Fix an illegal memory access when accessing corrupt dynamic secondary relocations.

	PR 26931
	* elf-bfd.h (struct elf_backend_data): Add bfd_boolean field to
	slurp_secondary_relocs field.
	(_bfd_elf_slurp_secondary_reloc_section): Update prototype.
	* elf.c (_bfd_elf_slurp_secondary_reloc_section): Add new
	parameter.  Compute number of symbols based upon the new
	parameter.
	* elfcode.h (elf_slurp_reloc_table): Pass dynamic as new
	parameter.

4 files changed, 23 insertions, 8 deletions

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 6a552c7..d47d518 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,15 @@
+2020-11-23  Nick Clifton  <nickc@redhat.com>
+
+	PR 26931
+	* elf-bfd.h (struct elf_backend_data): Add bfd_boolean field to
+	slurp_secondary_relocs field.
+	(_bfd_elf_slurp_secondary_reloc_section): Update prototype.
+	* elf.c (_bfd_elf_slurp_secondary_reloc_section): Add new
+	parameter.  Compute number of symbols based upon the new
+	parameter.
+	* elfcode.h (elf_slurp_reloc_table): Pass dynamic as new
+	parameter.
+
 2020-11-23  H.J. Lu  <hongjiu.lu@intel.com>
 
 	PR ld/26918
diff --git a/bfd/elf-bfd.h b/bfd/elf-bfd.h
index ffb75f7..e8455d1 100644
--- a/bfd/elf-bfd.h
+++ b/bfd/elf-bfd.h
@@ -1571,7 +1571,7 @@ struct elf_backend_data
 					       const char *, unsigned int);
 
   /* Called when after loading the normal relocs for a section.  */
-  bfd_boolean (*slurp_secondary_relocs) (bfd *, asection *, asymbol **);
+  bfd_boolean (*slurp_secondary_relocs) (bfd *, asection *, asymbol **, bfd_boolean);
 
   /* Called after writing the normal relocs for a section.  */
   bfd_boolean (*write_secondary_relocs) (bfd *, asection *);
@@ -2919,7 +2919,7 @@ extern bfd_boolean is_debuginfo_file (bfd *);
 extern bfd_boolean _bfd_elf_init_secondary_reloc_section
   (bfd *, Elf_Internal_Shdr *, const char *, unsigned int);
 extern bfd_boolean _bfd_elf_slurp_secondary_reloc_section
-  (bfd *, asection *, asymbol **);
+  (bfd *, asection *, asymbol **, bfd_boolean);
 extern bfd_boolean _bfd_elf_copy_special_section_fields
   (const bfd *, bfd *, const Elf_Internal_Shdr *, Elf_Internal_Shdr *);
 extern bfd_boolean _bfd_elf_write_secondary_reloc_section
diff --git a/bfd/elf.c b/bfd/elf.c
index 9624df7..dbff0f2 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -12560,9 +12560,10 @@ _bfd_elf_init_secondary_reloc_section (bfd * abfd,
 /* Read in any secondary relocs associated with SEC.  */
 
 bfd_boolean
-_bfd_elf_slurp_secondary_reloc_section (bfd *      abfd,
-					asection * sec,
-					asymbol ** symbols)
+_bfd_elf_slurp_secondary_reloc_section (bfd *       abfd,
+					asection *  sec,
+					asymbol **  symbols,
+					bfd_boolean dynamic)
 {
   const struct elf_backend_data * const ebd = get_elf_backend_data (abfd);
   asection * relsec;
@@ -12641,7 +12642,10 @@ _bfd_elf_slurp_secondary_reloc_section (bfd *      abfd,
 	      continue;
 	    }
 
-	  symcount = bfd_get_symcount (abfd);
+	  if (dynamic)
+	    symcount = bfd_get_dynamic_symcount (abfd);
+	  else
+	    symcount = bfd_get_symcount (abfd);
 
 	  for (i = 0, internal_reloc = internal_relocs,
 		 native_reloc = native_relocs;
@@ -12688,7 +12692,6 @@ _bfd_elf_slurp_secondary_reloc_section (bfd *      abfd,
 		  asymbol **ps;
 
 		  ps = symbols + r_sym (rela.r_info) - 1;
-
 		  internal_reloc->sym_ptr_ptr = ps;
 		  /* Make sure that this symbol is not removed by strip.  */
 		  (*ps)->flags |= BSF_KEEP;
diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index 606ff64..c7da8f6 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -1603,7 +1603,7 @@ elf_slurp_reloc_table (bfd *abfd,
 					      symbols, dynamic))
     return FALSE;
 
-  if (!bed->slurp_secondary_relocs (abfd, asect, symbols))
+  if (!bed->slurp_secondary_relocs (abfd, asect, symbols, dynamic))
     return FALSE;
 
   asect->relocation = relents;