asan: som_set_reloc_info heap buffer overflow
authorAlan Modra <amodra@gmail.com>
Mon, 12 Sep 2022 09:45:01 +0000 (19:15 +0930)
committerAlan Modra <amodra@gmail.com>
Wed, 14 Sep 2022 00:49:57 +0000 (10:19 +0930)
Also a bugfix.  The first time the section was read, the contents
didn't supply an addend.

* som.c (som_set_reloc_info): Sanity check offset.  Do process
contents after reading.  Tidy section->contents after freeing.

bfd/som.c

index 38c574a97c850a4e750e521194dd50c45380a161..9b0a55132096441e3eaee9283806e24e5d852830 100644 (file)
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -5251,7 +5251,9 @@ som_set_reloc_info (unsigned char *fixup,
                      section->contents = contents;
                      deallocate_contents = 1;
                    }
-                 else if (rptr->addend == 0)
+                 if (rptr->addend == 0
+                     && offset - var ('L') <= section->size
+                     && section->size - (offset - var ('L')) >= 4)
                    rptr->addend = bfd_get_32 (section->owner,
                                               (section->contents
                                                + offset - var ('L')));
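Review bot: The new guard validates `offset - var ('L')`, but the read that follows still forms its address as `section->contents + offset - var ('L')`, which groups as `(section->contents + offset) - var ('L')`. If `offset` and the variable differ in signedness or width (their declarations are outside this hunk), the value that was checked and the value actually used may not be the same number. Computing it once, e.g. `bfd_size_type off = offset - var ('L');`, then testing `off <= section->size && section->size - off >= 4` and reading from `section->contents + off`, ties the bounds check to the access. When the check fails the addend silently stays 0, so a one-line comment saying that an out-of-range fixup offset is deliberately ignored would help the next reader. The enclosing function starts and ends outside this hunk.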
@@ -5269,7 +5271,10 @@ som_set_reloc_info (unsigned char *fixup,
        }
     }
   if (deallocate_contents)
-    free (section->contents);
+    {
+      free (section->contents);
+      section->contents = NULL;
+    }
 
   return count;