From ab419ddbb2cdd17ca83618990f2cacf904ce1d61 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Tue, 23 Oct 2018 18:29:24 +1030
Subject: [PATCH] PR23804, buffer overflow in sec_merge_hash_lookup

	PR 23804
	* merge.c (_bfd_add_merge_section): Don't attempt to merge
	sections where size is not a multiple of entsize.

Upstream-Status: Backport
CVE: CVE-2018-18605
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 bfd/ChangeLog | 6 ++++++
 bfd/merge.c   | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 31ff3d6..da423b1 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2018-10-23  Alan Modra  <amodra@gmail.com>
+
+	PR 23804
+	* merge.c (_bfd_add_merge_section): Don't attempt to merge
+	sections where size is not a multiple of entsize.
+
 2018-10-13  Alan Modra  <amodra@gmail.com>
 
 	PR 23770
diff --git a/bfd/merge.c b/bfd/merge.c
index 7904552..5e3bba0 100644
--- a/bfd/merge.c
+++ b/bfd/merge.c
@@ -376,6 +376,9 @@ _bfd_add_merge_section (bfd *abfd, void **psinfo, asection *sec,
       || sec->entsize == 0)
     return TRUE;
 
+  if (sec->size % sec->entsize != 0)
+    return TRUE;
+
   if ((sec->flags & SEC_RELOC) != 0)
     {
       /* We aren't prepared to handle relocations in merged sections.  */
-- 
2.9.3