From 3f1a2892e1fea343880b276474cb44db3abcaa9a Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Tue, 7 Sep 2021 09:44:17 +0100
Subject: [PATCH] Fix illegal memory access triggered by an attempt to disassemble a corrupt RISC-V binary.

PR 28303
* elfxx-riscv.c (riscv_elf_add_sub_reloc): Add check for out of range relocs.
---
 bfd/ChangeLog | 6 ++++++
 bfd/elfxx-riscv.c | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 6d551303637..4e53a1f38dc 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2021-09-07 Nick Clifton
+
+ PR 28303
+ * elfxx-riscv.c (riscv_elf_add_sub_reloc): Add check for out of
+ range relocs.
+
 2021-08-10 Nick Clifton * po/sr.po: Updated Serbian translation.
diff --git a/bfd/elfxx-riscv.c b/bfd/elfxx-riscv.c
index 2b8f60caf32..ddcf872d63c 100644
--- a/bfd/elfxx-riscv.c
+++ b/bfd/elfxx-riscv.c
@@ -1002,6 +1002,13 @@ riscv_elf_add_sub_reloc (bfd *abfd,
 relocation = symbol->value + symbol->section->output_section->vma + symbol->section->output_offset + reloc_entry->addend;
+
+ bfd_size_type octets = reloc_entry->address
+ * bfd_octets_per_byte (abfd, input_section);
+ if (!bfd_reloc_offset_in_range (reloc_entry->howto, abfd,
+ input_section, octets))
+ return bfd_reloc_outofrange;
+
 bfd_vma old_value = bfd_get (howto->bitsize, abfd, data + reloc_entry->address);
--
2.30.2
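Review bot: The new range check in the elfxx-riscv.c hunk validates `octets` (the address scaled by `bfd_octets_per_byte`), but the `bfd_get` right after it still indexes with `data + reloc_entry->address`, so the offset that was checked is not the offset that is read. The two agree only when the octets-per-byte factor is 1, which is presumably the case for RISC-V sections, so this is a consistency point rather than a live bug; reading through the checked value, `bfd_get (howto->bitsize, abfd, (bfd_byte *) data + octets)`, keeps the guard and the access tied together. The check could also pass the local `howto` that the following line already uses instead of `reloc_entry->howto`, and a one-line comment such as `/* Reject relocs that point outside the section contents (PR 28303).  */` would record why the early return exists. riscv_elf_add_sub_reloc starts and ends outside this hunk, so any later store through `data + reloc_entry->address` is not visible here and would want the same offset.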