Fix illegal memory access implementing relocs in a fuzzed x86_64 object file.
PR 30560
* elf64-x86-64.c (elf_x86_64_relocate_section): Add more checks for a valid relocation offset.
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 1f9b7ec..4fed6e1 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2023-06-19 Nick Clifton <nickc@redhat.com>
+
+ PR 30560
+ * elf64-x86-64.c (elf_x86_64_relocate_section): Add more checks
+ for a valid relocation offset.
+
2023-06-07 Nick Clifton <nickc@redhat.com>
PR 30499
diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index dd987ee..f926464 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -3501,6 +3501,9 @@
{
bfd_vma roff = rel->r_offset;
+ if (roff >= input_section->size)
+ goto corrupt_input;
+
BFD_ASSERT (! unresolved_reloc);
if (r_type == R_X86_64_TLSGD)
@@ -3541,6 +3544,8 @@
int largepic = 0;
if (ABI_64_P (output_bfd))
{
+ if (roff + 5 >= input_section->size)
+ goto corrupt_input;
if (contents[roff + 5] == 0xb8)
{
if (roff < 3
@@ -3576,6 +3581,10 @@
"\x64\x8b\x04\x25\0\0\0\0\x48\x8d\x80\0\0\0",
15);
}
+
+ if (roff + 8 + largepic >= input_section->size)
+ goto corrupt_input;
+
bfd_put_32 (output_bfd,
elf_x86_64_tpoff (info, relocation),
contents + roff + 8 + largepic);
@@ -3633,12 +3642,18 @@
}
if (prefix)
{
+ if (roff + 2 >= input_section->size)
+ goto corrupt_input;
+
bfd_put_8 (output_bfd, 0x0f, contents + roff);
bfd_put_8 (output_bfd, 0x1f, contents + roff + 1);
bfd_put_8 (output_bfd, 0x00, contents + roff + 2);
}
else
{
+ if (roff + 1 >= input_section->size)
+ goto corrupt_input;
+
bfd_put_8 (output_bfd, 0x66, contents + roff);
bfd_put_8 (output_bfd, 0x90, contents + roff + 1);
}
