From f55b1e3248e4950464ea120027cc6881003e0ead Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Fri, 15 Mar 2019 15:49:27 +1030
Subject: [PATCH] PR24336, buffer overflow in swap_reloca_in
PR 24336
* elflink.c (elf_link_read_relocs_from_section): Handle fuzzed
object files with sh_size not a multiple of sh_entsize.
---
bfd/ChangeLog | 6 ++++++
bfd/elflink.c | 6 ++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index a072ade..b1011b1 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2019-03-15 Alan Modra
+
+ PR 24336
+ * elflink.c (elf_link_read_relocs_from_section): Handle fuzzed
+ object files with sh_size not a multiple of sh_entsize.
+
 2019-03-15 H.J. Lu
 PR ld/24338
diff --git a/bfd/elflink.c b/bfd/elflink.c
index 3413726..2600c39 100644
--- a/bfd/elflink.c
+++ b/bfd/elflink.c
@@ -2523,9 +2523,11 @@ elf_link_read_relocs_from_section (bfd *abfd,
 }
 erela = (const bfd_byte *) external_relocs;
- erelaend = erela + shdr->sh_size;
+ /* Setting erelaend like this and comparing with <= handles case of
+ a fuzzed object with sh_size not a multiple of sh_entsize. */
+ erelaend = erela + shdr->sh_size - shdr->sh_entsize;
 irela = internal_relocs;
- while (erela < erelaend)
+ while (erela <= erelaend)
 {
 bfd_vma r_symndx;
--
2.7.4
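Review bot: The new end-pointer expression on the `erelaend = erela + shdr->sh_size - shdr->sh_entsize;` line is still unsafe when a fuzzed header has sh_size smaller than sh_entsize (including zero): the unsigned subtraction wraps and the pointer is formed outside the external_relocs buffer, which is undefined behaviour even though the `<=` test will normally then come out false. A count-based bound avoids both the wrap and the non-obvious `<=` idiom: `bfd_size_type nrel = shdr->sh_size / shdr->sh_entsize;`, `erelaend = erela + nrel * shdr->sh_entsize;`, and keep the original `while (erela < erelaend)`. This presumes sh_entsize was already checked to be non-zero for SHT_REL/SHT_RELA sections when the section header was read; that check is not visible in this hunk and should be confirmed, since the loop's step (outside the hunk) presumably advances by sh_entsize and would not terminate with zero. The enclosing function elf_link_read_relocs_from_section begins and ends outside the hunk.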