Fix a memory access violation triggeed by a fuzzed binary.

PR binutils/17512 * format.c (bfd_check_format_matches): Check for a matching vector before using match priorities. * mach-o.c (bfd_mach_o_canonicalize_one_reloc): Fix off-by-one errors with previous delta.
2014-12-16 14:17:15 +00:00 · 2014-12-16 14:17:15 +00:00 · 033539e268
parent beed38b827
commit 033539e268
3 changed files with 13 additions and 3 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,11 @@
+2014-12-16  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/17512
+	* format.c (bfd_check_format_matches): Check for a matching vector
+	before using match priorities.
+	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Fix off-by-one
+	errors with previous delta.
+
 2014-12-15  H.J. Lu  <hongjiu.lu@intel.com>

 	PR ld/17713
--- a/bfd/format.c
+++ b/bfd/format.c
@ -402,7 +402,7 @@ bfd_check_format_matches (bfd *abfd, bfd_format format, char ***matching)
  /* We still have more than one equally good match, and at least some
     of the targets support match priority.  Choose the first of the
     best matches.  */
-  if (match_count > 1 && best_count != match_count)
+  if (matching_vector && match_count > 1 && best_count != match_count)
    {
      int i;

--- a/bfd/mach-o.c
+++ b/bfd/mach-o.c
@ -1350,7 +1350,7 @@ bfd_mach_o_canonicalize_one_reloc (bfd *abfd,
      if (reloc.r_extern)
 	{
 	  /* PR 17512: file: 8396-1185-0.004.  */
-	  if (num >= bfd_get_symcount (abfd))
+	  if (bfd_get_symcount (abfd) > 0 && num > bfd_get_symcount (abfd))
 	    sym = bfd_und_section_ptr->symbol_ptr_ptr;
 	  else
 	    /* An external symbol number.  */
@ -1368,7 +1368,7 @@ bfd_mach_o_canonicalize_one_reloc (bfd *abfd,
      else
        {
 	  /* PR 17512: file: 006-2964-0.004.  */
-	  if (num >= mdata->nsects)
+	  if (num > mdata->nsects)
 	    return -1;
 	  
 	  /* A section number.  */
@ -1400,6 +1400,7 @@ bfd_mach_o_canonicalize_one_reloc (bfd *abfd,

  if (!(*bed->_bfd_mach_o_swap_reloc_in)(res, &reloc))
    return -1;
+
  return 0;
 }

@ -1414,6 +1415,7 @@ bfd_mach_o_canonicalize_relocs (bfd *abfd, unsigned long filepos,

  /* Allocate and read relocs.  */
  native_size = count * BFD_MACH_O_RELENT_SIZE;
+
  native_relocs =
    (struct mach_o_reloc_info_external *) bfd_malloc (native_size);
  if (native_relocs == NULL)