From 201159ecec7e17600df4153e5d4e7a145f0c7cfe Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Tue, 11 Nov 2014 15:34:27 +0000
Subject: More fixes for invalid memory accesses, uncovered by valgrind and binary fuzzers.

PR binutils/17512
* coffcode.h (coff_slurp_line_table): Initialise the parts of the line number cache that would not be initialised by the copy from the new line number table.
(coff_classify_symbol): Allow for _bfd_coff_internal_syment_name returning NULL.
* coffgen.c (coff_get_normalized_symbols): Get the external symbols before allocating space for the internal symbols, in case the get fails.
* elf.c (_bfd_elf_slurp_version_tables): Only allocate a verref array if one is needed. Likewise with the verdef array.
* peXXigen.c (_bfd_XXi_swap_sym_in): Replace abort()'s with error messages.
(_bfd_XXi_swap_aux_in): Make sure that all fields of the aux structure are initialised.
(pe_print_edata): Avoid reading off the end of the data buffer.
---
bfd/coffcode.h | 31 +++++++++++++++++++------------
1 file changed, 19 insertions(+), 12 deletions(-)
(limited to 'bfd/coffcode.h')

diff --git a/bfd/coffcode.h b/bfd/coffcode.h
index f10654e..4bc80bd 100644
--- a/bfd/coffcode.h
+++ b/bfd/coffcode.h
@@ -4453,11 +4453,11 @@ buy_and_read (bfd *abfd, file_ptr where, bfd_size_type size)
 void * area = bfd_alloc (abfd, size);
 if (!area)
- return (NULL);
+ return NULL;
 if (bfd_seek (abfd, where, SEEK_SET) != 0
 || bfd_bread (area, size, abfd) != size)
- return (NULL);
- return (area);
+ return NULL;
+ return area;
 }
 /*
@@ -4637,13 +4637,20 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
 /* PR binutils/17512: Point the lineno to where this entry will be after the memcpy below. */
 sym->lineno = lineno_cache + (n_cache_ptr - n_lineno_cache);
- /* Copy the function and line number entries. */
 do
 *n_cache_ptr++ = *old_ptr++;
 while (old_ptr->line_number != 0);
 }
- memcpy (lineno_cache, n_lineno_cache, amt);
+ /* PR 17521: file: 078-10659-0.004. */
+ if (n_cache_ptr < n_lineno_cache + asect->lineno_count)
+ {
+ amt = n_cache_ptr - n_lineno_cache;
+ memcpy (lineno_cache, n_lineno_cache, amt * sizeof (alent));
+ memset (lineno_cache + amt, 0, (asect->lineno_count - amt) * sizeof (alent));
+ }
+ else
+ memcpy (lineno_cache, n_lineno_cache, amt);
 }
 bfd_release (abfd, func_table);
 }
@@ -5074,13 +5081,13 @@ coff_classify_symbol (bfd *abfd,
 if (syment->n_value == 0)
 {
 asection *sec;
- char buf[SYMNMLEN + 1];
-
- sec = coff_section_from_bfd_index (abfd, syment->n_scnum);
- if (sec != NULL
- && (strcmp (bfd_get_section_name (abfd, sec),
- _bfd_coff_internal_syment_name (abfd, syment, buf))
- == 0))
+ char * name;
+ char buf[SYMNMLEN + 1];
+
+ name = _bfd_coff_internal_syment_name (abfd, syment, buf)
+ sec = coff_section_from_bfd_index (abfd, syment->n_scnum);
+ if (sec != NULL && name != NULL
+ && (strcmp (bfd_get_section_name (abfd, sec), name) == 0))
 return COFF_SYMBOL_PE_SECTION;
 }
 #endif
-- 
cgit v1.1
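Review bot: In the new `if` branch `amt` is overwritten with an element count (`n_cache_ptr - n_lineno_cache`) while the `else` branch still relies on it holding the earlier byte size, so one variable carries two different units a few lines apart; a dedicated local, `bfd_size_type used = n_cache_ptr - n_lineno_cache;`, used in the `memcpy` and `memset` would keep the copy and the zero-fill unambiguous and leave `amt` meaning one thing. The guard only handles `n_cache_ptr` stopping short of `n_lineno_cache + asect->lineno_count`; the inner `do … while` terminates on `old_ptr->line_number`, not on a count, so if it ever ran long the `else` branch would still `memcpy` `amt` bytes from a buffer that has already been overrun — a `BFD_ASSERT (n_cache_ptr == n_lineno_cache + asect->lineno_count);` in that branch (or folding the overrun case into the bounded copy) would surface that instead of propagating it. The new comment cites PR 17521 while the ChangeLog entry for this function cites PR binutils/17512; worth confirming the intended number. coff_slurp_line_table begins before this hunk.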
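Review bot: The added line `name = _bfd_coff_internal_syment_name (abfd, syment, buf)` has no terminating semicolon, so the following `sec = coff_section_from_bfd_index (...)` is parsed as part of the same expression and this hunk will not compile as written; it should read `name = _bfd_coff_internal_syment_name (abfd, syment, buf);`. `_bfd_coff_internal_syment_name` returns a `const char *` in coffgen.c, so `char * name;` discards the qualifier and should be `const char *name;`. The `name != NULL` test is the right fix for the reported crash, and because it sits before the `strcmp` in the same `&&` chain the compare is never reached with a null argument. coff_classify_symbol begins before this hunk and continues after the `#endif`.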