* asan: som_set_reloc_info heap buffer overflow
@ 2022-09-14 0:45 Alan Modra
From: Alan Modra @ 2022-09-14 0:45 UTC
To: binutils
Also a bugfix. The first time the section was read, the contents
didn't supply an addend.
* som.c (som_set_reloc_info): Sanity check offset. Do process
contents after reading. Tidy section->contents after freeing.
diff --git a/bfd/som.c b/bfd/som.c
index 38c574a97c8..9b0a5513209 100644
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -5251,7 +5251,9 @@ som_set_reloc_info (unsigned char *fixup,
section->contents = contents;
deallocate_contents = 1;
}
- else if (rptr->addend == 0)
+ if (rptr->addend == 0
+ && offset - var ('L') <= section->size
+ && section->size - (offset - var ('L')) >= 4)
rptr->addend = bfd_get_32 (section->owner,
(section->contents
+ offset - var ('L')));
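Review bot: the new guard in the `if (rptr->addend == 0 ...` condition is only sound if `offset - var ('L')` is evaluated in unsigned arithmetic, so that a `var ('L')` larger than `offset` wraps to a huge value and fails the `<= section->size` test; the operand types are not visible in this hunk, and with a signed result the comparison against `section->size` would depend on implicit conversion. I would compute the difference once into a named unsigned local, test that local against `section->size`, and reuse it in the `bfd_get_32` call, which also removes the four repetitions of the same expression. When the check fails the addend is silently left at 0; a short comment stating that this is the intended result for an out-of-range fixup would help the next reader.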
@@ -5269,7 +5271,10 @@ som_set_reloc_info (unsigned char *fixup,
}
}
if (deallocate_contents)
- free (section->contents);
+ {
+ free (section->contents);
+ section->contents = NULL;
+ }
return count;
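Review bot: the free-and-reset under `if (deallocate_contents)` runs only on the fall-through path to `return count;`, so please confirm that no return between `section->contents = contents;` (context of the first hunk) and this block can leave the temporary buffer published in `section->contents` or leak it. A one-line comment here saying that `section->contents` was set only for the duration of this function would make the reason for the `NULL` assignment clear. If the read in the first hunk can go through a local pointer instead of `section->contents`, the temporary assignment and this reset would both become unnecessary.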
--
Alan Modra
Australia Development Lab, IBM