asan: buffer overflow in m32r_elf_generic_reloc

The existing sanity check didn't take into account the size of the
reloc field.  So a field that started before the end of section, but
extended past it, accessed past the end of the contents buffer.

	* elf32-m32r.c (m32r_elf_generic_reloc): Properly check reloc
	offset.
	(m32r_elf_do_10_pcrel_reloc): Likewise.

diff --git a/bfd/elf32-m32r.c b/bfd/elf32-m32r.c
index 80a1b1eaa7af51daeeb0fe563da08fb507e2c671..1219d9b04fcc5245eb8e94cc3b05ea3e1fa479c8 100644 (file)
--- a/bfd/elf32-m32r.c
+++ b/bfd/elf32-m32r.c
@@ -98,7 +98,7 @@ m32r_elf_do_10_pcrel_reloc (bfd *abfd,
   bfd_reloc_status_type status;
 
   /* Sanity check the address (offset in section).  */
-  if (offset > bfd_get_section_limit (abfd, input_section))
+  if (!bfd_reloc_offset_in_range (howto, abfd, input_section, offset))
     return bfd_reloc_outofrange;
 
   relocation = symbol_value + addend;
@@ -192,7 +192,8 @@ m32r_elf_generic_reloc (bfd *input_bfd,
      a section relative addend which is wrong.  */
 
   /* Sanity check the address (offset in section).  */
-  if (reloc_entry->address > bfd_get_section_limit (input_bfd, input_section))
+  if (!bfd_reloc_offset_in_range (reloc_entry->howto, input_bfd,
+                                 input_section, reloc_entry->address))
     return bfd_reloc_outofrange;
 
   ret = bfd_reloc_ok;