Blame SOURCES/binutils-CVE-2018-6759.patch

381f6c
--- binutils.orig/bfd/opncls.c	2018-05-01 11:42:03.266424248 +0100
381f6c
+++ binutils-2.30/bfd/opncls.c	2018-05-01 12:52:36.792579838 +0100
381f6c
@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
381f6c
   bfd_byte *contents;
381f6c
   unsigned int crc_offset;
381f6c
   char *name;
381f6c
+  bfd_size_type size;
381f6c
 
381f6c
   BFD_ASSERT (abfd);
381f6c
   BFD_ASSERT (crc32_out);
381f6c
@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
381f6c
   if (sect == NULL)
381f6c
     return NULL;
381f6c
 
381f6c
+  size = bfd_get_section_size (sect);
381f6c
+
381f6c
+  /* PR 22794: Make sure that the section has a reasonable size.  */
381f6c
+  if (size < 8 || size >= bfd_get_size (abfd))
381f6c
+    return NULL;
381f6c
+
381f6c
   if (!bfd_malloc_and_get_section (abfd, sect, &contents))
381f6c
     {
381f6c
       if (contents != NULL)
381f6c
@@ -1198,9 +1205,9 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
381f6c
   /* CRC value is stored after the filename, aligned up to 4 bytes.  */
381f6c
   name = (char *) contents;
381f6c
   /* PR 17597: avoid reading off the end of the buffer.  */
381f6c
-  crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
381f6c
+  crc_offset = strnlen (name, size) + 1;
381f6c
   crc_offset = (crc_offset + 3) & ~3;
381f6c
-  if (crc_offset + 4 > bfd_get_section_size (sect))
381f6c
+  if (crc_offset + 4 > size)
381f6c
     return NULL;
381f6c
 
381f6c
   *crc32 = bfd_get_32 (abfd, contents + crc_offset);
381f6c
@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
381f6c
   bfd_byte *contents;
381f6c
   unsigned int buildid_offset;
381f6c
   char *name;
381f6c
+  bfd_size_type size;
381f6c
 
381f6c
   BFD_ASSERT (abfd);
381f6c
   BFD_ASSERT (buildid_len);
381f6c
@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
381f6c
   if (sect == NULL)
381f6c
     return NULL;
381f6c
 
381f6c
+  size = bfd_get_section_size (sect);
381f6c
+  if (size < 8 || size >= bfd_get_size (abfd))
381f6c
+    return NULL;
381f6c
+
381f6c
   if (!bfd_malloc_and_get_section (abfd, sect, & contents))
381f6c
     {
381f6c
       if (contents != NULL)
381f6c
@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
381f6c
 
381f6c
   /* BuildID value is stored after the filename.  */
381f6c
   name = (char *) contents;
381f6c
-  buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
381f6c
-  if (buildid_offset >= bfd_get_section_size (sect))
381f6c
+  buildid_offset = strnlen (name, size) + 1;
381f6c
+  if (buildid_offset >= size)
381f6c
     return NULL;
381f6c
 
381f6c
-  *buildid_len = bfd_get_section_size (sect) - buildid_offset;
381f6c
+  *buildid_len = size - buildid_offset;
381f6c
   *buildid_out = bfd_malloc (*buildid_len);
381f6c
   memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
381f6c