asan: som_set_reloc_info heap buffer overflow

Also a bugfix.  The first time the section was read, the contents
didn't supply an addend.

	* som.c (som_set_reloc_info): Sanity check offset.  Do process
	contents after reading.  Tidy section->contents after freeing.

diff --git a/bfd/som.c b/bfd/som.c
index 38c574a97c850a4e750e521194dd50c45380a161..9b0a55132096441e3eaee9283806e24e5d852830 100644 (file)
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -5251,7 +5251,9 @@ som_set_reloc_info (unsigned char *fixup,
                      section->contents = contents;
                      deallocate_contents = 1;
                    }
-                 else if (rptr->addend == 0)
+                 if (rptr->addend == 0
+                     && offset - var ('L') <= section->size
+                     && section->size - (offset - var ('L')) >= 4)
                    rptr->addend = bfd_get_32 (section->owner,
                                               (section->contents
                                                + offset - var ('L')));
@@ -5269,7 +5271,10 @@ som_set_reloc_info (unsigned char *fixup,
        }
     }
   if (deallocate_contents)
-    free (section->contents);
+    {
+      free (section->contents);
+      section->contents = NULL;
+    }
 
   return count;