Small correction for the command line in my previous email: the readelf option uses two ASCII hyphen characters before sframe.
Exact representative command:

    ./build/binutils/readelf --sframe=.sframe hello.sframeoob

The attached REPRO.md in the previous email has the same ASCII command.

Thanks,
Chen Zhaoyang

On Wed, 3 Jun 2026 00:24:12 -0700, zhaoyang chen [email protected] wrote:

Hello GNU binutils maintainers,

I found several AddressSanitizer heap-buffer-overflow reads in readelf when decoding malformed .sframe sections with –sframe=.sframe.

Tested version: GNU Binutils 2.46.50.20260522
Commit: aeced13e
Tool: readelf
Component: libsframe/sframe.c
Environment: macOS ARM64, Apple Clang 17.0.0, ASan

Representative reproduction:

    ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 \
    ./build/binutils/readelf –sframe=.sframe hello.sframeoob

Observed ASan summary:

    ERROR: AddressSanitizer: heap-buffer-overflow
    READ of size 256
    1 sframe_decode sframe.c:1511
    2 display_sframe dwarf.c:8989
    3 display_debug_section readelf.c:18082
    allocated by:
    1 get_data readelf.c:555
    SUMMARY: AddressSanitizer: heap-buffer-overflow sframe.c:1511 in sframe_decode

Additional malformed SFrame inputs in the attached package exercise related boundary paths around FDE/FRE offsets and attributes:

- hello.sframe_fde_oob
- hello.sframe_fattr_oob
- hello.sframe_v2_fde_oob
- hello.sframe_fres_oob
- hello.sframe_freinfo_oob
- hello.sframe_offsets_oob
- hello.sframe_addr4_oob

The attached zip contains all inputs and a REPRO.md with exact commands.

Attachment SHA-256: 4a6a18b23967d9383c5c1de88d9a472fb132812a33bb5bd2e772f3a52fcfa399 binutils_readelf_sframe_poc.zip

Conservative impact: denial of service when a user or automation inspects a crafted ELF file with readelf.

Suggested fix direction: validate all SFrame offsets and entry sizes against the section buffer length before dereferencing or copying. Reject malformed FDE/FRE offsets that leave the get_data() allocation.

I also requested a Sourceware Bugzilla account today so I can file this in Bugzilla once the account is created.

Thanks,
Chen Zhaoyang
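The "suggested fix direction" in the quoted report (validate every offset and entry size against the section buffer length before reading) is illustrated below with an added example. This is editor-supplied code, not libsframe's or readelf's own; it uses a hypothetical 8-byte header format (u32 table offset, u32 entry count, 8-byte entries) and constructed 16-byte inputs, and shows the two checks that matter: the range check written with subtraction so that offset + size cannot wrap, and the count * entry_size multiplication checked for overflow before it is performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical view of one ELF section loaded into memory (constructed for
   this example; not a libsframe or readelf type). */
struct section_buf {
    const unsigned char *data;
    size_t len;
};

/* True if [off, off + size) lies entirely inside the buffer. Uses subtraction
   so that off + size can never wrap around for huge attacker-chosen values. */
static bool range_in_bounds(const struct section_buf *buf, size_t off, size_t size)
{
    if (off > buf->len)
        return false;
    return size <= buf->len - off;
}

/* Copy size bytes at off into dst, or refuse without touching memory outside
   the section buffer. */
static bool checked_copy(const struct section_buf *buf, size_t off, size_t size, void *dst)
{
    if (!range_in_bounds(buf, off, size))
        return false;
    memcpy(dst, buf->data + off, size);
    return true;
}

/* Bounds-checked little-endian 32-bit read. */
static bool read_u32_le(const struct section_buf *buf, size_t off, uint32_t *out)
{
    unsigned char b[4];
    if (!checked_copy(buf, off, sizeof b, b))
        return false;
    *out = (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return true;
}

/* True if a table of count entries of entry_size bytes at table_off fits in
   the section. The multiplication is checked before it is done. */
static bool table_in_bounds(const struct section_buf *buf, size_t table_off, size_t count, size_t entry_size)
{
    if (entry_size != 0 && count > SIZE_MAX / entry_size)
        return false;
    return range_in_bounds(buf, table_off, count * entry_size);
}

/* Hypothetical header: u32 table offset, u32 entry count, DEMO_ENTRY_SIZE-byte
   entries. Returns 0 when every entry is readable, -1 when the header or the
   table would reach outside the buffer. */
#define DEMO_ENTRY_SIZE 8

static int decode_demo_section(const struct section_buf *buf)
{
    uint32_t table_off, count;
    if (!read_u32_le(buf, 0, &table_off) || !read_u32_le(buf, 4, &count))
        return -1;                       /* header itself is truncated */
    if (!table_in_bounds(buf, table_off, count, DEMO_ENTRY_SIZE))
        return -1;                       /* table leaves the allocation */
    /* All per-entry reads below are now guaranteed to stay in bounds. */
    for (uint32_t i = 0; i < count; i++) {
        unsigned char entry[DEMO_ENTRY_SIZE];
        if (!checked_copy(buf, (size_t)table_off + (size_t)i * DEMO_ENTRY_SIZE, DEMO_ENTRY_SIZE, entry))
            return -1;
    }
    return 0;
}

/* Constructed inputs (not the reporter's files). */
static const unsigned char demo_good[16] = {
    8, 0, 0, 0,  1, 0, 0, 0,            /* table at 8, one entry: fits exactly */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
static const unsigned char demo_oob_count[16] = {
    8, 0, 0, 0,  2, 0, 0, 0,            /* claims two entries: 8 + 16 > 16 */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
static const unsigned char demo_oob_offset[16] = {
    0xff, 0xff, 0xff, 0xff,  1, 0, 0, 0, /* table offset far past the section */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };

static int decode_good(void)      { struct section_buf b = { demo_good, sizeof demo_good };             return decode_demo_section(&b); }
static int decode_oob_count(void) { struct section_buf b = { demo_oob_count, sizeof demo_oob_count };   return decode_demo_section(&b); }
static int decode_oob_offset(void){ struct section_buf b = { demo_oob_offset, sizeof demo_oob_offset }; return decode_demo_section(&b); }
static int decode_truncated(void) { struct section_buf b = { demo_good, 6 };                            return decode_demo_section(&b); }

int main(void)
{
    printf("good=%d oob_count=%d oob_offset=%d truncated=%d\n",
           decode_good(), decode_oob_count(), decode_oob_offset(), decode_truncated());
    return 0;
}
```

The order of checks is the point: the header is read with bounds-checked helpers, the whole table extent is validated once against the buffer length, and only then are individual entries copied, so a crafted count or offset is rejected with an error return rather than turning into a read past the get_data() allocation.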
