asan: heap buffer overflow in _bfd_elf_parse_attributes
authorAlan Modra <amodra@gmail.com>
Wed, 2 Jun 2021 05:17:17 +0000 (14:47 +0930)
committerAlan Modra <amodra@gmail.com>
Wed, 2 Jun 2021 05:17:17 +0000 (14:47 +0930)
* elf-attrs.c (_bfd_elf_parse_attributes): Break out of loop if
subsection length is too small to cover tag and length field.

bfd/ChangeLog
bfd/elf-attrs.c

index fd9721e7809b8b02f9417dab96d670038ac3bf11..7857b70cf06896c07dcde3ac784fdb427df06303 100644 (file)
@@ -1,3 +1,8 @@
+2021-06-02  Alan Modra  <amodra@gmail.com>
+
+       * elf-attrs.c (_bfd_elf_parse_attributes): Break out of loop if
+       subsection length is too small to cover tag and length field.
+
 2021-05-31  Nelson Chu  <nelson.chu@sifive.com>
            Lifang Xia  <lifang_xia@c-sky.com>
 
index 11a81a3ba74ff024bc0285ed0d543c664dcfb443..72c606d9d1c921a405a095ddcc67b2a3600aea54 100644 (file)
@@ -548,15 +548,15 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr)
                }
              else
                {
-                 subsection_len = 0;
                  p = p_end;
+                 break;
                }
-             if (subsection_len == 0)
-               break;
              if (subsection_len > section_len)
                subsection_len = section_len;
              section_len -= subsection_len;
              end = orig_p + subsection_len;
+             if (end < p)
+               break;
              switch (tag)
                {
                case Tag_File:
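Review bot: The added `if (end < p) break;` is now the only guard against a subsection length too short to cover the tag and length bytes already consumed, and it also silently takes over the zero-length case that the removed `subsection_len == 0` test handled, yet it has no comment saying so. I would add `/* Subsection too short to hold its own tag and length field (this includes zero): stop rather than let the tag handlers run with end behind p.  */` above it. The check could also be made on lengths before `end` is formed, e.g. `if (subsection_len < (size_t) (p - orig_p)) break;`, so that its correctness does not depend on `orig_p + subsection_len` staying inside the buffer. Whether `section_len` is already bounded by the bytes remaining before `p_end` is not visible in this hunk and should be confirmed. The function and the enclosing loop start and end outside the hunk.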