From acfd5524fa47a96bda305ea79c6b77c201930814 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Mon, 12 Sep 2022 19:15:01 +0930
Subject: [PATCH] asan: som_set_reloc_info heap buffer overflow

Also a bugfix. The first time the section was read, the contents didn't supply an addend.

* som.c (som_set_reloc_info): Sanity check offset. Do process contents after reading. Tidy section->contents after freeing.
---
 bfd/som.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/bfd/som.c b/bfd/som.c
index 38c574a97c8..9b0a5513209 100644
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -5251,7 +5251,9 @@ som_set_reloc_info (unsigned char *fixup,
 section->contents = contents;
 deallocate_contents = 1;
 }
- else if (rptr->addend == 0)
+ if (rptr->addend == 0
+ && offset - var ('L') <= section->size
+ && section->size - (offset - var ('L')) >= 4)
 rptr->addend = bfd_get_32 (section->owner, (section->contents + offset - var ('L')));
@@ -5269,7 +5271,10 @@ som_set_reloc_info (unsigned char *fixup,
 }
 }
 if (deallocate_contents)
- free (section->contents);
+ {
+ free (section->contents);
+ section->contents = NULL;
+ }
 return count;
--
2.30.2
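Review bot: The new guard in the `if (rptr->addend == 0 ...` condition evaluates `offset - var ('L')` with integer arithmetic, while the read it protects still forms `section->contents + offset - var ('L')` by pointer arithmetic, so the bound only covers the access if the two agree; the declarations of `offset` and `var` are outside the hunk, so their signedness and width cannot be confirmed from here. Computing the index once and using it for both would make the check visibly match the read, for example `bfd_size_type off = offset - var ('L');`, then `&& off <= section->size && section->size - off >= 4` and `bfd_get_32 (section->owner, section->contents + off)`. When the check fails the addend silently stays 0; since the fixup stream comes from the input file, a short comment stating that out-of-range offsets are deliberately ignored would help the next reader. The enclosing block starts and ends outside the hunk.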
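Review bot: The new `free`/`section->contents = NULL` block carries no comment saying why the buffer is released here, and the matching `section->contents = contents; deallocate_contents = 1;` assignment sits in the earlier hunk, well above this site. A comment on the block such as `/* Contents were attached only for the addend lookups above; clear the pointer so nothing later sees freed memory.  */` would record the ownership rule (the wording assumes the buffer has no other user, which the hunk does not show). Any return path between that assignment and this cleanup would skip the reset; those paths lie outside the hunk and are worth checking against the same rule.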