Avoid needless resource usage when processing a corrupt DWARF directory or file name table.

	PR 22210
	* dwarf2.c (read_formatted_entries): Fail early if we know that
	the loop parsing data entries will overflow the end of the
	section.

2 files changed, 17 insertions, 0 deletions

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index b6f7381..a1c1616 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2017-09-26  Nick Clifton  <nickc@redhat.com>
+
+	PR 22210
+	* dwarf2.c (read_formatted_entries): Fail early if we know that
+	the loop parsing data entries will overflow the end of the
+	section.
+
 2017-09-26  Alan Modra  <amodra@gmail.com>
 
 	PR 22209
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index ad06120..dd5ac8f 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -1938,6 +1938,16 @@ read_formatted_entries (struct comp_unit *unit, bfd_byte **bufp,
       return FALSE;
     }
 
+  /* PR 22210.  Paranoia check.  Don't bother running the loop
+     if we know that we are going to run out of buffer.  */
+  if (data_count > (bfd_vma) (buf_end - buf))
+    {
+      _bfd_error_handler (_("Dwarf Error: data count (%Lx) larger than buffer size."),
+			  data_count);
+      bfd_set_error (bfd_error_bad_value);
+      return FALSE;
+    }
+
   for (datai = 0; datai < data_count; datai++)
     {
       bfd_byte *format = format_header_data;