PR24336, buffer overflow in swap_reloca_in

	PR 24336
	* elflink.c (elf_link_read_relocs_from_section): Handle fuzzed
	object files with sh_size not a multiple of sh_entsize.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index a072ade..b1011b1 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2019-03-15  Alan Modra  <amodra@gmail.com>
+
+       PR 24336
+       * elflink.c (elf_link_read_relocs_from_section): Handle fuzzed
+       object files with sh_size not a multiple of sh_entsize.
+
 2019-03-15  H.J. Lu  <hongjiu.lu@intel.com>
 
        PR ld/24338

diff --git a/bfd/elflink.c b/bfd/elflink.c
index 3413726..2600c39 100644 (file)
--- a/bfd/elflink.c
+++ b/bfd/elflink.c
@@ -2523,9 +2523,11 @@ elf_link_read_relocs_from_section (bfd *abfd,
     }
 
   erela = (const bfd_byte *) external_relocs;
-  erelaend = erela + shdr->sh_size;
+  /* Setting erelaend like this and comparing with <= handles case of
+     a fuzzed object with sh_size not a multiple of sh_entsize.  */
+  erelaend = erela + shdr->sh_size - shdr->sh_entsize;
   irela = internal_relocs;
-  while (erela < erelaend)
+  while (erela <= erelaend)
     {
       bfd_vma r_symndx;