commit bc21b167eb0106eb31d946a0eb5acfb7e4d5d8a1
Author: Nick Clifton
Date: Mon Jun 19 14:52:36 2017 +0100

Fix address violations when reading corrupt VMS records.

PR binutils/21618
* vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
length.
(evax_bfd_print_eeom): Likewise.
(evax_bfd_print_egsd): Check for an overlarge record length.
(evax_bfd_print_etir): Likewise.

Upstream-Status: Backport
CVE: CVE-2017-12449_12455_12457
Signed-off-by: Thiruvadi Rajaraman

Index: git/bfd/vms-alpha.c
===================================================================
--- git.orig/bfd/vms-alpha.c 2017-08-30 17:08:27.408159234 +0530
+++ git/bfd/vms-alpha.c 2017-08-30 17:12:07.289044702 +0530
@@ -5567,6 +5567,13 @@
 
 fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
 
+ /* PR 21618: Check for invalid lengths. */
+ if (rec_len < sizeof (* emh))
+ {
+ fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
+ return;
+ }
+
 switch (subtype)
 {
 case EMH__C_MHD:
@@ -5630,6 +5637,14 @@
 struct vms_eeom *eeom = (struct vms_eeom *)rec;
 
 fprintf (file, _(" EEOM (len=%u):\n"), rec_len);
+
+ /* PR 21618: Check for invalid lengths. */
+ if (rec_len < sizeof (* eeom))
+ {
+ fprintf (file, _(" Error: The length is less than the length of an EEOM record\n"));
+ return;
+ }
+
 fprintf (file, _(" number of cond linkage pairs: %u\n"),
 (unsigned)bfd_getl32 (eeom->total_lps));
 fprintf (file, _(" completion code: %u\n"),
@@ -5718,6 +5733,12 @@
 n, type, len);
 n++;
 
+ if (off + len > rec_len || off + len < off)
+ {
+ fprintf (file, _(" Error: length larger than remaining space in record\n"));
+ return;
+ }
+
 switch (type)
 {
 case EGSD__C_PSC:
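Review bot: The guard added to evax_bfd_print_emh only proves that the common header fits (`rec_len < sizeof (* emh)`), while the `case EMH__C_MHD:` branch that follows — its body lies outside this hunk — presumably casts `rec` to a larger, subtype-specific structure and reads fields past the common header. If that is so, each subtype case still needs its own `if (rec_len < sizeof (*<subtype struct>)) { fprintf (...); return; }` before touching its fields, otherwise the over-read this commit targets merely moves a few bytes further in. The comment would then be clearer as `/* PR 21618: the common header must fit; each subtype must check its own size.  */`. The switch continues past the end of the hunk.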
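Review bot: In the evax_bfd_print_egsd hunk the new check bounds the entry body, but `type` and `len` have already been read from the entry header before it runs, and the loop header that guarantees how many bytes remain at `off` is outside the hunk; unless that loop condition already requires a full header, the two-byte field reads themselves can still overrun. The check also accepts `len == 0` and any `len` smaller than the entry header, which cannot be a valid entry and, if the loop advances by `len` (not visible here), would never make progress. A stricter single line covers both: `if (len < sizeof (struct vms_egsd_entry) || off + len > rec_len || off + len < off)`, ideally placed before the header fields are decoded. The enclosing loop starts and ends outside the hunk.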
@@ -5958,6 +5979,12 @@
 size = bfd_getl16 (etir->size);
 buf = rec + off + sizeof (struct vms_etir);
 
+ if (off + size > rec_len || off + size < off)
+ {
+ fprintf (file, _(" Error: length larger than remaining space in record\n"));
+ return;
+ }
+
 fprintf (file, _(" (type: %3u, size: 4+%3u): "), type, size - 4);
 switch (type)
 {
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-08-30 17:08:43.612213596 +0530
+++ git/bfd/ChangeLog 2017-08-30 17:13:27.217438742 +0530
@@ -5,6 +5,15 @@
 correct magic bytes at the start, set the error to wrong format and
 clear the format selector before returning NULL.
 
+ 2017-06-19 Nick Clifton
+
+ PR binutils/21618
+ * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
+ length.
+ (evax_bfd_print_eeom): Likewise.
+ (evax_bfd_print_egsd): Check for an overlarge record length.
+ (evax_bfd_print_etir): Likewise.
+
 2017-04-25 Maciej W. Rozycki
 
 * readelf.c (process_mips_specific): Remove error reporting from
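Review bot: The new check in evax_bfd_print_etir admits a `size` smaller than the four-byte `struct vms_etir` header: `size - 4` in the fprintf on the next line then wraps (unsigned) and prints a huge value, and `buf`, already set to `rec + off + sizeof (struct vms_etir)`, points past the entry that `size` describes, so the per-type readers in the switch below (outside the hunk) still have no valid payload to work with. The guard should reject the undersized header as well: `if (size < sizeof (struct vms_etir) || off + size > rec_len || off + size < off)`. The same header-fits-first concern applies to the EGSD hunk in this patch. The enclosing loop starts and ends outside the hunk.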