From a6f921c87700c2349cf6fa35fbc8ec9d3e3fb88e Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Wed, 5 Nov 2014 17:57:54 +0000
Subject: [PATCH] More fixes for memory problems uncovered by file fuzzers.

PR binutils/17512
* coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT.
Replace another abort with an error message.
(coff_slurp_line_table): Add more range checking.
* peXXigen.c (pe_print_debugdata): Add range checking.
---
 bfd/ChangeLog | 8 ++++++++
 bfd/coffcode.h | 21 ++++++++++++++-------
 bfd/peXXigen.c | 6 ++++++
 3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 721db9b..16724b3 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2014-11-04 Nick Clifton
+
+ PR binutils/17512
+ * coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT.
+ Replace another abort with an error message.
+ (coff_slurp_line_table): Add more range checking.
+ * peXXigen.c (pe_print_debugdata): Add range checking.
+
 2014-11-05 James Cowgill
 * elfxx-mips.c (_bfd_mips_elf_finish_dynamic_sections): Fix segfault
diff --git a/bfd/coffcode.h b/bfd/coffcode.h
index ab76083..1ca28b8 100644
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -928,12 +928,7 @@ handle_COMDAT (bfd * abfd,
 bfd_coff_swap_sym_in (abfd, esym, & isym);
- if (sizeof (internal_s->s_name) > SYMNMLEN)
- {
- /* This case implies that the matching symbol name will be in the string table. */
- abort ();
- }
+ BFD_ASSERT (sizeof (internal_s->s_name) <= SYMNMLEN);
 if (isym.n_scnum == section->target_index)
 {
@@ -964,8 +959,12 @@ handle_COMDAT (bfd * abfd,
 /* All 3 branches use this. */
 symname = _bfd_coff_internal_syment_name (abfd, &isym, buf);
+ /* PR 17512 file: 078-11867-0.004 */
 if (symname == NULL)
- abort ();
+ {
+ _bfd_error_handler (_("%B: unable to load COMDAT section name"), abfd);
+ break;
+ }
 switch (seen_state)
 {
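Review bot: `sizeof (internal_s->s_name) <= SYMNMLEN` compares two compile-time constants, so the new BFD_ASSERT in handle_COMDAT re-evaluates a fixed invariant once per symbol inside the loop, and because BFD_ASSERT only reports and continues, a build in which it fails keeps going with the string-table case the removed abort refused to handle. A static assertion, or a single BFD_ASSERT placed before the loop, states the invariant once and makes its compile-time nature obvious; the enclosing loop begins and ends outside the hunk.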
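Review bot: The new `symname == NULL` path in the second handle_COMDAT hunk reports through `_bfd_error_handler` and then `break`s without recording an error, so unless the code after the loop (outside the hunk) does it, the caller sees handle_COMDAT finish normally with the section's COMDAT information unset. Adding `bfd_set_error (bfd_error_bad_value);` before the `break` lets callers that check bfd_get_error distinguish a truncated parse from success. The `break` sits in an `if` ahead of the `switch`, so it leaves the enclosing loop rather than the switch; a comment such as `/* Give up on this section's symbols; its COMDAT entry stays unfilled.  */` would make that intent clear to the next reader.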
@@ -4578,6 +4577,13 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
 sym = ((coff_symbol_type *) ((symndx + obj_raw_syments (abfd)) ->u.syment._n._n_n._n_zeroes));
+
+ /* PR 17512 file: 078-10659-0.004 */
+ if (sym < obj_symbols (abfd) || sym > obj_symbols (abfd) + obj_raw_syment_count (abfd) * sizeof (coff_symbol_type))
+ sym = NULL;
+
 cache_ptr->u.sym = (asymbol *) sym;
 if (sym == NULL)
 continue;
@@ -4599,6 +4605,7 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
 cache_ptr++;
 src++;
 }
+ cache_ptr->line_number = 0;
 bfd_release (abfd, native_lineno);
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index d031430..25f7273 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -2573,6 +2573,12 @@ pe_print_debugdata (bfd * abfd, void * vfile)
 dataoff = addr - section->vma;
+ if (size > (section->size - dataoff))
+ {
+ fprintf (file, _("The debug data size field in the data directory is too big for the section"));
+ return FALSE;
+ }
+
 fprintf (file, _("Type Size Rva Offset\n"));
--
2.7.4
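Review bot: The upper bound added in coff_slurp_line_table appears to be scaled twice: if `obj_symbols (abfd)` is a `coff_symbol_type *`, pointer arithmetic already multiplies by the element size, so adding `obj_raw_syment_count (abfd) * sizeof (coff_symbol_type)` puts the limit far beyond the real end of the array and the check rejects almost nothing; the comparison should also be `>=`, since one-past-the-end is not a usable entry. I would write the second condition as `|| sym >= obj_symbols (abfd) + obj_raw_syment_count (abfd))`. Separately, the context line `(symndx + obj_raw_syments (abfd))->u.syment...` is read before any validation, so a corrupt `symndx` from a fuzzed line table is dereferenced out of bounds before `sym` is ever range-checked; comparing `symndx` against `obj_raw_syment_count (abfd)` first and setting `sym = NULL` when it is out of range closes that window. `symndx` is computed outside the hunk.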
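Review bot: The terminator `cache_ptr->line_number = 0;` in the second coff_slurp_line_table hunk writes one entry past the last record copied by the loop, so the `alent` buffer that `cache_ptr` walks must have been allocated with one spare slot; that allocation is outside the hunk, and if it sizes the buffer by the raw line count this sentinel becomes its own out-of-bounds write. A comment on the new line such as `/* Terminate the table; the cache must hold one entry more than the line count.  */` documents the dependency, assuming the allocation does reserve that entry, which is worth confirming.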
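Review bot: In pe_print_debugdata the new guard `size > (section->size - dataoff)` does not cover `dataoff` itself being past the end of the section: if these are unsigned BFD types the subtraction wraps to a very large value and the check passes, and `dataoff = addr - section->vma` on the line above is only sound if the caller has already established that `addr` lies inside `section`, which is outside the hunk. `if (dataoff > section->size || size > section->size - dataoff)` rejects both an out-of-section offset and an oversized length. The new message also lacks the trailing `\n` that the neighbouring `Type ... Offset\n` header carries, so it runs into whatever is printed next.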