From 906799036a9bcc2b6f27fbcf894092bdc03f6da9 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 7 Aug 2019 11:50:28 +0930
Subject: [PATCH] PR24876, readelf: heap-buffer-overflow in dump_ia64_unwind

	PR 24876
	* readelf.c (dump_ia64_unwind): Check that buffer is large
	enough for "stamp" before reading.
---
 binutils/ChangeLog | 6 ++++++
 binutils/readelf.c | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 411f835..f60d5ff 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2019-08-07  Alan Modra  <amodra@gmail.com>
+
+	PR 24876
+	* readelf.c (dump_ia64_unwind): Check that buffer is large
+	enough for "stamp" before reading.
+
 2019-08-05  Nick Clifton  <nickc@redhat.com>
 
 	PR 24874
diff --git a/binutils/readelf.c b/binutils/readelf.c
index e785fde..5e18734 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -7574,7 +7574,8 @@ dump_ia64_unwind (Filedata * filedata, struct ia64_unw_aux_info * aux)
 	}
       offset -= aux->info_addr;
       /* PR 17531: file: 0997b4d1.  */
-      if (offset >= aux->info_size)
+      if (offset >= aux->info_size
+	  || aux->info_size - offset < 8)
 	{
 	  warn (_("Invalid offset %lx in table entry %ld\n"),
 		(long) tp->info.offset, (long) (tp - aux->table));
-- 
2.7.4