From: Alan Modra
Date: Sat, 1 Dec 2018 11:22:37 +0000 (+1030)
Subject: PR23946, illegal memory access in readelf.c:slurp_ia64_unwind_table
X-Git-Tag: users/ARM/embedded-binutils-master-2018q4~64
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4770fb94ee04ef767cb2c171a24168d2b5acca04;p=platform%2Fupstream%2Fbinutils.git

PR23946, illegal memory access in readelf.c:slurp_ia64_unwind_table

PR 23946
* readelf.c (slurp_ia64_unwind_table): Bounds check symbol index on reloc.
(slurp_hppa_unwind_table): Likewise.
---
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index ccaa9c9..612b0ed 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,5 +1,12 @@
 2018-12-01 Alan Modra
 
+ PR 23946
+ * readelf.c (slurp_ia64_unwind_table): Bounds check symbol index
+ on reloc.
+ (slurp_hppa_unwind_table): Likewise.
+
+2018-12-01 Alan Modra
+
 PR 23945
 * readelf.c (slurp_ia64_unwind_table): Don't call elf_ia64_reloc_type needlessly.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 9eb5931..9969e46 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -7597,9 +7597,9 @@ slurp_ia64_unwind_table (Filedata * filedata,
 
 for (rp = rela; rp < rela + nrelas; ++rp)
 {
+ unsigned int sym_ndx;
 unsigned int r_type = get_reloc_type (filedata, rp->r_info);
 relname = elf_ia64_reloc_type (r_type);
- sym = aux->symtab + get_reloc_symindex (rp->r_info);
 
 /* PR 17531: file: 9fa67536. */
 if (relname == NULL)
@@ -7623,6 +7623,15 @@ slurp_ia64_unwind_table (Filedata * filedata,
 continue;
 }
 
+ sym_ndx = get_reloc_symindex (rp->r_info);
+ if (sym_ndx >= aux->nsyms)
+ {
+ warn (_("Skipping reloc with invalid symbol index: %u\n"),
+ sym_ndx);
+ continue;
+ }
+ sym = aux->symtab + sym_ndx;
+
 switch (rp->r_offset / eh_addr_size % 3)
 {
 case 0:
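Review bot: The bounds check added in the second readelf.c hunk has no comment naming the bug it closes, while the neighbouring hardening check in the same loop is tagged `/* PR 17531: file: 9fa67536. */`. I would put `/* PR 23946: the reloc's symbol index must lie inside aux->symtab.  */` above `sym_ndx = get_reloc_symindex (rp->r_info);`, and the same above the identical check in the slurp_hppa_unwind_table hunk. The check is only as strong as aux->nsyms, which is set outside this diff; it presumably counts the entries actually read into aux->symtab, and that is worth confirming for a file with no symbol table. The loop body starts and ends outside the hunk.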
@@ -8053,9 +8062,9 @@ slurp_hppa_unwind_table (Filedata * filedata,
 
 for (rp = rela; rp < rela + nrelas; ++rp)
 {
+ unsigned int sym_ndx;
 unsigned int r_type = get_reloc_type (filedata, rp->r_info);
 relname = elf_hppa_reloc_type (r_type);
- sym = aux->symtab + get_reloc_symindex (rp->r_info);
 
 if (relname == NULL)
 {
@@ -8077,6 +8086,15 @@ slurp_hppa_unwind_table (Filedata * filedata,
 continue;
 }
 
+ sym_ndx = get_reloc_symindex (rp->r_info);
+ if (sym_ndx >= aux->nsyms)
+ {
+ warn (_("Skipping reloc with invalid symbol index: %u\n"),
+ sym_ndx);
+ continue;
+ }
+ sym = aux->symtab + sym_ndx;
+
 switch ((rp->r_offset % unw_ent_size) / 4)
 {
 case 0:
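Review bot: The nine lines added before the `switch` in slurp_hppa_unwind_table are a copy of the ones added to slurp_ia64_unwind_table, so the two architecture-specific parsers each carry their own instance of the same input validation and can drift apart on the next fix. A small static helper that returns the symbol, or NULL after warning, would keep a single copy; each loop would then read `sym = unwind_reloc_sym (aux->symtab, aux->nsyms, rp->r_info); if (sym == NULL) continue;`. The helper name and its parameter types are a sketch inferred from how the hunk uses the values and need checking against the declarations, which are outside the diff. The loop body starts and ends outside the hunk.

```c
/* Return the symbol a reloc refers to, or NULL (after warning) when the
   index is outside the NSYMS entries of SYMTAB.  */
static Elf_Internal_Sym *
unwind_reloc_sym (Elf_Internal_Sym *symtab, unsigned long nsyms,
		  bfd_vma r_info)
{
  unsigned int sym_ndx = get_reloc_symindex (r_info);

  if (sym_ndx >= nsyms)
    {
      warn (_("Skipping reloc with invalid symbol index: %u\n"), sym_ndx);
      return NULL;
    }
  return symtab + sym_ndx;
}
```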