From: Alan Modra Date: Thu, 9 Jul 2020 03:48:37 +0000 (+0930) Subject: asan: readelf: heap buffer overflow in slurp_hppa_unwind_table X-Git-Url: http://drtracing.org/?a=commitdiff_plain;h=e3fdc001d359d6bcd033c1276c772e72d3f49078;p=deliverable%2Fbinutils-gdb.git asan: readelf: heap buffer overflow in slurp_hppa_unwind_table This one isn't just a weird corner case requiring multiple .PARISC.unwind sections in an object file to trigger the buffer overflow, it's also a simple bug that would prevent relocations being applied in the normal case of a single .PARISC.unwind section. * readelf (slurp_hppa_unwind_table): Set table_len before use in relocation sanity checks.
---
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 55a75afab5..a5d6fad92c 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,8 @@
+2020-07-09 Alan Modra
+
+ * readelf (slurp_hppa_unwind_table): Set table_len before use
+ in relocation sanity checks.
+
 2020-07-07 Alan Modra
 * testsuite/binutils-all/ar.exp: Use is_xcoff_format.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 41547a2594..0feeed9831 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -8253,6 +8253,7 @@ slurp_hppa_unwind_table (Filedata * filedata,
 nentries = size / unw_ent_size;
 size = unw_ent_size * nentries;
+ aux->table_len = nentries;
 tep = aux->table = (struct hppa_unw_table_entry *) xcmalloc (nentries, sizeof (aux->table[0]));
@@ -8372,8 +8373,6 @@ slurp_hppa_unwind_table (Filedata * filedata,
 free (rela);
 }
- aux->table_len = nentries;
-
 return TRUE;
 }
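Review bot: The added `aux->table_len = nentries;` in the first readelf.c hunk has no comment explaining why it must come this early, and that ordering is the entire fix. Per the commit message the relocation sanity checks read table_len, so a later cleanup that moves the assignment back to the end of the function would quietly bring the heap overflow back. I would put `/* Must be set before the relocation sanity checks below, which use table_len.  */` directly above the assignment. The code between the two hunks is not visible here, so it is also worth confirming that any early failure return after this point cannot leave a caller with a non-zero table_len next to a table it should not walk. slurp_hppa_unwind_table starts before this hunk and continues past it.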