* som.c buffer overflow
@ 2022-10-26 5:08 Alan Modra
0 siblings, 0 replies; only message in thread
From: Alan Modra @ 2022-10-26 5:08 UTC (permalink / raw)
To: binutils
Fuzzed object files can put random values in bfd_reloc->address,
leading to large som_reloc_skip output.
* som.c (som_write_fixups): Allow for maximal som_reloc_skip.
diff --git a/bfd/som.c b/bfd/som.c
index 9b0a5513209..b9114e630fe 100644
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -3005,10 +3005,12 @@ som_write_fixups (bfd *abfd,
then dump the current buffer contents now. Also reinitialize
the relocation queue.
- No single BFD relocation could ever translate into more
- than 100 bytes of SOM relocations (20bytes is probably the
- upper limit, but leave lots of space for growth). */
- if (p - tmp_space + 100 > SOM_TMP_BUFSIZE)
+ A single BFD relocation would probably only ever
+ translate into at most 20 bytes of SOM relocations.
+ However with fuzzed object files and resulting silly
+ values for "skip" below, som_reloc_skip can emit 262
+ bytes. Leave lots of space for growth. */
+ if (p - tmp_space + 512 > SOM_TMP_BUFSIZE)
{
amt = p - tmp_space;
if (bfd_bwrite ((void *) tmp_space, amt, abfd) != amt)
--
Alan Modra
Australia Development Lab, IBM
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2022-10-26 5:08 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-26 5:08 som.c buffer overflow Alan Modra
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).