From: Alan Modra Date: Tue, 26 May 2026 08:36:30 +0000 (+0930) Subject: buffer overflow in nds32_elf_lo12_reloc X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=a8740b7533b4df34d4d7bc5be9bb2108d019fce5;p=thirdparty%2Fbinutils-gdb.git buffer overflow in nds32_elf_lo12_reloc nds32_elf_lo12_reloc reads the lo reloc word when processing stashed hi relocs. * elf32-nds32.c: Replace bfd_octets_per_byte with OCTETS_PER_BYTE throughout file. (nds32_elf_lo12_reloc): Sanity check reloc offset.
---
diff --git a/bfd/elf32-nds32.c b/bfd/elf32-nds32.c
index 0f6c676eb94..1912f94caa3 100644
--- a/bfd/elf32-nds32.c
+++ b/bfd/elf32-nds32.c
@@ -2697,7 +2697,7 @@ nds32_elf_do_9_pcrel_reloc (bfd * abfd,
 bfd_reloc_status_type status;
 /* Sanity check the address (offset in section). */
- bfd_vma octet = offset * bfd_octets_per_byte (abfd, input_section);
+ bfd_vma octet = offset * OCTETS_PER_BYTE (abfd, input_section);
 if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octet))
 return bfd_reloc_outofrange;
@@ -2821,7 +2821,7 @@ nds32_elf_hi20_reloc (bfd *abfd,
 /* Sanity check the address (offset in section). */
 bfd_vma octet = (reloc_entry->address
- * bfd_octets_per_byte (abfd, input_section));
+ * OCTETS_PER_BYTE (abfd, input_section));
 if (!bfd_reloc_offset_in_range (reloc_entry->howto, abfd, input_section, octet))
 return bfd_reloc_outofrange;
@@ -2901,6 +2901,12 @@ nds32_elf_lo12_reloc (bfd *input_bfd, arelent *reloc_entry, asymbol *symbol,
 return bfd_reloc_ok;
 }
+ bfd_vma octet = (reloc_entry->address
+ * OCTETS_PER_BYTE (input_bfd, input_section));
+ if (!bfd_reloc_offset_in_range (reloc_entry->howto, input_bfd, input_section,
+ octet))
+ return bfd_reloc_outofrange;
+
 sdata = nds32_elf_section_data (input_section);
 if (sdata->nds32_hi20_list != NULL)
 {
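Review bot: The new early `return bfd_reloc_outofrange;` in nds32_elf_lo12_reloc sits above `if (sdata->nds32_hi20_list != NULL)`, so when the lo12 offset is rejected any hi20 relocs already stashed for the section are left on the list. The code that walks and releases that list is outside the hunk, so this is inferred rather than shown: if nothing else clears it, those entries would be applied against the next lo12 reloc seen for the section, and it is worth confirming that this is intended or dropping the list on this error path. The added check is also the only one in the patch without a comment; `/* Sanity check the address (offset in section) before the stashed hi20 relocs read the lo word.  */` would record why it is needed here. The function's body starts and ends outside the hunk.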
@@ -2992,7 +2998,7 @@ nds32_elf_generic_reloc (bfd *input_bfd, arelent *reloc_entry,
 /* Sanity check the address (offset in section). */
 bfd_vma octet = (reloc_entry->address
- * bfd_octets_per_byte (input_bfd, input_section));
+ * OCTETS_PER_BYTE (input_bfd, input_section));
 if (!bfd_reloc_offset_in_range (reloc_entry->howto, input_bfd, input_section, octet))
 return bfd_reloc_outofrange;
@@ -4753,7 +4759,7 @@ nds32_elf_final_link_relocate (reloc_howto_type *howto, bfd *input_bfd,
 bfd_vma relocation;
 /* Sanity check the address. */
- bfd_vma octet = address * bfd_octets_per_byte (input_bfd, input_section);
+ bfd_vma octet = address * OCTETS_PER_BYTE (input_bfd, input_section);
 if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, octet))
 return bfd_reloc_outofrange;