* srec.c (srec_get_section_contents): Return immediately on
authorAlan Modra <amodra@gmail.com>
Thu, 26 Jul 2007 12:34:43 +0000 (12:34 +0000)
committerAlan Modra <amodra@gmail.com>
Thu, 26 Jul 2007 12:34:43 +0000 (12:34 +0000)
count zero.  Check that offset and count are within section.
* libbfd.c (_bfd_generic_get_section_contents): Check that
offset + count does not overflow.

bfd/ChangeLog
bfd/libbfd.c
bfd/srec.c

index 9bef708..19a7c49 100644 (file)
@@ -1,5 +1,10 @@
 2007-07-26  Alan Modra  <amodra@bigpond.net.au>
 
+       * srec.c (srec_get_section_contents): Return immediately on
+       count zero.  Check that offset and count are within section.
+       * libbfd.c (_bfd_generic_get_section_contents): Check that
+       offset + count does not overflow.
+
        * srec.c (srec_canonicalize_symtab): Don't alloc when symcount
        is zero.  Correct return value on error.
        * mmo.c (mmo_canonicalize_symtab): Likewise.
index 33d9c01..bf49a2e 100644 (file)
@@ -820,7 +820,8 @@ _bfd_generic_get_section_contents (bfd *abfd,
     return TRUE;
 
   sz = section->rawsize ? section->rawsize : section->size;
-  if (offset + count > sz)
+  if (offset + count < count
+      || offset + count > sz)
     {
       bfd_set_error (bfd_error_invalid_operation);
       return FALSE;
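Review bot: The wraparound test `offset + count < count` is only reliable if the sum is computed in an unsigned type at least as wide as both operands. The srec.c hunk declares `offset` as `file_ptr` and `count` as `bfd_size_type`; the declarations for this function are outside the hunk, so the same types are assumed here. If `file_ptr` is signed and wider than `bfd_size_type` on some host, the addition is signed and its overflow is undefined rather than a detectable wrap. A form that never adds avoids the question: `if (offset < 0 || (bfd_size_type) offset > sz || count > sz - (bfd_size_type) offset)`. The same idiom appears in the srec_get_section_contents hunk in srec.c, with `section->size` as the limit.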
index a5f588c..ebb039b 100644 (file)
@@ -781,10 +781,20 @@ srec_get_section_contents (bfd *abfd,
                           file_ptr offset,
                           bfd_size_type count)
 {
+  if (count == 0)
+    return TRUE;
+
+  if (offset + count < count
+      || offset + count > section->size)
+    {
+      bfd_set_error (bfd_error_invalid_operation);
+      return FALSE;
+    }
+
   if (section->used_by_bfd == NULL)
     {
       section->used_by_bfd = bfd_alloc (abfd, section->size);
-      if (section->used_by_bfd == NULL && section->size != 0)
+      if (section->used_by_bfd == NULL)
        return FALSE;
 
       if (! srec_read_section (abfd, section, section->used_by_bfd))
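Review bot: Dropping `&& section->size != 0` from the allocation check is only safe because of the new early checks above it, and nothing in the code says so. With `count != 0` and `offset + count <= section->size` already established, `section->size` cannot be zero at the `bfd_alloc` call, so a NULL return there is presumably always a real failure. A comment before the `if`, such as `/* count != 0 and the range check above imply section->size != 0, so NULL here is an allocation failure. */`, would keep a later reordering from reintroducing the zero-size case. The function body continues past the end of this hunk, so the copy that relies on the range check is not visible here.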