commit cb06d03ad92ffcfaa09c3f065837cb39e9e1486d Author: Nick Clifton Date: Wed Jun 21 11:13:49 2017 +0100 Fix address violation parsing a corrupt IEEE Alpha binary. PR binutils/21637 * vms-alpha.c (_bfd_vms_slurp_egsd): Check for an empty section list. (image_set_ptr): Likewise. (alpha_vms_fix_sec_rel): Likewise. (alpha_vms_slurp_relocs): Likewise. Upstream-Status: Backport CVE: CVE-2017-12450, CVE-2017-12452, CVE-2017-12453, CVE-2017-12454, CVE-2017-12456 Signed-off-by: Thiruvadi Rajaraman
Index: git/bfd/vms-alpha.c
===================================================================
--- git.orig/bfd/vms-alpha.c 2017-08-31 18:01:00.742098130 +0530
+++ git/bfd/vms-alpha.c 2017-08-31 18:01:06.000000000 +0530
@@ -1257,6 +1257,8 @@
 struct vms_esdf *esdf = (struct vms_esdf *)vms_rec;
 entry->value = bfd_getl64 (esdf->value);
+ if (PRIV (sections) == NULL)
+ return FALSE;
 entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)];
 if (old_flags & EGSY__V_NORM)
@@ -1291,7 +1293,11 @@
 entry->symbol_vector = bfd_getl32 (egst->value);
 if (old_flags & EGSY__V_REL)
- entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
+ {
+ if (PRIV (sections) == NULL)
+ return FALSE;
+ entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
+ }
 else
 entry->section = bfd_abs_section_ptr;
@@ -1379,6 +1385,8 @@
 vms_debug2 ((4, "image_set_ptr (0x%08x, sect=%d)\n", (unsigned)vma, sect));
+ if (PRIV (sections) == NULL)
+ return;
 sec = PRIV (sections)[sect];
 if (info)
@@ -1691,7 +1699,12 @@
 alpha_vms_fix_sec_rel (bfd *abfd, struct bfd_link_info *info, unsigned int rel, bfd_vma vma)
 {
- asection *sec = PRIV (sections)[rel & RELC_MASK];
+ asection *sec;
+
+ if (PRIV (sections) == NULL)
+ return 0;
+
+ sec = PRIV (sections)[rel & RELC_MASK];
 if (info)
 {
@@ -5000,6 +5013,8 @@
 return FALSE;
 }
+ if (PRIV (sections) == NULL)
+ return FALSE;
 sec = PRIV (sections)[cur_psect];
 if (sec == bfd_abs_section_ptr)
 {
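Review bot: In the `@@ -1257,6 +1257,8 @@` hunk the added NULL test only covers an empty section list; `bfd_getl32 (esdf->psindx)` is still taken straight from the object file and used to subscript `PRIV (sections)` with no upper bound, so a corrupt record can still index past the end of the array. The same unchecked subscript remains in the `-1291` (`egst->psindx`), `-1379` (`sect`), `-1691` (`rel & RELC_MASK`), `-5000` (`cur_psect`) and `-5058` (`cur_psidx`, where only `>= 0` is tested) hunks. I would read the index into a local and reject it when it is not below the number of sections actually recorded, for example `if (PRIV (sections) == NULL || psindx >= PRIV (section_count)) return FALSE;`. `section_count` is the name I expect from upstream and is not visible in this patch, so confirm it against the private data struct. The enclosing functions start and end outside these hunks.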
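Review bot: In the `@@ -1379,6 +1385,8 @@` hunk `image_set_ptr` now returns silently when the section list is missing, and in the `-1691` hunk `alpha_vms_fix_sec_rel` returns `0`, which a caller cannot tell apart from a legitimately computed address. The callers are outside the hunks, but as written processing appears to continue on an input already known to be corrupt, with no error recorded. At minimum I would record the condition before each early return with `bfd_set_error (bfd_error_bad_value);` and add a comment such as `/* Corrupt input: no sections were read, nothing to relocate against. */`. A follow-up could give both helpers a way to report failure to their callers.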
@@ -5058,8 +5073,12 @@
 reloc->sym_ptr_ptr = sym;
 }
 else if (cur_psidx >= 0)
- reloc->sym_ptr_ptr =
- PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+ {
+ if (PRIV (sections) == NULL)
+ return FALSE;
+ reloc->sym_ptr_ptr =
+ PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+ }
 else
 reloc->sym_ptr_ptr = NULL;
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-08-31 18:01:06.000000000 +0530
+++ git/bfd/ChangeLog 2017-08-31 18:01:49.114384620 +0530
@@ -31,7 +31,16 @@
 correct magic bytes at the start, set the error to wrong format and clear the format selector before returning NULL.
- 2017-06-19 Nick Clifton
+ 2017-06-21 Nick Clifton
+
+ PR binutils/21637
+ * vms-alpha.c (_bfd_vms_slurp_egsd): Check for an empty section
+ list.
+ (image_set_ptr): Likewise.
+ (alpha_vms_fix_sec_rel): Likewise.
+ (alpha_vms_slurp_relocs): Likewise.
+
+2017-06-19 Nick Clifton
 PR binutils/21618
 * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record