Fix a seg-fault when processing a corrupt binary containing reloc(s) with negative...

	PR binutils/21434
	* reloc.c (bfd_perform_relocation): Check for a negative address
	in the reloc.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index c75897c..26b3572 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2017-04-26  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21434
+       * reloc.c (bfd_perform_relocation): Check for a negative address
+       in the reloc.
+

 2017-04-26  Maciej W. Rozycki  <macro@imgtec.com>
 
        PR ld/21334
 2017-04-26  Maciej W. Rozycki  <macro@imgtec.com>
 
        PR ld/21334

diff --git a/bfd/reloc.c b/bfd/reloc.c
index 2791458..9a04022 100644 (file)
--- a/bfd/reloc.c
+++ b/bfd/reloc.c
@@ -624,7 +624,10 @@ bfd_perform_relocation (bfd *abfd,
      PR 17512: file: c146ab8b, 46dff27f, 38e53ebf.  */
   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
   if (octets + bfd_get_reloc_size (howto)
      PR 17512: file: c146ab8b, 46dff27f, 38e53ebf.  */
   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
   if (octets + bfd_get_reloc_size (howto)

-      > bfd_get_section_limit_octets (abfd, input_section))
+      > bfd_get_section_limit_octets (abfd, input_section)
+      /* Check for an overly large offset which
+        masquerades as a negative value too.  */
+      || (octets + bfd_get_reloc_size (howto) < bfd_get_reloc_size (howto)))

     return bfd_reloc_outofrange;
 
   /* Work out which section the relocation is targeted at and the
     return bfd_reloc_outofrange;
 
   /* Work out which section the relocation is targeted at and the