From 52b36c51e5bf6d7600fdc6ba115b170b0e78e31d Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sun, 24 Sep 2017 21:36:18 +0930
Subject: [PATCH] PR22197, buffer overflow in bfd_get_debug_link_info_1

	PR 22197
	* opncls.c (bfd_get_debug_link_info_1): Properly check that crc is
	within section bounds.
---
 bfd/ChangeLog | 6 ++++++
 bfd/opncls.c  | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index c465462..92a6c27 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,11 @@
 2017-09-24  Alan Modra  <amodra@gmail.com>
 
+	PR 22197
+	* opncls.c (bfd_get_debug_link_info_1): Properly check that crc is
+	within section bounds.
+
+2017-09-24  Alan Modra  <amodra@gmail.com>
+
 	PR 22191
 	* dwarf2.c (decode_line_info): Properly free line sequences on error.
 
diff --git a/bfd/opncls.c b/bfd/opncls.c
index fa54986..8550623 100644
--- a/bfd/opncls.c
+++ b/bfd/opncls.c
@@ -1200,7 +1200,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
   /* PR 17597: avoid reading off the end of the buffer.  */
   crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
   crc_offset = (crc_offset + 3) & ~3;
-  if (crc_offset >= bfd_get_section_size (sect))
+  if (crc_offset + 4 > bfd_get_section_size (sect))
     return NULL;
 
   *crc32 = bfd_get_32 (abfd, contents + crc_offset);
-- 
2.7.4