[lld][macho] Error out gracefully when offset is outside literal section

int3 · int3 · commit 9a70a868483a · 2025-10-22T13:00:23.000-04:00
We typically shouldn't get this, but when we do (e.g. in #139439) we should error out gracefully instead of crashing. Note that we are stricter than ld64 here; ld64 appears to be able to handle section offsets that point outside literal sections if the end result is a valid pointer to another section in the input object file. Supporting this would probably be a pain given our current design, and it seems like enough of an edge case that it's onot worth it.
diff --git a/lld/MachO/InputSection.cpp b/lld/MachO/InputSection.cpp
@@ -348,6 +348,9 @@ WordLiteralInputSection::WordLiteralInputSection(const Section &section,
 }
 
 uint64_t WordLiteralInputSection::getOffset(uint64_t off) const {
+  if (off >= data.size())
+    fatal(toString(this) + ": offset is outside the section");
+
   auto *osec = cast<WordLiteralSection>(parent);
   const uintptr_t buf = reinterpret_cast<uintptr_t>(data.data());
   switch (sectionType(getFlags())) {
diff --git a/lld/test/MachO/invalid/bad-offsets.s b/lld/test/MachO/invalid/bad-offsets.s
@@ -0,0 +1,41 @@
+## Test that we properly detect and report out-of-bounds offsets in literal sections.
+## We're intentionally testing fatal errors (for malformed input files), and
+## fatal errors aren't supported for testing when main is run twice.
+# XFAIL: main-run-twice
+
+# REQUIRES: x86
+# RUN: rm -rf %t; split-file %s %t
+
+## Test WordLiteralInputSection bounds checking
+# RUN: llvm-mc -filetype=obj -triple=x86_64-apple-darwin %t/word-literal.s -o %t/word-literal.o
+# RUN: not %lld -dylib %t/word-literal.o -o /dev/null 2>&1 | FileCheck %s --check-prefix=WORD
+
+## Test CStringInputSection bounds checking
+# RUN: llvm-mc -filetype=obj -triple=x86_64-apple-darwin %t/cstring.s -o %t/cstring.o
+# RUN: not %lld -dylib %t/cstring.o -o /dev/null 2>&1 | FileCheck %s --check-prefix=CSTRING
+
+# WORD: error: {{.*}}word-literal.o:(__literal4): offset is outside the section
+# CSTRING: error: {{.*}}cstring.o:(__cstring): offset is outside the section
+
+#--- word-literal.s
+## Create a 4-byte literal section with a reference that points past the end
+.section __TEXT,__literal4,4byte_literals
+_literal:
+  .word 0x01020304
+
+.text
+.globl _main
+_main:
+  .long _literal + 4
+
+#--- cstring.s
+## Create a cstring section with a reference that points past the end
+.cstring
+_str:
+  .asciz "foo"
+
+.text
+.globl _main
+_main:
+  ## Reference past the null terminator (offset 4 in a 4-byte string including null)
+  .long _str + 4

Original file line number	Diff line number	Diff line change
`@@ -348,6 +348,9 @@ WordLiteralInputSection::WordLiteralInputSection(const Section &section,`
`348`	`348`	`}`
`349`	`349`
`350`	`350`	`uint64_t WordLiteralInputSection::getOffset(uint64_t off) const {`
	`351`	`+ if (off >= data.size())`
	`352`	`+ fatal(toString(this) + ": offset is outside the section");`
	`353`	`+`
`351`	`354`	`auto *osec = cast<WordLiteralSection>(parent);`
`352`	`355`	`const uintptr_t buf = reinterpret_cast<uintptr_t>(data.data());`
`353`	`356`	`switch (sectionType(getFlags())) {`