= Location =
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/bfd/elf32-avr.c#L4026
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/bfd/elf32-avr.c#L4027
https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/bfd/elf32-avr.c#L4089

= Description =
Large section parameter to avr_elf32_load_records_from_section may cause OOM in heap allocation. Later on, it may read section data into the contents variable, which may be under-allocated via the size variable. This overwrites heap data, likely an adjacent chunk's metadata, and is potentially exploitable.

A second, restricted heap overwrite is caused by an off-by-one in the same function: a miscounted number of iterations of the for loop for (i = 0; i < record_count; ++i). It should stop at record_count-1. This is overwriting heap data, likely an adjacent chunk's metadata, and potentially exploitable.
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=31c711a2b302cf27f2cb4d5dd2c495407b384b94

commit 31c711a2b302cf27f2cb4d5dd2c495407b384b94
Author: Alan Modra <amodra@gmail.com>
Date: Thu Feb 11 16:56:22 2021 +1030

PR27294, avr OOM

PR 27294
* elf32-avr.c (avr_elf32_load_records_from_section): Use bfd_malloc_and_get_section. Use bfd_byte* vars and remove then unnecessary casts.
Fixed. I don't see a problem in the record_count loop.
My bad, it's not off-by-one. record_count is a user controlled input field, s.t. a malicious user could set the record_count for x counts to y and force a heap overwrite in https://sourcegraph.com/github.com/bminor/binutils-gdb@a7e3d08a26edefa411269636d7dcae7dd2736659/-/blob/bfd/elf32-avr.c#L4089
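The two checks this thread turns on, as an added example that is not code from binutils or from the thread's participants: a header-claimed section size is only honoured when the file actually holds that many bytes (the OOM / under-read case), and an input-controlled record_count is bounded by the bytes present before it drives an allocation or a loop. The record layout (a 4-byte little-endian count followed by 4-byte records) and the sample sections are constructed for the example; the real AVR property record format is not described on this page.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed layout (assumption for this example): a 4-byte little-endian
   record_count followed by record_count records of RECORD_SIZE bytes each. */
#define COUNT_FIELD_SIZE 4
#define RECORD_SIZE      4

static uint32_t get_le32(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
       | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Loads records without trusting header-supplied sizes.
   section_size: size claimed by the section header (input controlled).
   file_size:    bytes really present in the input.
   Returns 0 and stores a malloc'd array in *out (*count entries, NULL when
   *count is 0); returns -1 on any bounds failure and allocates nothing. */
int load_records_checked(const uint8_t *data, size_t section_size,
                         size_t file_size, uint32_t **out, size_t *count)
{
  *out = NULL;
  *count = 0;
  /* A claimed size larger than the file has no data behind it: allocating
     for it is the OOM, and reading into it cannot be satisfied. */
  if (section_size > file_size || section_size < COUNT_FIELD_SIZE)
    return -1;
  /* record_count comes from the input, so the loop bound is derived from
     the bytes that are present rather than from the field itself. */
  size_t record_count = get_le32(data);
  size_t available = (section_size - COUNT_FIELD_SIZE) / RECORD_SIZE;
  if (record_count > available)
    return -1;
  if (record_count == 0)
    return 0;
  /* No overflow here: record_count <= file_size / RECORD_SIZE. */
  uint32_t *recs = malloc(record_count * sizeof *recs);
  if (recs == NULL)
    return -1;
  for (size_t i = 0; i < record_count; ++i)
    recs[i] = get_le32(data + COUNT_FIELD_SIZE + i * RECORD_SIZE);
  *out = recs;
  *count = record_count;
  return 0;
}

/* Constructed samples: a well-formed section, and one whose record_count (9)
   claims more records than the 4 bytes that follow it. */
const uint8_t SAMPLE_GOOD[] = { 2,0,0,0, 0x11,0,0,0, 0x22,0,0,0 };
const uint8_t SAMPLE_BAD_COUNT[] = { 9,0,0,0, 0x11,0,0,0 };
```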