From 8ef22662dcd18c6b069fee3b1a10557cb2c03af4 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Fri, 17 Dec 2021 12:19:54 +1030
Subject: [PATCH] asan: buffer overflow in elfnn-aarch64.c get_plt_type

We can't assume .dynamic is a multiple of ElfNN_External_Dyn, at least not when presented with fuzzed object files.

* elfnn-aarch64.c (get_plt_type): Don't access past end of improperly sized .dynamic.
---
 bfd/elfnn-aarch64.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/bfd/elfnn-aarch64.c b/bfd/elfnn-aarch64.c
index 4885f417a2a..051aff5c1b0 100644
--- a/bfd/elfnn-aarch64.c
+++ b/bfd/elfnn-aarch64.c
@@ -9762,11 +9762,13 @@ get_plt_type (bfd *abfd)
 aarch64_plt_type ret = PLT_NORMAL;
 bfd_byte *contents, *extdyn, *extdynend;
 asection *sec = bfd_get_section_by_name (abfd, ".dynamic");
- if (!sec || !bfd_malloc_and_get_section (abfd, sec, &contents))
+ if (!sec
+ || sec->size < sizeof (ElfNN_External_Dyn)
+ || !bfd_malloc_and_get_section (abfd, sec, &contents))
 return ret;
 extdyn = contents;
- extdynend = contents + sec->size;
- for (; extdyn < extdynend; extdyn += sizeof (ElfNN_External_Dyn))
+ extdynend = contents + sec->size - sizeof (ElfNN_External_Dyn);
+ for (; extdyn <= extdynend; extdyn += sizeof (ElfNN_External_Dyn))
 {
 Elf_Internal_Dyn dyn;
 bfd_elfNN_swap_dyn_in (abfd, extdyn, &dyn);
--
2.30.2
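Review bot: The new bound `extdynend = contents + sec->size - sizeof (ElfNN_External_Dyn)` is only valid because of the `sec->size < sizeof (ElfNN_External_Dyn)` test a few lines earlier, and nothing in the code records that dependency; if the guard is ever dropped or reordered, the subtraction puts the bound before the start of the buffer. Either add a comment above the loop such as `/* A fuzzed .dynamic need not be a multiple of the entry size; stop at the last complete entry. */`, or keep `extdynend = contents + sec->size` and make the condition self-contained: `for (; (size_t) (extdynend - extdyn) >= sizeof (ElfNN_External_Dyn); extdyn += sizeof (ElfNN_External_Dyn))`. The body of get_plt_type continues past the end of the hunk, so whether `contents` is released on every exit path cannot be confirmed from here.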