From df81536f2e53abf521a05eb1e482a076f5849c21 Mon Sep 17 00:00:00 2001
From: Moritz Angermann <moritz.angermann@gmail.com>
Date: Mon, 9 Oct 2023 17:51:05 +0800
Subject: [PATCH] [PEi386 linker] Bounds check and null-deref guard

We should resonably be able to expect that we won't exceed the number of sections if we assume to be dealing with legal object files. We can however not guarantee that we get some negative values, and while we try to special case most, we should exclude negative indexing into the sections array. We also need to ensure that we do not try to derefences targetSection, if it is NULL, due to the switch statement.
---
 rts/linker/PEi386.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/rts/linker/PEi386.c b/rts/linker/PEi386.c
index c30957b75098..4ede63c1d35c 100644
--- a/rts/linker/PEi386.c
+++ b/rts/linker/PEi386.c
@@ -1775,9 +1775,13 @@ ocGetNames_PEi386 ( ObjectCode* oc )
 targetSection = NULL;
 break;
 default:
- targetSection = &oc->sections[targetSecNumber-1];
+ // targetSecNumber is a uint32_t, and the 0 case should be caught by PE_SECTION_UNDEFINED.
+ // The compiler should be smart enough to eliminate the guard, we'll keep it in as fail
+ // safe nontheless.
+ targetSection = targetSecNumber > 0 ? &oc->sections[targetSecNumber-1] : NULL;
- addr = (SymbolAddr*) ((size_t) targetSection->start + getSymValue(info, targetSym));
+ if(NULL != targetSection)
+ addr = (SymbolAddr*) ((size_t) targetSection->start + getSymValue(info, targetSym));
 } else if ( secNumber == IMAGE_SYM_UNDEFINED && symValue > 0) {
 /* This symbol isn't in any section at all, ie, global bss.
--
GitLab
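Review bot: The new guard on the `default:` branch only rejects `targetSecNumber == 0`; it is not the bounds check the title promises, because nothing compares the index against the section count before `&oc->sections[targetSecNumber-1]` is formed, so a malformed object file whose symbol names a section number beyond the table still indexes past the array. Since `targetSecNumber` is unsigned (per the added comment), any negative COFF sentinel the switch does not special-case also passes `> 0`, so an upper bound is what actually closes the hole; the switch and the enclosing `ocGetNames_PEi386` both begin outside this hunk, so I cannot see which sentinels are handled. I would write the line as `targetSection = (targetSecNumber > 0 && targetSecNumber <= (uint32_t) oc->n_sections) ? &oc->sections[targetSecNumber-1] : NULL;` (assuming ObjectCode's section-count field is `n_sections`; use the real name if it differs). With `addr` now assigned only when `targetSection` is non-NULL, it must be initialised before the `switch`, which is outside the hunk — otherwise the skipped assignment leaves a stale value for the code that follows. The added comment's `nontheless` should read `nonetheless`.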