Fix address violation parsing a corrupt SOM binary.

	PR binutils/21649
	* som.c (setup_sections): NUL terminate the space_strings buffer.
	Check that the space.name field does not index beyond the end of
	the space_strings buffer.

2 files changed, 14 insertions, 2 deletions

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index b1cf4f9..57a07a5 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2017-06-22  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/21649
+	* som.c (setup_sections): NUL terminate the space_strings buffer.
+	Check that the space.name field does not index beyond the end of
+	the space_strings buffer.
+
 2017-06-21  Nick Clifton  <nickc@redhat.com>
 
 	PR binutils/21646
diff --git a/bfd/som.c b/bfd/som.c
index 8575c89..98c4124 100644
--- a/bfd/som.c
+++ b/bfd/som.c
@@ -2083,8 +2083,8 @@ setup_sections (bfd *abfd,
 
   /* First, read in space names.  */
   amt = file_hdr->space_strings_size;
-  space_strings = bfd_malloc (amt);
-  if (!space_strings && amt != 0)
+  space_strings = bfd_malloc (amt + 1);
+  if (space_strings == NULL && amt != 0)
     goto error_return;
 
   if (bfd_seek (abfd, current_offset + file_hdr->space_strings_location,
@@ -2092,6 +2092,8 @@ setup_sections (bfd *abfd,
     goto error_return;
   if (bfd_bread (space_strings, amt, abfd) != amt)
     goto error_return;
+  /* Make sure that the string table is NUL terminated.  */
+  space_strings[amt] = 0;
 
   /* Loop over all of the space dictionaries, building up sections.  */
   for (space_index = 0; space_index < file_hdr->space_total; space_index++)
@@ -2119,6 +2121,9 @@ setup_sections (bfd *abfd,
       som_swap_space_dictionary_in (&ext_space, &space);
 
       /* Setup the space name string.  */
+      if (space.name >= file_hdr->space_strings_size)
+	goto error_return;
+
       space_name = space.name + space_strings;
 
       /* Make a section out of it.  */