From ffc0f143c74a7d49f6d1ae3f835e404ef4e56772 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Fri, 13 Feb 2015 14:17:18 +0000
Subject: [PATCH] Fixes for memory access violations triggered by running
 readelf on fuzzed binaries.

	PR binutils/17531
	* dwarf.c (display_debug_aranges): Add check for an excessive
	ar_length value.
	(process_cu_tu_index): Check for a row * columns sum being too
	large.
---
 binutils/ChangeLog |  6 ++++++
 binutils/dwarf.c   | 17 +++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 4325f3a..4f45265 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -8,6 +8,12 @@
 	available before parsing.
 	(prescan): Likewise.
 
+	PR binutils/17531
+	* dwarf.c (display_debug_aranges): Add check for an excessive
+	ar_length value.
+	(process_cu_tu_index): Check for a row * columns sum being too
+	large.
+
 2015-02-13  Alan Modra  <amodra@gmail.com>
 
 	* dwarf.c: Formatting, whitespace.
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 936f634..272b41f 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -4923,7 +4923,13 @@ display_debug_aranges (struct dwarf_section *section,
       if (excess)
 	addr_ranges += (2 * address_size) - excess;
 
-      start += arange.ar_length + initial_length_size;
+      hdrptr = start + arange.ar_length + initial_length_size;
+      if (hdrptr < start || hdrptr > end)
+	{
+	  error (_("Excessive header length: %lx\n"), (long) arange.ar_length);
+	  break;
+	}
+      start = hdrptr;
 
       while (addr_ranges + 2 * address_size <= start)
 	{
@@ -7084,7 +7090,14 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
 		memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
 
 	      prow = poffsets + (row - 1) * ncols * 4;
-
+	      /* PR 17531: file: b8ce60a8.  */
+	      if (prow < poffsets || prow > limit)
+		{
+		  warn (_("Row index (%u) * num columns (%u) > space remaining in section\n"),
+			row, ncols);
+		  return 0;
+		}
+ 
 	      if (do_display)
 		printf (_("  [%3d] 0x%s"),
 			i, dwarf_vmatoa64 (signature_high, signature_low,
-- 
2.7.4