From 2f6ba62ed3825afa0d995e23d5bfe2fd8258bd00 Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Wed, 26 Oct 2022 11:26:34 +1030 Subject: som.c buffer overflow Fuzzed object files can put random values in bfd_reloc->address, leading to large som_reloc_skip output. * som.c (som_write_fixups): Allow for maximal som_reloc_skip. --- bfd/som.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'bfd') diff --git a/bfd/som.c b/bfd/som.c index 9b0a551..b9114e6 100644 --- a/bfd/som.c +++ b/bfd/som.c @@ -3005,10 +3005,12 @@ som_write_fixups (bfd *abfd, then dump the current buffer contents now. Also reinitialize the relocation queue. - No single BFD relocation could ever translate into more - than 100 bytes of SOM relocations (20bytes is probably the - upper limit, but leave lots of space for growth). */ - if (p - tmp_space + 100 > SOM_TMP_BUFSIZE) + A single BFD relocation would probably only ever + translate into at most 20 bytes of SOM relocations. + However with fuzzed object files and resulting silly + values for "skip" below, som_reloc_skip can emit 262 + bytes. Leave lots of space for growth. */ + if (p - tmp_space + 512 > SOM_TMP_BUFSIZE) { amt = p - tmp_space; if (bfd_bwrite ((void *) tmp_space, amt, abfd) != amt) -- cgit v1.1
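Review bot: The new threshold on the `if (p - tmp_space + 512 > SOM_TMP_BUFSIZE)` line is a bare magic number whose only justification is the comment's "262 bytes" figure for som_reloc_skip, so a later change to that emitter's encoding would silently invalidate the flush check; I would name it beside the emitter, e.g. `#define SOM_RELOC_MAX_BYTES 512` with the worst-case derivation in its comment, and use the macro here. The 262-byte worst case cannot be verified from the hunk, so a one-line comment at som_reloc_skip stating how it is reached (presumably the largest representable skip) would make the margin auditable. Since the root cause named in the commit message is a fuzzed `bfd_reloc->address` outside the subsection, the more robust fix is to reject such a relocation up front with `bfd_set_error (bfd_error_bad_value);` and the function's failure return before the skip is computed, which keeps the flush margin independent of attacker-controlled input. `SOM_TMP_BUFSIZE` is not visible in the hunk; if it is a preprocessor constant, a compile-time check that it exceeds the margin would catch the one remaining way this branch can still be bypassed. som_write_fixups starts and ends outside the hunk.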