From 4939c49d213c760406f2ad0178ddb3461b618eb9 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Thu, 5 Aug 2021 17:19:08 +0930
Subject: [PATCH] PR28165, buffer overflow in elf32-rx.c:rx_info_to_howto_rela
PR 28165
* elf32-rx.c (rx_elf_howto_table): Add missing empty entries. (rx_info_to_howto_rela): Assert rx_elf_howto_table is correct size. Use actual size when sanity checking r_type.
---
 bfd/elf32-rx.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/bfd/elf32-rx.c b/bfd/elf32-rx.c
index 771863590d5..0df790406fc 100644
--- a/bfd/elf32-rx.c
+++ b/bfd/elf32-rx.c
@@ -211,7 +211,17 @@ static reloc_howto_type rx_elf_howto_table [] =
 RXREL (OPshla, 2, 32, 0, dont, false),
 RXREL (OPshra, 2, 32, 0, dont, false),
 RXREL (OPsctsize, 2, 32, 0, dont, false),
+
+ EMPTY_HOWTO (0x89),
+ EMPTY_HOWTO (0x8a),
+ EMPTY_HOWTO (0x8b),
+ EMPTY_HOWTO (0x8c),
+
 RXREL (OPscttop, 2, 32, 0, dont, false),
+
+ EMPTY_HOWTO (0x8e),
+ EMPTY_HOWTO (0x8f),
+
 RXREL (OPand, 2, 32, 0, dont, false),
 RXREL (OPor, 2, 32, 0, dont, false),
 RXREL (OPxor, 2, 32, 0, dont, false),
@@ -307,7 +317,8 @@ rx_info_to_howto_rela (bfd * abfd,
 unsigned int r_type;
 r_type = ELF32_R_TYPE (dst->r_info);
- if (r_type >= (unsigned int) R_RX_max)
+ BFD_ASSERT (R_RX_max == ARRAY_SIZE (rx_elf_howto_table));
+ if (r_type >= ARRAY_SIZE (rx_elf_howto_table))
 {
 /* xgettext:c-format */
 _bfd_error_handler (_("%pB: unsupported relocation type %#x"),
-- 
2.30.2
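Review bot: The `EMPTY_HOWTO (0x89)` to `EMPTY_HOWTO (0x8f)` slots added in the first hunk keep `rx_elf_howto_table` aligned with the relocation numbers by position only, and nothing in the table says so. A later edit that adds or drops an entry could shift every following howto again without any visible sign. I would put a comment above the first run, e.g. `/* Placeholders: the table appears to be indexed by relocation number, so unassigned numbers still need a slot. */`. An r_type read from an input file that lands on one of these slots now passes the range check in rx_info_to_howto_rela, so it is worth confirming that the code past the visible hunk treats an empty howto as unsupported rather than using it.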
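Review bot: In the second hunk, `BFD_ASSERT (R_RX_max == ARRAY_SIZE (rx_elf_howto_table));` evaluates a compile-time constant at run time on every call, so a drifted table is only reported once a relocation is actually processed. The `if` below it now bounds r_type by the real array size, which closes the out-of-bounds index whether or not the assertion holds. A file-scope check placed right after the table would catch the mismatch at build time, for example `_Static_assert (ARRAY_SIZE (rx_elf_howto_table) == R_RX_max, "rx_elf_howto_table size");` if the project's minimum C standard allows it. The body of rx_info_to_howto_rela continues outside the hunk, and any other user of the table in this file that still bounds by `R_RX_max` is not visible here and should be checked for the same assumption.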