Date: Wed, 26 Oct 2022 17:23:12 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: Correct ELF reloc size sanity check

The external reloc size check was wrong.  Here asect is the code/data
section, not the reloc section.  So using this_hdr gave the size of the
code/data section.

	* elf.c (_bfd_elf_get_reloc_upper_bound): Properly get external
	size from reloc headers.

diff --git a/bfd/elf.c b/bfd/elf.c
index 7cd7febcf95..81825b748d7 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -8708,15 +8708,20 @@ _bfd_elf_get_reloc_upper_bound (bfd *abfd, sec_ptr asect) if (asect->reloc_count != 0 && !bfd_write_p (abfd)) { /* Sanity check reloc section size. */ - struct bfd_elf_section_data *d = elf_section_data (asect); - Elf_Internal_Shdr *rel_hdr = &d->this_hdr; - bfd_size_type ext_rel_size = rel_hdr->sh_size; ufile_ptr filesize = bfd_get_file_size (abfd); - if (filesize != 0 && ext_rel_size > filesize) + if (filesize != 0) { - bfd_set_error (bfd_error_file_truncated); - return -1; + struct bfd_elf_section_data *d = elf_section_data (asect); + bfd_size_type rel_size = d->rel.hdr ? d->rel.hdr->sh_size : 0; + bfd_size_type rela_size = d->rela.hdr ? d->rela.hdr->sh_size : 0; + + if (rel_size + rela_size > filesize + || rel_size + rela_size < rel_size) + { + bfd_set_error (bfd_error_file_truncated); + return -1; + } } } -- Alan Modra Australia Development Lab, IBM
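Review bot: the second clause of the new condition, `|| rel_size + rela_size < rel_size`, is an unsigned-wraparound guard on the sum and deserves a one-line comment saying so, since on its own it reads like a typo. More substantively, the bound only compares the combined sh_size of the .rel and .rela headers against the file size and ignores sh_offset, so a reloc section whose size fits the file but whose offset plus size does not still passes this check and is only rejected when the relocs are actually read; if that is the intent, a comment that this is a coarse pre-allocation sanity check, not a full bounds check, would help. Note also that the whole check is still skipped when bfd_get_file_size returns 0, as it was before the patch.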