From: Alan Modra
To: bfd-cvs@sourceware.org
Subject: [binutils-gdb] Re: bfd_elf_set_group_contents assertion
Date: Tue, 23 Aug 2022 09:05:06 +0000 (GMT)
Message-Id: <20220823090506.CE7DE3858C50@sourceware.org>
X-Act-Checkin: binutils-gdb
X-Git-Author: Alan Modra
X-Git-Refname: refs/heads/master
X-Git-Oldrev: 25ee24d990d6beb3fb01c673fcf13e0ea1522c5b
X-Git-Newrev: 6ecc36f7b7a29952579a49dc3d90f6871c6ab238

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6ecc36f7b7a29952579a49dc3d90f6871c6ab238

commit 6ecc36f7b7a29952579a49dc3d90f6871c6ab238
Author: Alan Modra
Date:   Tue Aug 23 18:24:36 2022 +0930

    Re: bfd_elf_set_group_contents assertion

    Further to commit 7744e3278b9f.

            * elf.c (bfd_elf_set_group_contents): Restrict loc in loop writing
            contents, and add another assertion.

Diff: --- bfd/elf.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/bfd/elf.c b/bfd/elf.c index 35aa45e3b90..f186a2cffe9 100644 --- a/bfd/elf.c +++ b/bfd/elf.c @@ -3594,6 +3594,8 @@ bfd_elf_set_group_contents (bfd *abfd, asection *sec,= void *failedptrarg) { elf_sec->rel.hdr->sh_flags |=3D SHF_GROUP; loc -=3D 4; + if (loc =3D=3D sec->contents) + break; H_PUT_32 (abfd, elf_sec->rel.idx, loc); } if (elf_sec->rela.hdr !=3D NULL 
@@ -3603,9 +3605,13 @@ bfd_elf_set_group_contents (bfd *abfd, asection *sec= , void *failedptrarg) { elf_sec->rela.hdr->sh_flags |=3D SHF_GROUP; loc -=3D 4; + if (loc =3D=3D sec->contents) + break; H_PUT_32 (abfd, elf_sec->rela.idx, loc); } loc -=3D 4; + if (loc =3D=3D sec->contents) + break; H_PUT_32 (abfd, elf_sec->this_idx, loc); } elt =3D elf_next_in_group (elt); @@ -3613,12 +3619,20 @@ bfd_elf_set_group_contents (bfd *abfd, asection *se= c, void *failedptrarg) break; } =20 - loc -=3D 4; - if (loc !=3D sec->contents) + /* We should always get here with loc =3D=3D sec->contents + 4, but it is + possible to craft bogus SHT_GROUP sections that will cause segfaults + in objcopy without checking loc here and in the loop above. */ + if (loc =3D=3D sec->contents) + BFD_ASSERT (0); + else { - BFD_ASSERT (0); - memset (sec->contents + 4, 0, loc - sec->contents); - loc =3D sec->contents; + loc -=3D 4; + if (loc !=3D sec->contents) + { + BFD_ASSERT (0); + memset (sec->contents + 4, 0, loc - sec->contents); + loc =3D sec->contents; + } } =20 H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
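Review bot: in the first hunk (@@ -3594, the rel.hdr block) the new `if (loc == sec->contents) break;` only stops the walk when loc lands exactly on sec->contents, so it protects the buffer only if sec->size is a multiple of 4; a crafted SHT_GROUP section whose size is not, would step loc past the start of contents without ever matching, and the following H_PUT_32 would still write before the buffer. Unless the caller already guarantees the size is a multiple of 4, check the remaining byte count before decrementing (e.g. `if (loc - sec->contents < 8) break;` ahead of `loc -= 4;`) instead of testing for equality afterwards. Note also that `sh_flags |= SHF_GROUP` has already been applied when the break fires, so a truncated group leaves a reloc section flagged as a member whose index was never written.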
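Review bot: in the second hunk (@@ -3603) the `loc -= 4; if (loc == sec->contents) break;` pair now appears three times per iteration (rela, this_idx, and rel in the hunk above), each after its side effect has happened. Checking once per element is simpler and avoids breaking half way through it: count the words this element needs (1 for this_idx, plus 1 each for rel.hdr and rela.hdr), and break before touching any sh_flags if `loc - sec->contents` is smaller than 4 times that count plus 4 for the flags word. As written, a break in the rela block leaves rela.hdr marked SHF_GROUP with rel.idx already emitted but this_idx for the same section never written, which is a partially emitted group rather than a cleanly truncated one.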
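Review bot: in the third hunk (@@ -3613) the bogus-group case (loc == sec->contents on loop exit) only does `BFD_ASSERT (0)`, which reports and continues, and then falls through to write the GRP_COMDAT/flags word at loc anyway, so a crafted group is emitted truncated with no error returned to the caller. The function already receives `void *failedptrarg` (in the hunk header); set the failure flag through it in both assertion branches so objcopy reports the malformed group instead of silently writing it. The new comment gives the symptom ("segfaults in objcopy"); stating the invariant being enforced (every member index plus the flags word must fit within sec->size, leaving loc == sec->contents + 4) would make the check easier to maintain, and once the first branch signals failure the `else` wrapper around the existing `loc -= 4; if (loc != sec->contents)` block can be dropped.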