From 76800cba595efc3fe95a446c2d664e42ae4ee869 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 15 Jun 2017 12:08:57 +0100
Subject: [PATCH] Handle EITR records in VMS Alpha binaries with overlarge command length parameters.
PR binutils/21579
* vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length.
---
 bfd/ChangeLog | 5 +++++
 bfd/vms-alpha.c | 16 ++++++++--------
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index bf7447c..f39dd09 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,8 @@
+2017-06-15 Nick Clifton
+
+ PR binutils/21579
+ * vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length.
+
 2017-06-14 Max Filippov
 * elf32-xtensa.c (elf_xtensa_be_plt_entry,
diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
index 0c2b546..38237cd 100644
--- a/bfd/vms-alpha.c
+++ b/bfd/vms-alpha.c
@@ -1745,14 +1745,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct bfd_link_info *info)
 ptr += 4;
-#if VMS_DEBUG
- _bfd_vms_debug (4, "etir: %s(%d)\n",
- _bfd_vms_etir_name (cmd), cmd);
- _bfd_hexdump (8, ptr, cmd_length - 4, 0);
-#endif
-
- /* PR 21589: Check for a corrupt ETIR record. */
- if (cmd_length < 4)
+ /* PR 21589 and 21579: Check for a corrupt ETIR record. */
+ if (cmd_length < 4 || (ptr + cmd_length > maxptr + 4))
 {
 corrupt_etir:
 _bfd_error_handler (_("Corrupt ETIR record encountered"));
@@ -1760,6 +1754,12 @@ _bfd_vms_slurp_etir (bfd *abfd, struct bfd_link_info *info)
 return FALSE;
 }
+#if VMS_DEBUG
+ _bfd_vms_debug (4, "etir: %s(%d)\n",
+ _bfd_vms_etir_name (cmd), cmd);
+ _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+#endif
+
 switch (cmd)
 {
 /* Stack global
--
2.7.4
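Review bot: The new bounds test in the first vms-alpha.c hunk, `ptr + cmd_length > maxptr + 4`, is evaluated in pointer arithmetic, so for exactly the oversized cmd_length it is meant to reject it forms a pointer beyond the end of the record buffer; that is undefined behaviour in C, and if the sum wraps on a host with a small address space the comparison could pass. Comparing the remaining byte count avoids this, e.g. `if (cmd_length < 4 || maxptr - ptr < (ptrdiff_t) (cmd_length - 4))`, which is the same condition while both pointers are in range and also rejects a ptr that is already past maxptr. The declarations of cmd_length and maxptr, and the read of the header fields before `ptr += 4`, lie outside the hunk, so it cannot be confirmed from here that the header read itself is bounded by maxptr; that is worth checking alongside this change. The comment would also benefit from saying why the `+ 4` is there, presumably `/* ptr has already been advanced past the 4-byte header that cmd_length includes.  */`.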