pr22741

# DP: PR22741, objcopy segfault on fuzzed COFF object

From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sat, 27 Jan 2018 08:19:33 +1030
Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object

	PR 22741
	* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
	range before converting to a symbol table pointer.

Gbp-Pq: Name pr22741.diff

diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index b2410873d0c9fc9ccd6d44870ec8204dcf3bfbc2..4f90eaddd9cf6d5ae77848043493f305a96bb26d 100644 (file)
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
     }
   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
      generate one, so we must be careful to ignore it.  */
-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
+  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
+      < obj_raw_syment_count (abfd))
     {
       auxent->u.auxent.x_sym.x_tagndx.p =
        table_base + auxent->u.auxent.x_sym.x_tagndx.l;