commit cfd14a500e0485374596234de4db10e88ebc7618 Author: Nick Clifton Date: Mon Jun 26 15:25:08 2017 +0100 Fix address violations when atempting to parse fuzzed binaries. PR binutils/21665 * compress.c (bfd_get_full_section_contents): Check for and reject a section whoes size is greater than the size of the entire file. * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not contain a notes section. binutils* objdump.c (disassemble_section): Skip any section that is bigger than the entire file. Upstream-Status: Backport CVE: CVE-2017-9955 Signed-off-by: Thiruvadi Rajaraman
Index: git/bfd/compress.c
===================================================================
--- git.orig/bfd/compress.c 2017-09-21 17:32:51.645611404 +0530
+++ git/bfd/compress.c 2017-09-21 17:32:52.965622987 +0530
@@ -239,6 +239,12 @@
 *ptr = NULL;
 return TRUE;
 }
+ else if (bfd_get_file_size (abfd) > 0 && sz > (bfd_size_type) bfd_get_file_size (abfd))
+ {
+ *ptr = NULL;
+ return FALSE;
+ }
 switch (sec->compress_status)
 {
Index: git/bfd/elf32-v850.c
===================================================================
--- git.orig/bfd/elf32-v850.c 2017-09-21 17:32:35.053465773 +0530
+++ git/bfd/elf32-v850.c 2017-09-21 17:32:52.965622987 +0530
@@ -2448,7 +2448,9 @@
 BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
 if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
- BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
+ /* If the output is being stripped then it is possible for the notes section to disappear. In this case do nothing. */
+ return;
 /* Copy/overwrite notes from the input to the output. */
 memcpy (ocont, icont, bfd_section_size (obfd, onotes));
Index: git/binutils/objdump.c
===================================================================
--- git.orig/binutils/objdump.c 2017-09-21 17:32:52.337617476 +0530
+++ git/binutils/objdump.c 2017-09-21 17:32:52.965622987 +0530
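Review bot: The added reject path in bfd_get_full_section_contents returns FALSE without recording an error, so a caller that fails here and consults bfd_get_error() sees whatever error was last set rather than a truncation error; add `bfd_set_error (bfd_error_file_truncated);` before the new `return FALSE;`. The condition also calls bfd_get_file_size twice; if that function stats the file on each call, caching the result in a local once avoids the repeated syscall and keeps the `> 0` guard and the comparison reading the same value. The size test is applied to every section, so it is worth confirming that sections with no file-backed contents (SEC_HAS_CONTENTS clear, or linker-created sections) cannot legitimately exceed the file size, since they would now be rejected too. The enclosing function starts before and ends after this hunk.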
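Review bot: The new `return;` in v850_elf_copy_notes leaks the buffer that the preceding `bfd_malloc_and_get_section (ibfd, inotes, & icont)` allocates when the input notes had no cached contents; assuming that call is guarded by the same `this_hdr.contents == NULL` test shown for onotes, free it on the new early exit, e.g. `if (elf_section_data (inotes)->this_hdr.contents == NULL) free (icont);` before the `return;`. The memcpy on the following context line still copies `bfd_section_size (obfd, onotes)` bytes out of icont with no comparison against the input section's size, which this change does not touch; if the two sections can differ in size on a corrupt input, a length check there would close the remaining over-read. The enclosing function begins and ends outside this hunk.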
@@ -1973,7 +1973,7 @@
 return;
 datasize = bfd_get_section_size (section);
- if (datasize == 0)
+ if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
 return;
 if (start_address == (bfd_vma) -1
@@ -2839,7 +2839,7 @@
 static void dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED)
 {
- bfd_byte *data = 0;
+ bfd_byte *data = NULL;
 bfd_size_type datasize;
 bfd_vma addr_offset;
 bfd_vma start_offset;
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 17:32:52.909622495 +0530
+++ git/bfd/ChangeLog 2017-09-21 17:35:57.863164167 +0530
@@ -11,6 +11,14 @@
 of end pointer.
 (evax_bfd_print_emh): Check for invalid string lengths.
+2017-06-26 Nick Clifton
+
+ PR binutils/21665
+ * compress.c (bfd_get_full_section_contents): Check for and reject a section whoes size is greater than the size of the entire file.
+ * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not contain a notes section.
+
 2017-07-24 Nick Clifton
 PR 21813
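Review bot: The `>=` in the added condition in disassemble_section also skips a section whose size exactly equals the file size, which is the normal layout for the raw `binary` target where the single section spans the whole file; the compress.c hunk in this same commit uses strict `>`, so `if (datasize == 0 || datasize > (bfd_size_type) bfd_get_file_size (abfd))` would be consistent and keep that case working. Unlike compress.c, there is no guard for bfd_get_file_size reporting 0 when the size is unknown; if it can return 0 here, every non-empty section would be skipped, so mirror the `bfd_get_file_size (abfd) > 0 &&` guard. disassemble_section begins before and continues after this hunk.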