From: Alan Modra Date: Sat, 27 Jun 2026 04:26:11 +0000 (+0930) Subject: asan: buffer overflow in m32r_elf_generic_reloc X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=75dd61930e0fdcadfc6ae6dfe4acb3db4fe69ba1;p=thirdparty%2Fbinutils-gdb.git asan: buffer overflow in m32r_elf_generic_reloc The existing sanity check didn't take into account the size of the reloc field. So a field that started before the end of section, but extended past it, accessed past the end of the contents buffer. * elf32-m32r.c (m32r_elf_generic_reloc): Properly check reloc offset. (m32r_elf_do_10_pcrel_reloc): Likewise. --- diff --git a/bfd/elf32-m32r.c b/bfd/elf32-m32r.c index 80a1b1eaa7a..1219d9b04fc 100644 --- a/bfd/elf32-m32r.c +++ b/bfd/elf32-m32r.c @@ -98,7 +98,7 @@ m32r_elf_do_10_pcrel_reloc (bfd *abfd, bfd_reloc_status_type status; /* Sanity check the address (offset in section). */ - if (offset > bfd_get_section_limit (abfd, input_section)) + if (!bfd_reloc_offset_in_range (howto, abfd, input_section, offset)) return bfd_reloc_outofrange; relocation = symbol_value + addend; @@ -192,7 +192,8 @@ m32r_elf_generic_reloc (bfd *input_bfd, a section relative addend which is wrong. */ /* Sanity check the address (offset in section). */ - if (reloc_entry->address > bfd_get_section_limit (input_bfd, input_section)) + if (!bfd_reloc_offset_in_range (reloc_entry->howto, input_bfd, + input_section, reloc_entry->address)) return bfd_reloc_outofrange; ret = bfd_reloc_ok;