asan: heap buffer overflow in _bfd_elf_parse_attributes

Message ID 20210602053836.GA4193@bubble.grove.modra.org
State New

Commit Message

Libor Bukata via Binutils June 2, 2021, 5:38 a.m.
It's fine to use pointer comparisons here, no need to do something
like (subsection_len < (size_t) (p - orig_p)) since both "end" and "p"
are within their bounds.

	* elf-attrs.c (_bfd_elf_parse_attributes): Break out of loop if
	subsection length is too small to cover tag and length field.


-- 
Alan Modra
Australia Development Lab, IBM

Patch

diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c
index 11a81a3ba74..72c606d9d1c 100644
--- a/bfd/elf-attrs.c
+++ b/bfd/elf-attrs.c
@@ -548,15 +548,15 @@  _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr)
 		}
 	      else
 		{
-		  subsection_len = 0;
 		  p = p_end;
+		  break;
 		}
-	      if (subsection_len == 0)
-		break;
 	      if (subsection_len > section_len)
 		subsection_len = section_len;
 	      section_len -= subsection_len;
 	      end = orig_p + subsection_len;
+	      if (end < p)
+		break;
 	      switch (tag)
 		{
 		case Tag_File:
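
Review bot: the new "if (end < p) break;" ahead of "switch (tag)" now silently also handles the zero-length case that the removed "if (subsection_len == 0) break;" covered, and it only works because p has already advanced past the tag and length field while end is computed from orig_p. Nothing at the check says so. A short comment there would help, for example "/* Subsection too small to cover its tag and length field. */", so a later cleanup does not reinstate the explicit zero test or move the check above the "end = orig_p + subsection_len;" assignment. Note also that "section_len -= subsection_len;" still runs before the new break. Whether that matters depends on how section_len is used after the loop, which is outside the visible lines, so it is worth confirming that the early exit leaves section_len in the state the caller expects.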