authorNick Clifton <nickc@redhat.com>2014-12-03 19:50:48 +0000
committerNick Clifton <nickc@redhat.com>2014-12-03 19:50:48 +0000
commitdb6b071a97893d5c7bf34e7fb171a0b710ea736d (patch)
treee6a0854550b4bd07b8aadfab2cb873e7f688ecd0 /bfd/opncls.c
parent4759c34e128035e57b06a7b3d7c58f135061c6da (diff)
Fix memory access problems exposed by fuzzed binaries.
PR binutils/17512 * objdump.c (free_debug_section): Reset the compress_status as well. * compress.c (bfd_get_full_section_contents): Fail if there are no section contents available when the compress_status is COMPRESS_SECTION_DONE. * libbfd.c (bfd_malloc): Refuse to allocate a negative size. (bfd_malloc2): Use bfd_malloc. (bfd_realloc): Refuse to reallocate a negative size. (bfd_realloc2): Use bfd_realloc. (bfd_realloc_or_free): Use bfd_realloc. (bfd_zmalloc): Use bfd_malloc. (bfd_zmalloc): Use bfd_malloc2. * opncls.c (bfd_alloc): Refuse to allocate a negative size.
Diffstat (limited to 'bfd/opncls.c')
-rw-r--r--bfd/opncls.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/bfd/opncls.c b/bfd/opncls.c
index 75af627..404b944 100644
--- a/bfd/opncls.c
+++ b/bfd/opncls.c
@@ -940,15 +940,19 @@ bfd_alloc (bfd *abfd, bfd_size_type size)
unsigned long ul_size = (unsigned long) size;
if (size != ul_size
- /* A small negative size can result in objalloc_alloc allocating just
- 1 byte of memory, but the caller will be expecting more. So catch
- this case here. */
- || (size != 0 && (((ul_size + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1)) == 0)))
+ /* Note - although objalloc_alloc takes an unsigned long as its
+ argument, internally the size is treated as a signed long. This can
+ lead to problems where, for example, a request to allocate -1 bytes
+ can result in just 1 byte being allocated, rather than
+ ((unsigned long) -1) bytes. Also memory checkers will often
+ complain about attempts to allocate a negative amount of memory.
+ So to stop these problems we fail if the size is negative. */
+ || ((signed long) ul_size) < 0)
{
bfd_set_error (bfd_error_no_memory);
return NULL;
}
-
+
ret = objalloc_alloc ((struct objalloc *) abfd->memory, ul_size);
if (ret == NULL)
bfd_set_error (bfd_error_no_memory);
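Review bot: The new guard `|| ((signed long) ul_size) < 0)` depends on converting an out-of-range unsigned value to a signed type, which C leaves implementation-defined. Writing it as `|| ul_size > (unsigned long) LONG_MAX)` states the same bound without the cast, assuming `<limits.h>` is in scope in this file, which the hunk does not show. The guard only rejects sizes with the top bit set, so a size taken from a malformed file header that lies just below that bound still reaches `objalloc_alloc`; callers that derive sizes from untrusted section data still need their own check against the file or section size. The failure is also reported as `bfd_error_no_memory`, which makes a corrupt-input rejection look like memory exhaustion to whoever triages the error. The `-`/`+` pair before `ret = objalloc_alloc` looks like a whitespace-only change that may leave trailing whitespace on the blank line; `bfd_alloc` itself starts before and ends after this hunk.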