bfd_elf_parse_attr_section_v1 buffer overflow

Message ID Z8wokR3znhFa68ZR@squeak.grove.modra.org
State New
Series bfd_elf_parse_attr_section_v1 buffer overflow

Checks

Context Check Description
linaro-tcwg-bot/tcwg_binutils_build--master-arm fail Patch failed to apply
linaro-tcwg-bot/tcwg_binutils_build--master-aarch64 fail Patch failed to apply

Commit Message

Alan Modra March 8, 2025, 11:22 a.m. UTC
  This function has a misleading parameter "contents", which usually
means an entire section contents is passed.  However in this case the
actual section contents plus one is passed, leading to miscalculating
the end of the buffer.

	* elf-attrs.c (bfd_elf_parse_attr_section_v1): Delete hdr and
	contents param.  Add p and p_end as params.
	(_bfd_elf_parse_attributes): Adjust to suit.
  

Patch

diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c
index a6a72369afd..e80575b9a55 100644
--- a/bfd/elf-attrs.c
+++ b/bfd/elf-attrs.c
@@ -490,12 +490,8 @@  _bfd_elf_obj_attrs_arg_type (bfd *abfd, int vendor, unsigned int tag)
 }
 
 static void
-bfd_elf_parse_attr_section_v1 (bfd *abfd,
-			       Elf_Internal_Shdr * hdr,
-			       bfd_byte *contents)
+bfd_elf_parse_attr_section_v1 (bfd *abfd, bfd_byte *p, bfd_byte *p_end)
 {
-  bfd_byte *p = contents;
-  bfd_byte *p_end = p + hdr->sh_size;
   const char *std_sec = get_elf_backend_data (abfd)->obj_attrs_vendor;
 
   while (p_end - p >= 4)
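Review bot: The new signature `bfd_elf_parse_attr_section_v1 (bfd *abfd, bfd_byte *p, bfd_byte *p_end)` carries no comment stating the contract for the two pointers, and the removed `bfd_byte *p_end = p + hdr->sh_size;` shows that an unstated assumption about what the caller passes is exactly what went wrong before. Suggest a comment above the function saying that P is the first byte to parse, P_END is one past the last byte of the section data, and both must point into the same buffer with P <= P_END, since the loop condition `while (p_end - p >= 4)` depends on that.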
@@ -651,9 +647,9 @@  _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr)
 
   ++cursor;
 
-  bfd_elf_parse_attr_section_v1 (abfd, hdr, cursor);
+  bfd_elf_parse_attr_section_v1 (abfd, cursor, data + hdr->sh_size);
 
-free_data:
+ free_data:
   free (data);
 }