PR binutils/22875: IQ2000/ELF: Prevent an out-of-bounds howto table access

Prevent an out-of-bounds `iq2000_elf_howto_table' table access in
`iq2000_info_to_howto_rela' by using the size of the table rather than
R_IQ2000_max to determine the number of entries in the contiguous
regular IQ2000 relocation range defined and described in the table.

	bfd/
	* elf32-iq2000.c (iq2000_info_to_howto_rela): Correct the range
	check for `iq2000_elf_howto_table' table access.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 072ad98..8e1df6d 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,10 @@
 2018-04-04  Maciej W. Rozycki  <macro@mips.com>
 
+       * elf32-iq2000.c (iq2000_info_to_howto_rela): Correct the range
+       check for `iq2000_elf_howto_table' table access.
+
+2018-04-04  Maciej W. Rozycki  <macro@mips.com>
+
        * elf32-frv.c (frv_info_to_howto_rela): Correct the range check
        for `elf32_frv_howto_table' table access.
 

diff --git a/bfd/elf32-iq2000.c b/bfd/elf32-iq2000.c
index d1ce3c8..e616766 100644 (file)
--- a/bfd/elf32-iq2000.c
+++ b/bfd/elf32-iq2000.c
@@ -22,6 +22,7 @@
 #include "libbfd.h"
 #include "elf-bfd.h"
 #include "elf/iq2000.h"
+#include "libiberty.h"
 
 /* Forward declarations.  */
 
@@ -435,7 +436,7 @@ iq2000_info_to_howto_rela (bfd * abfd ATTRIBUTE_UNUSED,
       break;
 
     default:
-      if (r_type >= (unsigned int) R_IQ2000_max)
+      if (r_type >= ARRAY_SIZE (iq2000_elf_howto_table))
        {
          /* xgettext:c-format */
          _bfd_error_handler (_("%pB: unsupported relocation type %#x"),