author | Nick Clifton <nickc@redhat.com> | 2017-10-31 14:29:40 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2017-10-31 14:29:40 +0000 |
commit | 0bb6961f18b8e832d88b490d421ca56cea16c45b (patch) | |
tree | abfdb80a84ee56a422f7f3605f4461f5228a5c40 | |
parent | 45ac8f4f107f50d77a8514ee8a244b82c1a8ea0c (diff) | |
Fix illegal memory access triggered when parsing a PE binary with a corrupt data dictionary.
PR 22373
* peicode.h (pe_bfd_read_buildid): Check for invalid size and data
offset values.
-rw-r--r-- | bfd/ChangeLog | 6 |
-rw-r--r-- | bfd/peicode.h | 9 |
2 files changed, 12 insertions, 3 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog index d6de8d5..a28769a 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2017-10-31 Nick Clifton <nickc@redhat.com> + + PR 22373 + * peicode.h (pe_bfd_read_buildid): Check for invalid size and data + offset values. + 2017-10-30 Alan Modra <amodra@gmail.com> * elf32-frv.c (ELF_TARGET_ID): Don't define for generic diff --git a/bfd/peicode.h b/bfd/peicode.h index 2dffb12..f3b759c 100644 --- a/bfd/peicode.h +++ b/bfd/peicode.h @@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd) bfd_byte *data = 0; bfd_size_type dataoff; unsigned int i; - bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress; bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size; @@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd) dataoff = addr - section->vma; - /* PR 20605: Make sure that the data is really there. */ - if (dataoff + size > section->size) + /* PR 20605 and 22373: Make sure that the data is really there. + Note - since we are dealing with unsigned quantities we have + to be careful to check for potential overflows. */ + if (dataoff > section->size + || size > section->size + || dataoff + size > section->size) { _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."), abfd); |
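Review bot: In the pe_bfd_read_buildid range check in bfd/peicode.h, the third clause (dataoff + size > section->size) still performs the unsigned addition that the new comment warns about. It cannot wrap only because the first two clauses cap both operands at section->size, and that argument holds only while section->size is less than half the range of bfd_size_type. Comparing by subtraction avoids the addition altogether: if (dataoff > section->size || size > section->size - dataoff). That form also makes the separate size > section->size test redundant. Two smaller points: the comment could say that the dataoff > section->size clause is what catches addr lying below section->vma, where dataoff = addr - section->vma wraps to a very large value, and the error text "Debug Data ends beyond end of debug directory" does not describe the case where the data starts outside the section.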