From: Alan Modra Date: Wed, 24 Sep 2025 22:52:24 +0000 (+0930) Subject: PR 33452 SEGV in bfd_elf_gc_record_vtentry X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=047435dd988a3975d40c6626a8f739a0b2e154bc;p=thirdparty%2Fbinutils-gdb.git PR 33452 SEGV in bfd_elf_gc_record_vtentry Limit addends on vtentry relocs, otherwise ld might attempt to allocate a stupidly large array. This also fixes the expression overflow leading to pr33452. A vtable of 33M entries on a 64-bit host is surely large enough, especially considering that VTINHERIT and VTENTRY relocations are to support -fvtable-gc that disappeared from gcc over 20 years ago. PR ld/33452 * elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend. --- diff --git a/bfd/elflink.c b/bfd/elflink.c index 54f0d6e957e..0a0456177c2 100644 --- a/bfd/elflink.c +++ b/bfd/elflink.c @@ -14865,7 +14865,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec, const struct elf_backend_data *bed = get_elf_backend_data (abfd); unsigned int log_file_align = bed->s->log_file_align; - if (!h) + if (!h || addend > 1u << 28) { /* xgettext:c-format */ _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),
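Review bot: the limit `1u << 28` in the new condition `if (!h || addend > 1u << 28)` is a bare constant with no comment, and its rationale (a larger addend could make ld try to allocate a huge array, and 33M entries on a 64-bit host is enough) exists only in the commit message. A short comment above the check, or a named constant, would keep that reasoning next to the code. The commit message gives the limit as an entry count on a 64-bit host while the check compares the raw addend, so the comment should also state the unit of the bound. The oversized-addend case now shares the "corrupt VTENTRY entry" message with the null `h` case, so the diagnostic does not say which check fired; printing the rejected addend or using a separate message would make triage of malformed inputs easier. The patch touches only bfd/elflink.c; a regression test built from the PR 33452 reproducer would keep the check from being lost in a later refactor.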