Fix illegal memory access triggered by an attempt to disassemble a corrupt RISC-V...

	PR 28303
	* elfxx-riscv.c (riscv_elf_add_sub_reloc): Add check for out of
	range relocs.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 6d551303637cc37851343a47eaa3093eeac43d90..4e53a1f38dcb47637da4468254e852c0a5ff4d14 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2021-09-07  Nick Clifton  <nickc@redhat.com>
+
+       PR 28303
+       * elfxx-riscv.c (riscv_elf_add_sub_reloc): Add check for out of
+       range relocs.
+
 2021-08-10  Nick Clifton  <nickc@redhat.com>
 
        * po/sr.po: Updated Serbian translation.

diff --git a/bfd/elfxx-riscv.c b/bfd/elfxx-riscv.c
index 2b8f60caf3286476ea698468e1230dd07836e412..ddcf872d63c3315301b8be819d78b257362afdfd 100644 (file)
--- a/bfd/elfxx-riscv.c
+++ b/bfd/elfxx-riscv.c
@@ -1002,6 +1002,13 @@ riscv_elf_add_sub_reloc (bfd *abfd,
 
   relocation = symbol->value + symbol->section->output_section->vma
     + symbol->section->output_offset + reloc_entry->addend;
+
+  bfd_size_type octets = reloc_entry->address
+    * bfd_octets_per_byte (abfd, input_section);
+  if (!bfd_reloc_offset_in_range (reloc_entry->howto, abfd,
+                                 input_section, octets))
+    return bfd_reloc_outofrange;
+
   bfd_vma old_value = bfd_get (howto->bitsize, abfd,
                               data + reloc_entry->address);