A delay-import symbol (of a function) is resolved when a call to it is made.
The delay loader may overwrite the `__imp_` pointer to the actual function
after it has been resolved, which requires the pointer itself be in a
writeable section.
Previously it was placed in the ordinary Import Address Table (IAT), which
is emitted into the `.idata` section, which had been changed to read-only
in db00f6c3ac, which caused segmentation
faults when functions from delay-import library were called. This is
PR 32675.
This commit makes DLLTOOL emit delay-import IAT into `.didat`, as specified
by Microsoft. Most of the code is copied from `.idata`, except that this
section is writeable. As a side-effect of this, PR 14339 is also fixed.
Using this DEF:
```
; ws2_32.def
LIBRARY "WS2_32.DLL"
EXPORTS
WSAGetLastError
```
and this C program:
```
// delay.c
#define WIN32_LEAN_AND_MEAN 1
#include <windows.h>
#include <stdio.h>
/////////////////////////////////////////////////////////
// User code
/////////////////////////////////////////////////////////
DWORD WINAPI WSAGetLastError(void);
extern PVOID __imp_WSAGetLastError;
int
main(void)
{
fprintf(stderr, "before delay load, __imp_WSAGetLastError = %p\n", __imp_WSAGetLastError);
SetLastError(123);
fprintf(stderr, "WSAGetLastError() = %d\n", WSAGetLastError());
fprintf(stderr, "after delay load, __imp_WSAGetLastError = %p\n", __imp_WSAGetLastError);
__imp_WSAGetLastError = (PVOID) 1234567;
fprintf(stderr, "after plain write, __imp_WSAGetLastError = %p\n", __imp_WSAGetLastError);
}
/////////////////////////////////////////////////////////
// Overridden `__delayLoadHelper2` facility
/////////////////////////////////////////////////////////
extern char __ImageBase[];
PVOID WINAPI ResolveDelayLoadedAPI(PVOID ParentModuleBase, LPCVOID DelayloadDescriptor,
PVOID FailureDllHook, PVOID FailureSystemHook,
FARPROC* ThunkAddress, ULONG Flags);
FARPROC WINAPI DelayLoadFailureHook(LPCSTR name, LPCSTR function);
FARPROC WINAPI __delayLoadHelper2(LPCVOID pidd, FARPROC* ppfnIATEntry)
{
return ResolveDelayLoadedAPI(&__ImageBase, pidd, NULL, (PVOID) DelayLoadFailureHook,
ppfnIATEntry, 0);
}
```
This program used to crash:
```
$ dlltool -nn -d ws2_32.def -y delay_ws2_32.a
$ gcc -g delay.c delay_ws2_32.a -o delay.exe
$ ./delay.exe
before delay load, __imp_WSAGetLastError = 00007FF6937215C6
Segmentation fault
```
After this commit, it loads and calls `WSAGetLastError()` properly, and
`__imp_WSAGetLastError` is writeable:
```
$ dlltool -nn -d ws2_32.def -y delay_ws2_32.a
$ gcc -g delay.c delay_ws2_32.a -o delay.exe
$ ./delay.exe
before delay load, __imp_WSAGetLastError = 00007FF76E2215C6
WSAGetLastError() = 123
after delay load, __imp_WSAGetLastError = 00007FFF191FA720
after plain write, __imp_WSAGetLastError = 000000000012D687
```
Reference: https://learn.microsoft.com/en-us/windows/win32/secbp/pe-metadata#import-handling
Co-authored-by: Jeremy Drake <sourceware-bugzilla@jdrake.com>
Signed-off-by: LIU Hao <lh_mouse@126.com>
Signed-off-by: Jeremy Drake <sourceware-bugzilla@jdrake.com>
While COFF, unlike ELF, doesn't have a generic way to express symbol
size, there is a means to do so for functions. When inputs are ELF,
propagate function sizes, including the fact that a symbol denotes a
function, to the output's symbol table.
Note that this requires hackery (cross-object-format processing) in two
places - when linking, global symbols are entered into a global hash
table, and hence relevant information needs to be updated there in that
case, while otherwise the original symbol structures can be consulted.
For the setting of ->u.syment.n_type the later writing of the field to
literal 0 needs to be dropped from coff_write_alien_symbol(). It was
redundant anyway with an earlier write of the field using C_NUL.
NULL is a possible return from bfd_section_already_linked_table_lookup
if out-of-memory.
PR 32703
* linker.c (_bfd_generic_section_already_linked): Catch
bfd_section_already_linked_table_lookup failure.
* coffgen.c (_bfd_coff_section_already_linked): Likewise.
Commit 8d97c1a53f claimed to replace all einfo calls using %F with
a call to fatal. It did so only for the ld/ directory. This patch
adds a "fatal" to linker callbacks, and replaces those calls in bfd/
too.
bfd_make_readable leaks memory that could be freed by
_free_cached_info except that does too much in releasing all bfd
memory. (The fact that we had to hack around keeping the bfd filename
also indicates that releasing all bfd memory was too much.) So this
patch moves code releasing bfd_alloc'd memory to the COFF
_free_cached_info, where the syms and suchlike are released. This is
the memory that archive handling wants to release in the call there to
bfd_free_cached_info.
* coffgen.c (_bfd_coff_free_cached_info): Release syms.
* opncls.c (_bfd_new_bfd): Correct error return path.
(_bfd_free_cached_info): Don't kill all abfd->memory.
(_bfd_delete_bfd): Adjust fallback for bfd_free_cached_info.
(bfd_make_readable): Call target bfd_free_cached_info and
_bfd_free_cached_info plus reinstate section_htab.
_bfd_coff_free_cached_info should always call
_bfd_generic_bfd_free_cached_info, even if _bfd_coff_free_symbols
returns an error. (It won't return an error here, but let's not leave
anyone wondering about _bfd_coff_free_cached_info.)
* coffgen.c (_bfd_coff_free_cached_info): Ignore return status
of _bfd_coff_free_symbols.
The aout object_p function copies any existing tdata. Apparently this
was done for hp300, an old target that is no longer supported. See
commit ebd2413529. This isn't useful for current sources, nor is it
necessary or useful any more to preserve tdata in object_p functions
when a target doesn't match. When I was fixing this, I noticed some
object_p functions rudely didn't release memory on failures, and
others had nits in the bfd_error returns.
* aoutx.h (some_aout_object_p): Don't restore previous tdata
on failure. Don't copy any existing tdata.
* archive.c (bfd_generic_archive_p): Don't restore previous
tdata on failure.
* pdp11.c (some_aout_object_p): Likewise.
* coff-rs6000.c (_bfd_xcoff_archive_p): Allocate both artdata
and extension in one call. Don't restore previous tdata on
failure.
* coff64-rs6000.c (xcoff64_archive_p): Likewise.
* coffgen.c (coff_real_object_p): Don't restore previous
tdata on failure.
* ihex.c (ihex_object_p): Likewise. Simplify release of tdata
on scan failure.
* mach-o.c (bfd_mach_o_scan): Don't set tdata here. Do set
error on read_command failure.
(bfd_mach_o_header_p): Set tdata here, release on failure.
Tidy bfd_error return values.
(bfd_mach_o_fat_archive_p): Tidy error return values.
* mmo.c (mmo_mkobject): Do not test current tdata.
* pef.c (bfd_pef_scan_start_address): Set bfd_error on
failure.
(bfd_pef_scan): Don't set tdata here.
(bfd_pef_object_p): Set tdata here, release on failure. Tidy
bfd_error return values.
(bfd_pef_xlib_object_p): Tidy bfd_error return values.
* srec.c (srec_object_p): Don't restore previous tdata on
failure. Do release tdata on failure.
(symbolsrec_object_p): Likewise.
* tekhex.c (tekhex_object_p): Don't ignore tekhex_mkobject
failure. Release tdata on failure.
* vms-alpha.c (alpha_vms_object_p): Don't restore previous
tdata on failure. Simplify release of tdata.
* xsym.c (bfd_sym_scan): Don't set tdata here.
(bfd_sym_object_p): Set tdata here. Release on failure.
Commit 68bbe11833 results in a lot of follow up work, much of which
likely is still to be done. (And yes, since this is all for corrupted
or fuzzed object files, a whole lot of work doesn't much benefit
anyone. It was a bad idea to put NULL in asymbol->name.) So I'm
changing the approach to instead put a unique empty string for symbols
with a corrupted st_name. An empty string won't require much work to
ensure nm, objcopy, objdump etc. won't crash, since these tools
already must work with unnamed local symbols.
The unique empty string is called bfd_symbol_error_name. This patch
uses that name string for corrupted symbols in the ELF and COFF
backends. Such symbols are displayed by nm and objdump as the
translated string "<corrupt>", which is what the COFF backend used to
put directly into corrupted symbols.
ie. it's the way I should have written the original patch, plus a few
tides and cleanups I retained from the reverted patches.
A NULL return from bfd_elf_string_from_elf_section indicates an error.
That shouldn't be masked by bfd_elf_sym_name but rather passed up to
callers such as group_signature. If we want to print "(null)" then
that should be done at a higher level. That's what this patch does,
except that I chose to print "<null>" instead, like readelf. If we
see "(null)" we're probably passing a NULL to printf. I haven't
changed aoutx.h or pdp11.c print_symbol functions because they already
handle NULL names by omitting the name. I also haven't changed
mach-o.c, mmo.c, som.c, srec.c, tekhex.c, vms-alpha.c and
wasm-module.c print_symbol function because it looks like they will
never have NULL symbol names.
bfd/
* elf.c (bfd_elf_sym_name): Don't turn a NULL name into a
pointer to "(null)".
(bfd_elf_print_symbol): Print "<null>" for NULL symbol names.
* coffgen.c (coff_print_symbol): Likewise.
* ecoff.c (_bfd_ecoff_print_symbol): Likewise.
* pef.c (bfd_pef_print_symbol): Likewise.
* syms.c (bfd_symbol_info): Return "<null>" in symbol_info.name
if symbol name is NULL.
ld/
* ldlang.c (ld_is_local_symbol): Don't check for "(null)"
symbol name.
Adds two new external authors to etc/update-copyright.py to cover
bfd/ax_tls.m4, and adds gprofng to dirs handled automatically, then
updates copyright messages as follows:
1) Update cgen/utils.scm emitted copyrights.
2) Run "etc/update-copyright.py --this-year" with an extra external
author I haven't committed, 'Kalray SA.', to cover gas testsuite
files (which should have their copyright message removed).
3) Build with --enable-maintainer-mode --enable-cgen-maint=yes.
4) Check out */po/*.pot which we don't update frequently.
A low level function like coff_swap_aux_in really has no business
concatenating multiple auxents for the old PE multi-aux scheme of
handling long file names. In doing so, it assumes multiple internal
auxent buffers are available, which they are not in most calls to
bfd_coff_swap_aux_in, both inside BFD and outside, eg. GDB. Buffer
overflow fun. Concatenating multiple auxents belongs at a higher
level.
This required some changes to coff_get_normalized_symtab, which now
uses the external auxents to access the concatenated file name.
(Internal auxents are larger than the x_fname array, so the pieces of
the file name are not adjacent as they are in the external auxents.)
* coffswap.h (coff_swap_aux_in): Do not write more than one
internal auxent.
* coffcode.h (coff_bigobj_swap_aux_in): Likewise.
* coffgen.c (coff_get_normalized_symtab): Normalize strings
after swapping in each symbol so that external auxents are
available. Use external auxents for multi-aux long file
names. Formatting. Wrap long lines. Remove excess parens
and unnecessary casts. Don't zalloc when only the string
terminator needs zeroing, and memcpy rather than strncpy.
Delete unnecessary sanity check with unsigned _n_offset.
Return with failure if debug section can't be read, to avoid
trying to read it multiple times. Correct sanity check
against debug section size.
A bfd_cleanup function needs to run when only tdata is correct for the
bfd. The xvec may have changed during bfd_check_format and thus the
flavour may be incorrect. The format won't have changed but checking
is superfluous. (In contrast to _bfd_free_cached_info or
_close_and_cleanup where we do need to check things.)
Not getting this correct leaked comdat_hash.
Also, pe_ILF_cleanup ought to call coff_object_cleanup as do all PE
files.
* coffgen.c (coff_object_cleanup): Don't check bfd flavour or
format.
* peicode.h (pe_ILF_cleanup): Call coff_object_cleanup.
These were renamed from bfd_read and bfd_write back in 2001 when they
lost an unnecessary parameter. Rename them back, and get rid of a few
casts that are only needed without prototyped functions (K&R C).
doc/bfdint.texi and comments in the aout and som code about this
function are just wrong, and its name is not very apt. Better would
be _bfd_mostly_destroy, and we certainly should not be saying anything
about the possibility of later recreating anything lost by this
function. What's more, if _bfd_free_cached_info is called when
creating an archive map to reduce memory usage by throwing away
symbols, the target _close_and_cleanup function won't have access to
tdata or section bfd_user_data to tidy memory. This means most of the
target _close_and_cleanup function won't do anything, and therefore
sometimes will result in memory leaks.
This patch fixes the documentation problems and moves most of the
target _close_and_cleanup code to target _bfd_free_cached_info.
Another notable change is that bfd_generic_bfd_free_cached_info is now
defined as _bfd_free_cached_info rather than _bfd_bool_bfd_true,
ie. the default now frees objalloc memory.
The rs6000 backend can call coff_section_from_bfd_index from its
object_p function via coff_set_alignment_hook. If the object doesn't
match, or another target matches too, then the hash table needs to be
freed via a cleanup.
* coffgen.c (coff_object_cleanup): New function.
(coff_real_object_p): Return coff_object_cleanup, and call on
failure path. Move declaration to..
* libcoff-in.h: ..here.
(coff_object_cleanup): Declare.
* coff-stgo32.c (go32exe_cleanup): Call coff_object_cleanup.
(go32exe_check_format): Adjust assertion.
* libcoff.h: Regenerate.
PR 30444
* coffcode.h (coff_write_object_contents): Handle base64 encoding on PE. Also check for too large string table.
* coffgen.c (extract_long_section_name): New function extracted from ... (make_a_section_from_file): ... here. Add support for base64 long section names. (decode_base64): New function.
Commit 0e759f232b regressed these tests:
rs6000-aix7.2 +FAIL: Garbage collection test 1 (32-bit)
rs6000-aix7.2 +FAIL: Garbage collection test 1 (64-bit)
rs6000-aix7.2 +FAIL: Glink test 1 (32-bit)
rs6000-aix7.2 +FAIL: Glink test 1 (64-bit)
Investigation showed segfaults in coff_section_from_bfd_index called
by xcoff_write_global_symbol due to the hash table pointer being
NULL. Well, yes, the hash table isn't initialised for the output bfd.
mkobject_hook is the wrong place to do that.
* coffcode.h: Revert 0e759f232b changes.
* peicode.h: Likewise.
* coff-x86_64.c (htab_hash_section_index, htab_eq_section_index):
Moved here from coffcode.h.
(coff_amd64_rtype_to_howto): Create section_by_index htab.
* coffgen.c (htab_hash_section_target_index),
(htab_eq_section_target_index): Moved here from coffcode.h.
(coff_section_from_bfd_index): Create section_by_target_index
htab. Stash newly created sections in htab.
* libcoff-in.h (struct coff_tdata): Add section_by_index and section_by_target_index hash tables.
* libcoff.h: Regenerate.
* coffcode.h (htab_hash_section_index): New function. (htab_eq_section_index): New function. (htab_hash_section_target_index): New function. (htab_eq_section_target_index): New function. (coff_mkobject_hool): Create the hash tables.
* peicode.h: Add the same new functions. (pe_mkobject_hook): Create the hash tables.
* coff-x86_64.c (coff_amd64_rtype_to_howto): Use the new tables to speed up lookups.
* coffgen.c (coff_section_from_bfd_index): Likewise. (_bfd_coff_close_and_cleanup): Delete the hash tables.
Do I care about out of memory conditions triggered by fuzzers? Not
much. Your operating system ought to be able to handle it by killing
the memory hog. Oh well, this one was an element of a coff-alpha
archive that said it was a little less that 2**64 in size. The
coff-alpha compression scheme expands at most 8 times, so we can do
better in bfd_get_file_size.
* bfdio.c (bfd_get_file_size): Assume elements in compressed
archive can only expand a maximum of eight times.
* coffgen.c (_bfd_coff_get_external_symbols): Sanity check
size of symbol table agains file size.
I'm fairly certain the table_end checks are redundant now. This
patch reverts commit 334d4ced42.
* coffgen.c (coff_pointerize_aux): Remove table_end parameter.
(coff_get_normalized_symtab): Adjust to suit.
long is a poor choice of type to store 32-bit values read from
objects files by H_GET_32. H_GET_32 doesn't sign extend so tests like
that in gdb/coffread.c for "negative" values won't work if long is
larger than 32 bits. If long is 32-bit then code needs to be careful
to not accidentally index negative array elements. (I'd rather see a
segfault on an unmapped 4G array index than silently reading bogus
data.) long is also a poor choice for x_sect.s_scnlen, which might
have 64-bit values. It's better to use unsigned exact width types to
avoid surprises.
I decided to change the field names too, which makes most of this
patch simply renaming. Besides that there are a few places where
casts are no longer needed, and where printf format strings or tests
need adjusting.
include/
* coff/internal.h (union internal_auxent): Use unsigned stdint
types. Rename l fields to u32 and u64 as appropriate.
bfd/
* coff-bfd.c,
* coff-rs6000.c,
* coff64-rs6000.c,
* coffcode.h,
* coffgen.c,
* cofflink.c,
* coffswap.h,
* peXXigen.c,
* xcofflink.c: Adjust to suit internal_auxent changes.
binutils/
* rdcoff.c: Adjust to suit internal_auxent changes.
gas/
* config/obj-coff.h,
* config/tc-ppc.c: Adjust to suit internal_auxent changes.
gdb/
* coffread.c,
* xcoffread.c: Adjust to suit internal_auxent changes.
ld/
* pe-dll.c: Adjust to suit internal_auxent changes.
We can't free "internal" on errors, since bfd_coff_swap_sym_in may
call bfd_alloc. For example, _bfd_XXi_swap_sym_in may even create new
sections, which use bfd_alloc'd memory. If "internal" is freed, all
more recently bfd_alloc'd memory is also freed.
* coffgen.c (coff_get_normalized_symtab): Don't bfd_release on
error.
As far as I can see the only place that sets obj_coff_strings without
setting obj_coff_strings_len is pe_ILF_build_a_bfd. Fix that and we
can simplify the sym string offset check. This is just a tidy.
pe_ILF_build_a_bfd doesn't create bad symbols and
_bfd_coff_read_string_table will always result in non-zero
obj_coff_strings_len when obj_coff_strings is non-NULL.
PR 17910
* coffgen.c (_bfd_coff_internal_syment_name): Always sanity
check sym string offset.
* peicode.h (pe_ILF_build_a_bfd): Set obj_coff_strings_len.
The newer update-copyright.py fixes file encoding too, removing cr/lf
on binutils/bfdtest2.c and ld/testsuite/ld-cygwin/exe-export.exp, and
embedded cr in binutils/testsuite/binutils-all/ar.exp string match.
Also support compressing a few more sections.
* coffgen.c (make_a_section_from_file): Rename return_section
to newsect. Don't try to be clever matching section name.
Compress .gnu.debuglto_.debug_ and .gnu.linkonce.wi. too.
Only rename debug sections when decompressing for linker.
Since commit 4bea06d73c COFF support for compressed debug sections
has been broken due to the "flags" variable not getting SEC_HAS_CONTENTS.
* coffgen.c (make_a_section_from_file): Correct section flags
handling. Delete extraneous condition. Update error messages
to be the same as in elf.c.
Move a couple of elf.c functions to compress.c.
* compress.c (bfd_debug_name_to_zdebug): New inline function.
(bfd_zdebug_name_to_debug): Likewise.
* elf.c (convert_debug_to_zdebug, convert_zdebug_to_debug): Delete.
(_bfd_elf_make_section_from_shdr, elf_fake_sections),
(_bfd_elf_assign_file_positions_for_non_load): Adjust to suit.
* coffgen.c (make_a_section_from_file): Use new inlines here.
The idea here is the stop tools from allocating up to 32G per section
for the arelent pointer array, only to find a little later that the
section reloc count was fuzzed. This usually doesn't hurt much (on
systems that allow malloc overcommit) except when compiled with asan.
We already do this for ELF targets, and while fixing the logic
recently I decided other targets ought to do the same.
* elf64-sparc.c (elf64_sparc_get_reloc_upper_bound): Sanity check
section reloc count against file size.
* mach-o.c (bfd_mach_o_get_reloc_upper_bound): Likewise.
* aoutx.h (get_reloc_upper_bound): Likewise, and don't duplicate
check done in bfd_get_reloc_upper_bound.
* pdp11.c (get_reloc_upper_bound): Likewise.
* coffgen.c (coff_get_reloc_upper_bound): Likewise.
bfd_malloc_and_get_section performs some sanity checks on the section
size before allocating memory. This patch avails the stab
nearest_line code of that sanity checking, and tidies up memory
afterward.
* coffgen.c (_bfd_coff_close_and_cleanup): Call _bfd_stab_cleanup.
* elf.c (_bfd_elf_close_and_cleanup): Likewise.
* syms.c (_bfd_stab_section_find_nearest_line): Set *pinfo earlier.
Use bfd_malloc_and_get_section. Free malloc'd buffers on failure.
Malloc indextable.
(_bfd_stab_cleanup): New function.
* libbfd-in.h (_bfd_stab_cleanup): Declare.
* libbfd.h: Regnerate.
It doesn't make sense to try to compress a section without contents
since those sections take no space on disk. Compression can only
increase the disk image size.
* coffgen.c (make_a_section_from_file): Exclude !SEC_HAS_CONTENTS
sections from compression and decompression.
* elf.c (_bfd_elf_make_section_from_shdr): Likewise.
On coff_slurp_symbol_table printing "unrecognized storage class"
for a symbol error. If the symbol name is the last string in its
section and not terminated, we run off the end of the buffer.
* coffgen.c (build_debug_section): Terminate the section with
an extra 0.
bfd_hostptr_t is defined as a type large enough to hold either a long
or a pointer. It mostly appears in the coff backend code in casts.
include/coff/internal.h struct internal_syment and union
internal_auxent have the only uses in data structures, where
comparison with include/coff/external.h and other code reveals that
the type only needs to be large enough for a 32-bit integer or a
pointer. That should mean replacing with uintptr_t is OK.
Otherwise the string table may grow and hence e.g. change a final binary
(observed with PE/COFF ones) even if really there's no change. Doing so
in fact reduces the overall amount of code, and in particular the number
of places which need to remain in sync.
Afaics there's no real equivalent to the "traditional_format" field used
when linking, so hashing is always enabled when copying / stripping.
XCOFF assembly defines the visibility using an additional argument
on several pseudo-ops: .globl, .weak, .extern and .comm.
This implies that .globl and .weak syntax is different than the
usual GNU syntax. But we want to provide compatibility with AIX
assembler, especially because GCC is generating the visibility
using this XCOFF syntax.
PR 22085
bfd/ChangeLog:
* coffcode.h (coff_write_object_contents): Change XCOFF header
vstamp field to 2.
* coffgen.c (coff_print_symbol): Increase the size for n_type.
gas/ChangeLog:
* config/tc-ppc.c (ppc_xcoff_get_visibility): New function.
(ppc_globl): New function.
(ppc_weak): New function.
(ppc_comm): Add visibility field support.
(ppc_extern): Likewise.
* testsuite/gas/all/cofftag.d: Adjust to new n_type size
providing by objdump.
* testsuite/gas/ppc/test1xcoff32.d: Likewise.
* testsuite/gas/ppc/aix.exp: Add new tests.
* testsuite/gas/ppc/xcoff-visibility-1-32.d: New test.
* testsuite/gas/ppc/xcoff-visibility-1-64.d: New test.
* testsuite/gas/ppc/xcoff-visibility-1.s: New test.
include/ChangeLog:
* coff/internal.h (SYM_V_INTERNAL, SYM_V_HIDDEN,
SYM_V_PROTECTED, SYM_V_EXPORTED, SYM_V_MASK): New defines.
* coff/xcoff.h (struct xcoff_link_hash_entry): Add visibility
field.
ld/ChangeLog:
* testsuite/ld-pe/pr19803.d: Adjust to new n_type size
providing by objdump.
The result of running etc/update-copyright.py --this-year, fixing all
the files whose mode is changed by the script, plus a build with
--enable-maintainer-mode --enable-cgen-maint=yes, then checking
out */po/*.pot which we don't update frequently.
The copy of cgen was with commit d1dd5fcc38ead reverted as that commit
breaks building of bfp opcodes files.
This test was failing here and on another similar symbol:
[ 4](sec 1)(fl 0x00)(ty 0)(scl 143) (nx 0) 0x05d1745d11745d21 .bs
where correct output is
[ 4](sec 1)(fl 0x00)(ty 0)(scl 143) (nx 0) 0x000000000000000a .bs
The problem is caused by a 32-bit host pointer being sign-extended
when stored into a 64-bit bfd_vma, and then that value not being
trimmed back to 32 bits when used. The following belt-and-braces
patch fixes both the store and subsequent reads.
* coffcode.h (coff_slurp_symbol_table): Do not sign extend
when storing a host pointer to syment.n_value.
* coffgen.c (coff_get_symbol_info): Cast syment.n_value to a
bfd_hostptr_t before using in arithmetic.
(coff_print_symbol): Likewise.
Commit e86fc4a5bc ("PR 28447: implement multiple parameters for .file
on XCOFF") introduces C_FILE entries which can store additional
information.
However, some modifications are needed by them but not by the original
C_FILE entries, usually representing the filename.
This patch ensures that filename entries are kept as is, in order to
protect targets not supporting the additional entries.
* coffgen.c (coff_write_symbol): Protect filename entries
(coff_write_symbols): Likewise.
(coff_print_symbol): Likewise.
Sometimes the investigation of a fuzzing bug report leads into areas
you'd rather not go. In this instance by the time I'd figured out the
real cause was a target variant that had never been properly supported
in binutils, the time needed to fix it was less than the time needed
to rip it out.
* coffcode.h (coff_set_alignment_hook): Call bfd_coff_swap_reloc_in
not coff_swap_reloc_in.
(coff_slurp_reloc_table): Likewise. Don't use RELOC type.
(ticoff0_swap_table): Use coff_swap_reloc_v0_out and
coff_swap_reloc_v0_in.
* coffswap.h (coff_swap_reloc_v0_in, coff_swap_reloc_v0_out): New.
* coff-tic54x.c (tic54x_lookup_howto): Don't abort.
* coffgen.c (coff_get_normalized_symtab): Use PTR_ADD.
* bfd-in.h (PTR_ADD, NPTR_ADD): Avoid warnings when passing an
expression.
* bfd-in2.h: Regenerate.
Section reloc_count is an unsigned int. Adding one for a NULL
terminator to an array of arelent pointers can wrap the count to
zero. Avoid that by doing the addition as longs.
* coffgen.c (coff_get_reloc_upper_bound): Don't overflow unsigned
int expression.
* elf.c (_bfd_elf_get_reloc_upper_bound): Likewise.
* elf64-sparc.c (elf64_sparc_get_reloc_upper_bound): Likewise.
* mach-o.c (bfd_mach_o_get_reloc_upper_bound): Likewise.
* vms-alpha.c (alpha_vms_get_reloc_upper_bound): Likewise.
