From 4e5cb37e7f3403d5398a323566ff9c995f0c9a81 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 22 Jan 2015 12:06:04 +0000
Subject: [PATCH] Fixes memory access violations triggered by running dlltool on fuzzed binaries.
PR binutils/17512
* coffcode.h (handle_COMDAT): When searching for the section symbol, make sure that there is space left in the symbol table.
* vms-alpha.c (_bfd_vms_slurp_ehdr): Add range checks.
---
 bfd/ChangeLog | 7 +++++++
 bfd/coffcode.h | 7 +++++++
 bfd/vms-alpha.c | 18 ++++++++++++++++++
 3 files changed, 32 insertions(+)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index ceb77ff..bd2f0c1 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2015-01-22 Nick Clifton
+
+ PR binutils/17512
+ * coffcode.h (handle_COMDAT): When searching for the section
+ symbol, make sure that there is space left in the symbol table.
+ * vms-alpha.c (_bfd_vms_slurp_ehdr): Add range checks.
+
 2015-01-21 Nick Clifton
 PR binutils/17512
diff --git a/bfd/coffcode.h b/bfd/coffcode.h
index 181f9af..76e5873 100644
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -1009,6 +1009,13 @@ handle_COMDAT (bfd * abfd,
 seen_state = 1;
+ /* PR 17512: file: e2cfe54f. */
+ if (esym + bfd_coff_symesz (abfd) >= esymend)
+ {
+ _bfd_error_handler (_("%B: warning: No symbol for section '%s' found"),
+ abfd, symname);
+ break;
+ }
 /* This is the section symbol. */
 bfd_coff_swap_aux_in (abfd, (esym + bfd_coff_symesz (abfd)),
 isym.n_type, isym.n_sclass,
diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
index faddf7c..9576607 100644
--- a/bfd/vms-alpha.c
+++ b/bfd/vms-alpha.c
@@ -859,9 +859,12 @@ _bfd_vms_slurp_ehdr (bfd *abfd)
 {
 unsigned char *ptr;
 unsigned char *vms_rec;
+ unsigned char *end;
 int subtype;
 vms_rec = PRIV (recrd.rec);
+ /* PR 17512: file: 62736583. */
+ end = PRIV (recrd.buf) + PRIV (recrd.buf_size);
 vms_debug2 ((2, "HDR/EMH\n"));
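Review bot: The new guard in handle_COMDAT only establishes that `esym + bfd_coff_symesz (abfd)` lies below `esymend`, while the read it protects, `bfd_coff_swap_aux_in`, consumes a whole auxiliary entry starting at that address; this is sufficient only if the table is a whole number of `symesz`-sized entries and an aux entry is no larger than a symbol entry, which is presumably true for the COFF targets involved but is stated nowhere. A one-line comment would make the reasoning checkable, e.g. `/* The table is a whole number of symesz entries, so a start address below esymend means the aux entry following esym is fully in range.  */`. On the failure path the code warns and `break`s with `seen_state` already set to 1 and no aux data read; whether the surrounding loop copes with that state cannot be judged here, since handle_COMDAT's body begins and ends outside the hunk.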
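Review bot: `end` is derived from `recrd.buf` and `recrd.buf_size`, so it bounds the whole read buffer rather than the current record; the range checks built on it stop the out-of-bounds access, but a record shorter than its declared fields can still be parsed from whatever bytes follow it in the buffer. If that is the intended trade-off, a comment should say so, e.g. `/* Bounds below are checked against the buffer, not the record; a short record is rejected only when it would run off the buffer.  */`. The later `PRIV (recrd.rec_size - 6)` suggests rec_size counts a 6-byte header not included in vms_rec, so a record-relative bound would need that offset accounted for; the relation between rec, rec_size and buf is set up outside this hunk. _bfd_vms_slurp_ehdr's body continues past this hunk.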
@@ -873,28 +876,42 @@ _bfd_vms_slurp_ehdr (bfd *abfd)
 {
 case EMH__C_MHD: /* Module header. */
+ if (vms_rec + 21 >= end)
+ goto fail;
 PRIV (hdr_data).hdr_b_strlvl = vms_rec[6];
 PRIV (hdr_data).hdr_l_arch1 = bfd_getl32 (vms_rec + 8);
 PRIV (hdr_data).hdr_l_arch2 = bfd_getl32 (vms_rec + 12);
 PRIV (hdr_data).hdr_l_recsiz = bfd_getl32 (vms_rec + 16);
+ if ((vms_rec + 20 + vms_rec[20] + 1) >= end)
+ goto fail;
 PRIV (hdr_data).hdr_t_name = _bfd_vms_save_counted_string (vms_rec + 20);
 ptr = vms_rec + 20 + vms_rec[20] + 1;
+ if ((ptr + *ptr + 1) >= end)
+ goto fail;
 PRIV (hdr_data).hdr_t_version =_bfd_vms_save_counted_string (ptr);
 ptr += *ptr + 1;
+ if (ptr + 17 >= end)
+ goto fail;
 PRIV (hdr_data).hdr_t_date = _bfd_vms_save_sized_string (ptr, 17);
 break;
 case EMH__C_LNM:
+ if (vms_rec + PRIV (recrd.rec_size - 6) > end)
+ goto fail;
 PRIV (hdr_data).hdr_c_lnm = _bfd_vms_save_sized_string (vms_rec, PRIV (recrd.rec_size - 6));
 break;
 case EMH__C_SRC:
+ if (vms_rec + PRIV (recrd.rec_size - 6) > end)
+ goto fail;
 PRIV (hdr_data).hdr_c_src = _bfd_vms_save_sized_string (vms_rec, PRIV (recrd.rec_size - 6));
 break;
 case EMH__C_TTL:
+ if (vms_rec + PRIV (recrd.rec_size - 6) > end)
+ goto fail;
 PRIV (hdr_data).hdr_c_ttl = _bfd_vms_save_sized_string (vms_rec, PRIV (recrd.rec_size - 6));
 break;
@@ -905,6 +922,7 @@ _bfd_vms_slurp_ehdr (bfd *abfd)
 break;
 default:
+ fail:
 bfd_set_error (bfd_error_wrong_format);
 return FALSE;
 }
-- 
2.7.4
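Review bot: The MHD-case checks use `>=` while the LNM/SRC/TTL checks use `>`, and nothing explains the difference; for the reads that follow `vms_rec + 21` and `ptr + 17` (bytes up to `vms_rec[20]` and `ptr[16]`), `>` is the exact bound, so the strict form also rejects a record whose last field ends exactly at `end`. The second check, `(vms_rec + 20 + vms_rec[20] + 1) >= end`, is the one that genuinely must stay strict, because it is what keeps `ptr` itself below `end` before `*ptr` is dereferenced in the next check; a comment there would spare the next reader the derivation, e.g. `/* Strict: ptr (computed next) must itself be readable before *ptr is used.  */`. In the three sized-string cases `PRIV (recrd.rec_size - 6)` is formed without first establishing `rec_size >= 6`; if rec_size is unsigned, a smaller value wraps and the bound test can pass, so guarding with `if (PRIV (recrd.rec_size) < 6) goto fail;` would be the safer form unless an earlier check outside this hunk already rules it out. The enclosing switch and function extend beyond the hunk on both sides.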
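Review bot: Placing `fail:` directly under `default:` makes an unknown subtype and a truncated record indistinguishable, both reporting `bfd_error_wrong_format`, and the label carries no explanation of why control arrives there. A comment on the label would help, e.g. `/* Also reached via goto from the range checks above when a record is too short.  */`. Whether the goto path should instead report `bfd_error_file_truncated` is a judgement call for the maintainers, since the caller may key on wrong_format. _bfd_vms_slurp_ehdr's body begins before this hunk.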