From: Alan Modra Date: Sat, 8 Mar 2025 09:19:06 +0000 (+1030) Subject: bfd_elf_parse_attr_section_v1 buffer overflow X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=684f3e906cc75af90192f11a57364c6462774c3a;p=thirdparty%2Fbinutils-gdb.git bfd_elf_parse_attr_section_v1 buffer overflow This function has a misleading parameter "contents", which usually means an entire section contents is passed. However in this case the actual sections contents plus one is passed, leading to miscalculating the end of the buffer. * elf-attrs.c (bfd_elf_parse_attr_section_v1): Delete hdr and contents param. Add p and p_end as params. (_bfd_elf_parse_attributes): Adjust to suit.
---
diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c
index a6a72369afd..e80575b9a55 100644
--- a/bfd/elf-attrs.c
+++ b/bfd/elf-attrs.c
@@ -490,12 +490,8 @@ _bfd_elf_obj_attrs_arg_type (bfd *abfd, int vendor, unsigned int tag)
 }

 static void
-bfd_elf_parse_attr_section_v1 (bfd *abfd,
- Elf_Internal_Shdr * hdr,
- bfd_byte *contents)
+bfd_elf_parse_attr_section_v1 (bfd *abfd, bfd_byte *p, bfd_byte *p_end)
 {
- bfd_byte *p = contents;
- bfd_byte *p_end = p + hdr->sh_size;
 const char *std_sec = get_elf_backend_data (abfd)->obj_attrs_vendor;

 while (p_end - p >= 4)
@@ -651,9 +647,9 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr)

 ++cursor;

- bfd_elf_parse_attr_section_v1 (abfd, hdr, cursor);
+ bfd_elf_parse_attr_section_v1 (abfd, cursor, data + hdr->sh_size);

-free_data:
+ free_data:
 free (data);
 }
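Review bot: The new parameters `p` and `p_end` carry the contract that fixes the overflow — `p` has already been advanced past the section's version byte while `p_end` is the end of the whole section — but nothing at the new signature says so, and a future caller that passes the start of the contents again would reintroduce exactly the miscalculation this commit removes. A comment above the definition would pin it down: `/* Parse the attribute subsections in [P, P_END).  P points just past the version byte; P_END is the end of the section contents, not P plus a length.  */`. If the body only reads through `p`, both pointers could also be `const bfd_byte *`, but that cannot be confirmed here because the loop body of bfd_elf_parse_attr_section_v1 continues past the end of this hunk.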
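Review bot: The end pointer `data + hdr->sh_size` at the new call is correct only because `data` holds exactly `hdr->sh_size` bytes and `cursor` was derived from `data`; both facts come from code above this hunk, so the bound is invisible at the point where it matters. Introducing the bound once where the section is read, `bfd_byte *data_end = data + hdr->sh_size;`, and passing `data_end` here would make the relationship explicit and keep it in step if the read size ever changes. This also presumes `cursor` was checked to lie within the buffer before `++cursor`; the version-byte check that would guarantee that is outside the hunk. The other change, indenting `free_data:` by one column, is style only.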