author | Nick Clifton <nickc@redhat.com> | 2015-01-15 16:22:55 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2015-01-15 16:22:55 +0000 |
commit | cd21f5daad4335b50366b838664ade64bec29957 (patch) | |
tree | 51f091bb808e6350a6c63a77cd8a4d5db16769e4 /bfd/elf32-sh.c | |
parent | 2d071cfc6614b4ec30fa4ef8b8af5bdf2c177858 (diff) | |
Fix memory access violations triggered by running objdump on fuzzed binaries.
PR binutils/17512
* elf-m10300.c (mn10300_info_to_howto): Replace assertion with an
error message. Never return an invalid howto pointer.
* elf32-cr16.c (cr16_info_to_howto): Likewise.
* elf32-crx.c (elf_crx_info_to_howto): Likewise.
* elf32-i370.c (i370_elf_info_to_howto): Likewise.
* elf32-mcore.c (mcore_elf_info_to_howto): Likewise.
* elf32-microblaze.c (microblaze_elf_info_to_howto): Likewise.
* elf32-mips.c (mips_elf32_rtype_to_howto): Likewise.
* elf32-pj.c (pj_elf_info_to_howto): Likewise.
* elf32-ppc.c (ppc_elf_info_to_howto): Likewise.
* elf32-spu.c (spu_elf_info_to_howto): Likewise.
* elf32-v850.c (v850_elf_info_to_howto_rela): Likewise.
* elf32-vax.c (rtype_to_howto): Likewise.
* elf64-alpha.c (elf64_alpha_info_to_howto): Likewise.
* elf64-mips.c (mips_elf64_rtype_to_howto): Likewise.
* elfn32-mips.c (sh_elf_info_to_howto): Likewise.
* elf32-sh.c (sh_elf_info_to_howto): Likewise.
(sh_elf_reloc): Check that the reloc is in range.
* reloc.c (bfd_perform_relocation): Check that the section is big
enough for the entire reloc.
(bfd_generic_get_relocated_section_contents): Report unexpected
return values from perform_reloc.
Diffstat (limited to 'bfd/elf32-sh.c')
-rw-r--r-- | bfd/elf32-sh.c | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/bfd/elf32-sh.c b/bfd/elf32-sh.c
index 04e588d..a13a6f6 100644
--- a/bfd/elf32-sh.c
+++ b/bfd/elf32-sh.c
@@ -255,6 +255,13 @@ sh_elf_reloc (bfd *abfd, arelent *reloc_entry, asymbol *symbol_in,
 && bfd_is_und_section (symbol_in->section))
 return bfd_reloc_undefined;
+ /* PR 17512: file: 9891ca98. */
+ if (addr > bfd_get_section_limit (abfd, input_section)
+ - bfd_get_reloc_size (reloc_entry->howto)
+ || bfd_get_reloc_size (reloc_entry->howto)
+ > bfd_get_section_limit (abfd, input_section))
+ return bfd_reloc_outofrange;
+
 if (bfd_is_com_section (symbol_in->section))
 sym_value = 0;
 else
@@ -474,13 +481,19 @@ sh_elf_info_to_howto (bfd *abfd, arelent *cache_ptr, Elf_Internal_Rela *dst)
 r = ELF32_R_TYPE (dst->r_info);
- BFD_ASSERT (r < (unsigned int) R_SH_max);
- BFD_ASSERT (r < R_SH_FIRST_INVALID_RELOC || r > R_SH_LAST_INVALID_RELOC);
- BFD_ASSERT (r < R_SH_FIRST_INVALID_RELOC_2 || r > R_SH_LAST_INVALID_RELOC_2);
- BFD_ASSERT (r < R_SH_FIRST_INVALID_RELOC_3 || r > R_SH_LAST_INVALID_RELOC_3);
- BFD_ASSERT (r < R_SH_FIRST_INVALID_RELOC_4 || r > R_SH_LAST_INVALID_RELOC_4);
- BFD_ASSERT (r < R_SH_FIRST_INVALID_RELOC_5 || r > R_SH_LAST_INVALID_RELOC_5);
- BFD_ASSERT (r < R_SH_FIRST_INVALID_RELOC_6 || r > R_SH_LAST_INVALID_RELOC_6);
+ if (r >= R_SH_max
+ || (r >= R_SH_FIRST_INVALID_RELOC && r <= R_SH_LAST_INVALID_RELOC)
+ || (r >= R_SH_FIRST_INVALID_RELOC_2 && r <= R_SH_LAST_INVALID_RELOC_2)
+ || (r >= R_SH_FIRST_INVALID_RELOC_3 && r <= R_SH_LAST_INVALID_RELOC_3)
+ || (r >= R_SH_FIRST_INVALID_RELOC_4 && r <= R_SH_LAST_INVALID_RELOC_4)
+ || (r >= R_SH_FIRST_INVALID_RELOC_5 && r <= R_SH_LAST_INVALID_RELOC_5)
+ || (r >= R_SH_FIRST_INVALID_RELOC_6 && r <= R_SH_LAST_INVALID_RELOC_6))
+ {
+ (*_bfd_error_handler) (_("%A: unrecognised SH reloc number: %d"),
+ abfd, r);
+ bfd_set_error (bfd_error_bad_value);
+ r = R_SH_NONE;
+ }
 cache_ptr->howto = get_howto_table (abfd) + r;
 } |
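Review bot: In the range check added to sh_elf_reloc, the subtraction `bfd_get_section_limit (abfd, input_section) - bfd_get_reloc_size (reloc_entry->howto)` is evaluated before the clause that tests whether the reloc size exceeds the section limit. Assuming both values are unsigned, as they are elsewhere in BFD, a reloc wider than the section makes that difference wrap, and the check is correct only because the second clause then catches the case. Putting the size test first, `if (bfd_get_reloc_size (reloc_entry->howto) > bfd_get_section_limit (abfd, input_section) || addr > bfd_get_section_limit (abfd, input_section) - bfd_get_reloc_size (reloc_entry->howto))`, reads in the order that is safe and stays correct if a later edit drops a clause. The comment `/* PR 17512: file: 9891ca98. */` names only the fuzz case, so a few words on what is being bounded would help. sh_elf_reloc starts and ends outside the hunk, so the declaration of `addr` is not visible here.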
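Review bot: The fallback in sh_elf_info_to_howto replaces an unrecognised relocation type with R_SH_NONE, and the only failure signal is `bfd_set_error (bfd_error_bad_value)`. No return value appears in the hunk, so a caller that does not consult the BFD error state would presumably treat the malformed relocation as a deliberate no-op. That is harmless for a dumper but worth stating for consumers that go on to apply relocations. I would add a comment above the assignment, `/* Keep the howto pointer inside the table; callers must check bfd_get_error () to notice the bad reloc. */`. The message prints `r` with `%d` while the removed assertion cast `R_SH_max` to unsigned int; the declaration of `r` is outside the hunk, so confirm the specifier matches its type.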