bfd_reloc_offset_in_range overflow

Message ID YQ06cj0LAbP6eJBe@squeak.grove.modra.org
State New
Headers show
Series
  • bfd_reloc_offset_in_range overflow
Related show

Commit Message

Cooper Qu via Binutils Aug. 6, 2021, 1:34 p.m.
This patch is more about the style of bounds checking we ought to use,
rather than a real problem.  An overflow of "octet + reloc_size" can
only happen with huge sections which would certainly cause out of
memory errors.

	* reloc.c (bfd_reloc_offset_in_range): Avoid possible overflow.


-- 
Alan Modra
Australia Development Lab, IBM

Patch

diff --git a/bfd/reloc.c b/bfd/reloc.c
index 6d920e1df06..441ddd8fa2e 100644
--- a/bfd/reloc.c
+++ b/bfd/reloc.c
@@ -547,7 +547,7 @@  bfd_reloc_offset_in_range (reloc_howto_type *howto,
   /* The reloc field must be contained entirely within the section.
      Allow zero length fields (marker relocs or NONE relocs where no
      relocation will be performed) at the end of the section.  */
-  return octet <= octet_end && octet + reloc_size <= octet_end;
+  return octet <= octet_end && reloc_size <= octet_end - octet;
 }
 
 /* Read and return the section contents at DATA converted to a host