From 7a5dd76f3c0ed63883726e8758856a226551e873 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Mon, 31 Aug 2020 14:31:55 +0930
Subject: [PATCH] PR26468 UBSAN: tc-mep.c:1684 left shift of negative value

	PR 26468
	* config/tc-mep.c (md_convert_frag): Use uint32_t for addend and
	other variables.
---
 gas/ChangeLog       | 6 ++++++
 gas/config/tc-mep.c | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/gas/ChangeLog b/gas/ChangeLog
index 9336a6152b..7b6b28dcf0 100644
--- a/gas/ChangeLog
+++ b/gas/ChangeLog
@@ -1,3 +1,9 @@
+2020-08-31  Alan Modra  <amodra@gmail.com>
+
+	PR 26468
+	* config/tc-mep.c (md_convert_frag): Use uint32_t for addend and
+	other variables.
+
 2020-08-31  Alan Modra  <amodra@gmail.com>
 
 	PR 26493
diff --git a/gas/config/tc-mep.c b/gas/config/tc-mep.c
index 6b52841fa9..e588a30afc 100644
--- a/gas/config/tc-mep.c
+++ b/gas/config/tc-mep.c
@@ -1617,7 +1617,7 @@ md_convert_frag (bfd *abfd  ATTRIBUTE_UNUSED,
 		 segT seg ATTRIBUTE_UNUSED,
 		 fragS *fragP)
 {
-  int addend, rn, bit = 0;
+  uint32_t addend, rn, bit = 0;
   int operand;
   int where = fragP->fr_opcode - fragP->fr_literal;
   int e = target_big_endian ? 0 : 1;
@@ -1697,7 +1697,7 @@ md_convert_frag (bfd *abfd  ATTRIBUTE_UNUSED,
 	/* The default relax_frag doesn't change the state if there is no
 	   growth, so we must manually handle converting out-of-range BEQ
 	   instructions to JMP.  */
-	if (addend <= 65535 && addend >= -65536)
+	if (addend + 65536 < 131071)
 	  {
 	    if (core_mode)
 	      fragP->fr_fix += 2;
-- 
2.34.1