PR28403, null pointer dereference in disassemble_bytes

Indexing of symbol and howto arrays wasn't checked in aout targets. PR 28403 * aout-ns32k.c (MY (reloc_howto)): Sanity check howto_table index. Make r_index unsigned. (MY_swap_std_reloc_in): Make r_index unsigned. * aoutx.h (MOVE_ADDRESS): Sanity check symbol r_index. (aout_link_input_section_std): Make r_index unsigned. (aout_link_input_section_ext): Likewise. * i386lynx.c (MOVE_ADDRESS): Sanity check symbol r_index. (swap_ext_reloc_in, swap_std_reloc_in): Make r_index unsigned. * pdp11.c (MOVE_ADDRESS): Sanity check symbol r_index.
2025-06-24 20:28:28 +08:00 · 2021-10-06 10:17:29 +10:30
parent 55e3926e79
commit 0a6041ce93
4 changed files with 45 additions and 39 deletions
--- a/bfd/aout-ns32k.c
+++ b/bfd/aout-ns32k.c
@ -143,12 +143,12 @@ reloc_howto_type MY (howto_table)[] =
 static reloc_howto_type *
 MY (reloc_howto) (bfd *abfd ATTRIBUTE_UNUSED,
 		  struct reloc_std_external *rel,
-		  int *r_index,
+		  unsigned int *r_index,
 		  int *r_extern,
 		  int *r_pcrel)
 {
  unsigned int r_length;
-  int r_ns32k_type;
+  unsigned int r_ns32k_type;

  *r_index =  ((rel->r_index[2] << 16)
 	       | (rel->r_index[1] << 8)
@ -159,6 +159,8 @@ MY (reloc_howto) (bfd *abfd ATTRIBUTE_UNUSED,
 		>> RELOC_STD_BITS_LENGTH_SH_LITTLE);
  r_ns32k_type  =  ((rel->r_type[0] & RELOC_STD_BITS_NS32K_TYPE_LITTLE)
 		    >> RELOC_STD_BITS_NS32K_TYPE_SH_LITTLE);
+  if (r_length > 2 || r_ns32k_type > 2)
+    return NULL;
  return (MY (howto_table) + r_length + 3 * (*r_pcrel) + 6 * r_ns32k_type);
 }

@ -271,7 +273,7 @@ MY_swap_std_reloc_in (bfd *abfd,
 		      asymbol **symbols,
 		      bfd_size_type symcount ATTRIBUTE_UNUSED)
 {
-  int r_index;
+  unsigned int r_index;
  int r_extern;
  int r_pcrel;
  struct aoutdata  *su = &(abfd->tdata.aout_data->a);
--- a/bfd/aoutx.h
+++ b/bfd/aoutx.h
@ -2130,6 +2130,7 @@ NAME (aout, swap_ext_reloc_out) (bfd *abfd,
  if (r_extern)								\
    {									\
      /* Undefined symbol.  */						\
+      if (r_index < bfd_get_symcount (abfd))				\
 	cache_ptr->sym_ptr_ptr = symbols + r_index;			\
      cache_ptr->addend = ad;						\
    }									\
@ -4021,7 +4022,7 @@ aout_link_input_section_std (struct aout_final_link_info *flaginfo,
  for (; rel < rel_end; rel++)
    {
      bfd_vma r_addr;
-      int r_index;
+      unsigned int r_index;
      int r_extern;
      int r_pcrel;
      int r_baserel = 0;
@ -4133,7 +4134,7 @@ aout_link_input_section_std (struct aout_final_link_info *flaginfo,
 		     map.  */
 		  r_index = symbol_map[r_index];

-		  if (r_index == -1)
+		  if (r_index == -1u)
 		    {
 		      if (h != NULL)
 			{
@ -4369,7 +4370,7 @@ aout_link_input_section_ext (struct aout_final_link_info *flaginfo,
  for (; rel < rel_end; rel++)
    {
      bfd_vma r_addr;
-      int r_index;
+      unsigned int r_index;
      int r_extern;
      unsigned int r_type;
      bfd_vma r_addend;
@ -4469,7 +4470,7 @@ aout_link_input_section_ext (struct aout_final_link_info *flaginfo,
 		     map.  */
 		  r_index = symbol_map[r_index];

-		  if (r_index == -1)
+		  if (r_index == -1u)
 		    {
 		      if (h != NULL)
 			{
--- a/bfd/i386lynx.c
+++ b/bfd/i386lynx.c
@ -283,6 +283,7 @@ NAME(lynx,swap_ext_reloc_out) (bfd *abfd,
  if (r_extern)								\
    {									\
      /* undefined symbol */						\
+      if (r_index < bfd_get_symcount (abfd))				\
 	cache_ptr->sym_ptr_ptr = symbols + r_index;			\
      cache_ptr->addend = ad;						\
    }									\
@ -290,7 +291,8 @@ NAME(lynx,swap_ext_reloc_out) (bfd *abfd,
    {									\
      /* defined, section relative. replace symbol with pointer to	\
 	 symbol which points to section  */				\
-    switch (r_index) {							\
+      switch (r_index)							\
+	{								\
 	case N_TEXT:							\
 	case N_TEXT | N_EXT:						\
 	  cache_ptr->sym_ptr_ptr  = obj_textsec(abfd)->symbol_ptr_ptr;	\
@ -322,7 +324,7 @@ NAME(lynx,swap_ext_reloc_in) (bfd *abfd,
 			      asymbol **symbols,
 			      bfd_size_type symcount ATTRIBUTE_UNUSED)
 {
-  int r_index;
+  unsigned int r_index;
  int r_extern;
  unsigned int r_type;
  struct aoutdata *su = &(abfd->tdata.aout_data->a);
@ -345,7 +347,7 @@ NAME(lynx,swap_std_reloc_in) (bfd *abfd,
 			      asymbol **symbols,
 			      bfd_size_type symcount ATTRIBUTE_UNUSED)
 {
-  int r_index;
+  unsigned int r_index;
  int r_extern;
  unsigned int r_length;
  int r_pcrel;
--- a/bfd/pdp11.c
+++ b/bfd/pdp11.c
@ -1862,6 +1862,7 @@ pdp11_aout_swap_reloc_out (bfd *abfd, arelent *g, bfd_byte *natptr)
  if (r_extern)								\
    {									\
      /* Undefined symbol.  */						\
+      if (r_index < bfd_get_symcount (abfd))				\
 	cache_ptr->sym_ptr_ptr = symbols + r_index;			\
      cache_ptr->addend = ad;						\
    }									\