From 5dcae8f603b9379ef1c5f59331987322fd4d2126 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Wed, 26 Oct 2022 17:13:12 +1030
Subject: Correct ELF reloc size sanity check

The external reloc size check was wrong. Here asect is the code/data section, not the reloc section. So using this_hdr gave the size of the code/data section.

	* elf.c (_bfd_elf_get_reloc_upper_bound): Properly get external size from reloc headers.
---
 bfd/elf.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

(limited to 'bfd/elf.c')

diff --git a/bfd/elf.c b/bfd/elf.c
index 7cd7feb..81825b7 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -8708,15 +8708,20 @@ _bfd_elf_get_reloc_upper_bound (bfd *abfd, sec_ptr asect)
   if (asect->reloc_count != 0 && !bfd_write_p (abfd))
     {
       /* Sanity check reloc section size.  */
-      struct bfd_elf_section_data *d = elf_section_data (asect);
-      Elf_Internal_Shdr *rel_hdr = &d->this_hdr;
-      bfd_size_type ext_rel_size = rel_hdr->sh_size;
       ufile_ptr filesize = bfd_get_file_size (abfd);
 
-      if (filesize != 0 && ext_rel_size > filesize)
+      if (filesize != 0)
         {
-          bfd_set_error (bfd_error_file_truncated);
-          return -1;
+          struct bfd_elf_section_data *d = elf_section_data (asect);
+          bfd_size_type rel_size = d->rel.hdr ? d->rel.hdr->sh_size : 0;
+          bfd_size_type rela_size = d->rela.hdr ? d->rela.hdr->sh_size : 0;
+
+          if (rel_size + rela_size > filesize
+              || rel_size + rela_size < rel_size)
+            {
+              bfd_set_error (bfd_error_file_truncated);
+              return -1;
+            }
         }
     }
 
-- 
cgit v1.1
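Review bot: The new inner `if` compares only the combined sh_size of the two reloc headers against filesize, so a reloc section whose sh_size alone fits in the file but whose header places it past EOF (sh_offset + sh_size beyond filesize) still passes this sanity check; if the intent is to reject truncated input rather than only to bound the allocation that follows, comparing each header's sh_offset + sh_size against filesize, with the same wrap-around guard, would be the stricter test. Note also that the check is skipped entirely when bfd_get_file_size returns 0, which the old code did too, so a caller relying on this function alone for truncation detection should not. Minor style point: `rel_size + rela_size` is evaluated twice; `bfd_size_type ext_size = rel_size + rela_size;` followed by `if (ext_size > filesize || ext_size < rel_size)` states the overflow check more plainly. The rest of _bfd_elf_get_reloc_upper_bound lies outside the hunk.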