From 04f963fd489cae724a60140e13984415c205f4ac Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Wed, 14 Jun 2017 10:35:16 +0100
Subject: [PATCH] Fix seg-faults in objdump when disassembling a corrupt versados binary.

PR binutils/21591
* versados.c (versados_mkobject): Zero the allocated tdata structure.
(process_otr): Check for an invalid offset in the otr structure.

Upstream-Status: Backport
CVE: CVE-2017-9753
CVE: CVE-2017-9754
Signed-off-by: Armin Kuster
---
 bfd/ChangeLog  |  6 ++++++
 bfd/versados.c | 12 ++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

Index: git/bfd/versados.c
===================================================================
--- git.orig/bfd/versados.c
+++ git/bfd/versados.c
@@ -149,7 +149,7 @@ versados_mkobject (bfd *abfd)
   if (abfd->tdata.versados_data == NULL)
     {
       bfd_size_type amt = sizeof (tdata_type);
-      tdata_type *tdata = bfd_alloc (abfd, amt);
+      tdata_type *tdata = bfd_zalloc (abfd, amt);
 
       if (tdata == NULL)
 	return FALSE;
@@ -345,13 +345,13 @@ reloc_howto_type versados_howto_table[]
 };
 
 static int
-get_offset (int len, unsigned char *ptr)
+get_offset (unsigned int len, unsigned char *ptr)
 {
   int val = 0;
 
   if (len)
     {
-      int i;
+      unsigned int i;
 
       val = *ptr++;
       if (val & 0x80)
@@ -394,9 +394,13 @@ process_otr (bfd *abfd, struct ext_otr *
       int flag = *srcp++;
       int esdids = (flag >> 5) & 0x7;
       int sizeinwords = ((flag >> 3) & 1) ? 2 : 1;
-      int offsetlen = flag & 0x7;
+      unsigned int offsetlen = flag & 0x7;
       int j;
 
+      /* PR 21591: Check for invalid lengths.  */
+      if (srcp + esdids + offsetlen >= endp)
+	return;
+
       if (esdids == 0)
 	{
 	  /* A zero esdid means the new pc is the offset given.  */
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
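Review bot: The widened `len` parameter of get_offset still makes the function read `len` bytes from `ptr` with no bound of its own, so the unsigned type only rules out a negative count; the actual defence against a short buffer has to come from the caller's check. The loop that consumes the bytes, and the rest of get_offset, are outside this hunk, so the contract is invisible at the definition. A comment on the signature would make the expectation explicit: `/* Decode a LEN-byte offset at PTR.  The caller guarantees that LEN bytes are readable.  */`.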
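Review bot: The added guard in process_otr, `srcp + esdids + offsetlen >= endp`, computes a pointer that can lie past the end of the record buffer before comparing it, which is undefined behaviour in C even though it works on common targets; comparing the remaining length avoids forming that pointer: `if ((size_t) (endp - srcp) <= (size_t) esdids + offsetlen) return;`. The guard also returns silently, so a truncated OTR record looks to the caller exactly like a cleanly exhausted one; if process_otr has any way to report failure (its signature and the enclosing loop are outside this hunk), setting `bfd_set_error (bfd_error_bad_value)` before returning would let objdump tell the user the input is corrupt. Note that `>=` rejects a record whose last byte ends exactly at `endp`; whether that is intended depends on how the loop reads the next flag byte, which I cannot see here.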
@@ -8,6 +8,10 @@
 	(ieee_archive_p): Likewise.
 
 2017-06-14  Nick Clifton
+
+	PR binutils/21591
+	* versados.c (versados_mkobject): Zero the allocated tdata structure.
+	(process_otr): Check for an invalid offset in the otr structure.
 
 	PR binutils/21589
 	* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the