From: Alan Modra <amodra@gmail.com>
Date: Sat, 17 Mar 2018 07:19:12 +0000 (+1030)
Subject: Don't exceed reloc array bounds
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=675e28092f9d92c56c38d40d13ad5b766bdede05;p=binutils-gdb.git

Don't exceed reloc array bounds

	* elf64-ppc.c (ppc64_elf_relocate_section): Don't access rel[1]
	without first checking array bounds.
	* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
---

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 1850d200ddb..684648131b2 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2018-03-21  Alan Modra  <amodra@gmail.com>
+
+	* elf64-ppc.c (ppc64_elf_relocate_section): Don't access rel[1]
+	without first checking array bounds.
+	* elf32-ppc.c (ppc_elf_relocate_section): Likewise.
+
 2018-03-20  H.J. Lu  <hongjiu.lu@intel.com>
 
 	PR ld/22983
diff --git a/bfd/elf32-ppc.c b/bfd/elf32-ppc.c
index 66bbf0d8691..182dc2a8458 100644
--- a/bfd/elf32-ppc.c
+++ b/bfd/elf32-ppc.c
@@ -8000,7 +8000,8 @@ ppc_elf_relocate_section (bfd *output_bfd,
 	  break;
 
 	case R_PPC_TLSGD:
-	  if ((tls_mask & TLS_TLS) != 0 && (tls_mask & TLS_GD) == 0)
+	  if ((tls_mask & TLS_TLS) != 0 && (tls_mask & TLS_GD) == 0
+	      && rel + 1 < relend)
 	    {
 	      unsigned int insn2;
 	      bfd_vma offset = rel->r_offset;
@@ -8027,7 +8028,8 @@ ppc_elf_relocate_section (bfd *output_bfd,
 	  break;
 
 	case R_PPC_TLSLD:
-	  if ((tls_mask & TLS_TLS) != 0 && (tls_mask & TLS_LD) == 0)
+	  if ((tls_mask & TLS_TLS) != 0 && (tls_mask & TLS_LD) == 0
+	      && rel + 1 < relend)
 	    {
 	      unsigned int insn2;
 
diff --git a/bfd/elf64-ppc.c b/bfd/elf64-ppc.c
index 889bdb0defb..7155aebf253 100644
--- a/bfd/elf64-ppc.c
+++ b/bfd/elf64-ppc.c
@@ -13897,7 +13897,8 @@ ppc64_elf_relocate_section (bfd *output_bfd,
 	  break;
 
 	case R_PPC64_TLSGD:
-	  if (tls_mask != 0 && (tls_mask & TLS_GD) == 0)
+	  if (tls_mask != 0 && (tls_mask & TLS_GD) == 0
+	      && rel + 1 < relend)
 	    {
 	      unsigned int insn2;
 	      bfd_vma offset = rel->r_offset;
@@ -13931,7 +13932,8 @@ ppc64_elf_relocate_section (bfd *output_bfd,
 	  break;
 
 	case R_PPC64_TLSLD:
-	  if (tls_mask != 0 && (tls_mask & TLS_LD) == 0)
+	  if (tls_mask != 0 && (tls_mask & TLS_LD) == 0
+	      && rel + 1 < relend)
 	    {
 	      unsigned int insn2;
 	      bfd_vma offset = rel->r_offset;