From 6077de0645ce12a9c4e99f8839a846b42a535b0a Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Wed, 20 Jun 2018 16:30:05 +0100
Subject: [PATCH] Fix potential illegal memroy access when using a build-id
 note with a negative size.

	PR 23316
	* opncls.c (get_build_id): Check for a negative or excessive data
	size in the build-id note.
---
 bfd/ChangeLog | 6 ++++++
 bfd/opncls.c  | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 110115c..bdbdf69 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -12,6 +12,12 @@
 
 2018-06-20  Nick Clifton  <nickc@redhat.com>
 
+	PR 23316
+	* opncls.c (get_build_id): Check for a negative or excessive data
+	size in the build-id note.
+
+2018-06-20  Nick Clifton  <nickc@redhat.com>
+
 	PR 23299
 	* mach-o.c (cputype): New function.
 	(cpusubtype): New function.
diff --git a/bfd/opncls.c b/bfd/opncls.c
index 16b568c..e275045 100644
--- a/bfd/opncls.c
+++ b/bfd/opncls.c
@@ -1877,10 +1877,11 @@ get_build_id (bfd *abfd)
   inote.descdata = inote.namedata + BFD_ALIGN (inote.namesz, 4);
   /* FIXME: Should we check for extra notes in this section ?  */
 
-  if (inote.descsz == 0
+  if (inote.descsz <= 0
       || inote.type != NT_GNU_BUILD_ID
       || inote.namesz != 4 /* sizeof "GNU"  */
       || strncmp (inote.namedata, "GNU", 4) != 0
+      || inote.descsz > 0x7ffffffe
       || size < (12 + BFD_ALIGN (inote.namesz, 4) + inote.descsz))
     {
       free (contents);
-- 
2.7.4