From ec1f73bb0be7482f2dffd9bbca2f93fc74eca172 Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Mon, 1 Feb 2016 21:27:02 +1030 Subject: [PATCH] x86 synthetic plt symbols Changing "pushq $1" in the following to "pushq $too_big" results in an abort. BFD shouldn't abort on (deliberately) bad user input. 400480: ff 25 9a 0b 20 00 jmpq *0x200b9a(%rip) 400486: 68 01 00 00 00 pushq $0x1 40048b: e9 d0 ff ff ff jmpq 400460 <_init+0x20> * elf64-x86-64.c (elf_x86_64_get_plt_sym_val): Don't abort on an out of range reloc_index. * elf32-i386.c (elf_i386_get_plt_sym_val): Likewise. --- bfd/ChangeLog | 6 ++++++ bfd/elf32-i386.c | 6 +++--- bfd/elf64-x86-64.c | 23 ++++++++++++----------- 3 files changed, 21 insertions(+), 14 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 8648c50..f75631e 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2016-02-01 Alan Modra + + * elf64-x86-64.c (elf_x86_64_get_plt_sym_val): Don't abort on + an out of range reloc_index. + * elf32-i386.c (elf_i386_get_plt_sym_val): Likewise. + 2016-02-01 Kamil Rytarowski * Makefile.am (OPTIONAL_BACKENDS): Add netbsd-core.lo. diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c index 81a95e0..ccd0135 100644 --- a/bfd/elf32-i386.c +++ b/bfd/elf32-i386.c @@ -5684,9 +5684,9 @@ bad_return: reloc_index = H_GET_32 (abfd, (plt_contents + plt_offset + bed->plt->plt_reloc_offset)); reloc_index /= sizeof (Elf32_External_Rel); - if (reloc_index >= count) - abort (); - plt_sym_val[reloc_index] = plt->vma + plt_offset; + if (reloc_index < count) + plt_sym_val[reloc_index] = plt->vma + plt_offset; + plt_offset += bed->plt->plt_entry_size; /* PR binutils/18437: Skip extra relocations in the .rel.plt diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c index 37528be..88ed00e 100644 --- a/bfd/elf64-x86-64.c +++ b/bfd/elf64-x86-64.c 
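Review bot: The new `if (reloc_index < count)` guard in the elf32-i386.c hunk skips an out-of-range index silently, and nothing at that line says this is deliberate tolerance of corrupt or hand-crafted input rather than an unreachable case, so a later reader could well put the abort back. A one-line comment above the check would pin the intent, e.g. `/* An out-of-range index comes from bad input; leave this entry alone rather than abort.  */`. What value the skipped plt_sym_val slot then holds depends on how the caller initialised the array, which is outside the hunk, as is the declaration of reloc_index and the rest of elf_i386_get_plt_sym_val.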
@@ -6066,19 +6066,20 @@ bad_return: reloc_index = H_GET_32 (abfd, (plt_contents + plt_offset + bed->plt_reloc_offset)); - if (reloc_index >= count) - abort (); - if (plt_bnd) + if (reloc_index < count) { - /* This is the index in .plt section. */ - long plt_index = plt_offset / bed->plt_entry_size; - /* Store VMA + the offset in .plt.bnd section. */ - plt_sym_val[reloc_index] = - (plt_bnd->vma - + (plt_index - 1) * sizeof (elf_x86_64_legacy_plt2_entry)); + if (plt_bnd) + { + /* This is the index in .plt section. */ + long plt_index = plt_offset / bed->plt_entry_size; + /* Store VMA + the offset in .plt.bnd section. */ + plt_sym_val[reloc_index] = + (plt_bnd->vma + + (plt_index - 1) * sizeof (elf_x86_64_legacy_plt2_entry)); + } + else + plt_sym_val[reloc_index] = plt->vma + plt_offset; } - else - plt_sym_val[reloc_index] = plt->vma + plt_offset; plt_offset += bed->plt_entry_size; /* PR binutils/18437: Skip extra relocations in the .rela.plt -- 2.7.4
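Review bot: The new `if (reloc_index < count)` check is one-sided, and unlike the elf32-i386.c hunk this path stores the raw H_GET_32 result without dividing it first. If reloc_index is a signed type (its declaration is outside the hunk) whose width equals the 32-bit field on some hosts, a large immediate in the PLT entry becomes negative, passes the check, and `plt_sym_val[reloc_index]` writes before the start of the array, which is exactly the bad-input case the commit sets out to tolerate. Guarding both ends, `if (reloc_index >= 0 && reloc_index < count)`, or comparing as an unsigned type closes that, at the cost of one token. The enclosing loop and elf_x86_64_get_plt_sym_val continue outside the hunk.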