From 2f6ba62ed3825afa0d995e23d5bfe2fd8258bd00 Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Wed, 26 Oct 2022 11:26:34 +1030 Subject: [PATCH] som.c buffer overflow Fuzzed object files can put random values in bfd_reloc->address, leading to large som_reloc_skip output. * som.c (som_write_fixups): Allow for maximal som_reloc_skip. --- bfd/som.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/bfd/som.c b/bfd/som.c index 9b0a5513209..b9114e630fe 100644 --- a/bfd/som.c +++ b/bfd/som.c @@ -3005,10 +3005,12 @@ som_write_fixups (bfd *abfd, then dump the current buffer contents now. Also reinitialize the relocation queue. - No single BFD relocation could ever translate into more - than 100 bytes of SOM relocations (20bytes is probably the - upper limit, but leave lots of space for growth). */ - if (p - tmp_space + 100 > SOM_TMP_BUFSIZE) + A single BFD relocation would probably only ever + translate into at most 20 bytes of SOM relocations. + However with fuzzed object files and resulting silly + values for "skip" below, som_reloc_skip can emit 262 + bytes. Leave lots of space for growth. */ + if (p - tmp_space + 512 > SOM_TMP_BUFSIZE) { amt = p - tmp_space; if (bfd_bwrite ((void *) tmp_space, amt, abfd) != amt)