_TLS) != 0 && (tls_mask & TLS_LD) == 0
+ && rel + 1 < relend)
{
unsigned int insn2;
diff --git a/bfd/elf64-ppc.c b/bfd/elf64-ppc.c
index 889bdb0..7155aeb 100644
--- a/bfd/elf64-ppc.c
+++ b/bfd/elf64-ppc.c
@@ -13897,7 +13897,8 @@ ppc64_elf_relocate_section (bfd *output_bfd,
break;
case R_PPC64_TLSGD:
- if (tls_mask != 0 && (tls_mask & TLS_GD) == 0)
+ if (tls_mask != 0 && (tls_mask & TLS_GD) == 0
+ && rel + 1 < relend)
{
unsigned int insn2;
bfd_vma offset = rel->r_offset;
@@ -13931,7 +13932,8 @@ ppc64_elf_relocate_section (bfd *output_bfd,
break;
case R_PPC64_TLSLD:
- if (tls_mask != 0 && (tls_mask & TLS_LD) == 0)
+ if (tls_mask != 0 && (tls_mask & TLS_LD) == 0
+ && rel + 1 < relend)
{
unsigned int insn2;
bfd_vma offset = rel->r_offset;
--
Alan Modra
Australia Development Lab, IBM