asan: som_set_reloc_info heap buffer overflow

Also a bugfix. The first time the section was read, the contents didn't supply an addend. * som.c (som_set_reloc_info): Sanity check offset. Do process contents after reading. Tidy section->contents after freeing.
author: Alan Modra <amodra@gmail.com> 2022-09-12 19:15:01 +0930
committer: Alan Modra <amodra@gmail.com> 2022-09-14 10:19:57 +0930
commit: acfd5524fa47a96bda305ea79c6b77c201930814 (patch)
tree: 59d5e3f0020ee118bc1f828bf300f5b35d861bc9 /bfd
parent: 72e366db620f5b2264290d9ba3b62df74bd0c40b (diff)
download: binutils-acfd5524fa47a96bda305ea79c6b77c201930814.zip
binutils-acfd5524fa47a96bda305ea79c6b77c201930814.tar.gz
binutils-acfd5524fa47a96bda305ea79c6b77c201930814.tar.bz2
1 files changed, 7 insertions, 2 deletions
diff --git a/bfd/som.c b/bfd/som.c
index 38c574a..9b0a551 100644
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -5251,7 +5251,9 @@ som_set_reloc_info (unsigned char *fixup,
 		      section->contents = contents;
 		      deallocate_contents = 1;
 		    }
-		  else if (rptr->addend == 0)
+		  if (rptr->addend == 0
+		      && offset - var ('L') <= section->size
+		      && section->size - (offset - var ('L')) >= 4)
 		    rptr->addend = bfd_get_32 (section->owner,
 					       (section->contents
 						+ offset - var ('L')));
@@ -5269,7 +5271,10 @@ som_set_reloc_info (unsigned char *fixup,
 	}
     }
   if (deallocate_contents)
-    free (section->contents);
+    {
+      free (section->contents);
+      section->contents = NULL;
+    }
 
   return count;
author	Alan Modra <amodra@gmail.com>	2022-09-12 19:15:01 +0930
committer	Alan Modra <amodra@gmail.com>	2022-09-14 10:19:57 +0930
commit	acfd5524fa47a96bda305ea79c6b77c201930814 (patch)
tree	59d5e3f0020ee118bc1f828bf300f5b35d861bc9 /bfd
parent	72e366db620f5b2264290d9ba3b62df74bd0c40b (diff)
download	binutils-acfd5524fa47a96bda305ea79c6b77c201930814.zip binutils-acfd5524fa47a96bda305ea79c6b77c201930814.tar.gz binutils-acfd5524fa47a96bda305ea79c6b77c201930814.tar.bz2