XCOFF uninitialized read

	* coff-rs6000.c (_bfd_xcoff_slurp_armap): Ensure size is large
	enough to read number of symbols.

2 files changed, 9 insertions, 4 deletions

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 6c2e26d..e04f008 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,10 @@
 2020-03-20  Alan Modra  <amodra@gmail.com>
 
+	* coff-rs6000.c (_bfd_xcoff_slurp_armap): Ensure size is large
+	enough to read number of symbols.
+
+2020-03-20  Alan Modra  <amodra@gmail.com>
+
 	* elf.c (_bfd_elf_setup_sections): Don't test known non-NULL
 	backend functions for NULL before calling.
 	(copy_special_section_fields, _bfd_elf_copy_private_bfd_data),
diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c
index 2dd68e0..bf87596 100644
--- a/bfd/coff-rs6000.c
+++ b/bfd/coff-rs6000.c
@@ -1260,9 +1260,9 @@ _bfd_xcoff_slurp_armap (bfd *abfd)
 	return FALSE;
 
       GET_VALUE_IN_FIELD (sz, hdr.size, 10);
-      if (sz == (bfd_size_type) -1)
+      if (sz + 1 < 5)
 	{
-	  bfd_set_error (bfd_error_no_memory);
+	  bfd_set_error (bfd_error_bad_value);
 	  return FALSE;
 	}
 
@@ -1322,9 +1322,9 @@ _bfd_xcoff_slurp_armap (bfd *abfd)
 	return FALSE;
 
       GET_VALUE_IN_FIELD (sz, hdr.size, 10);
-      if (sz == (bfd_size_type) -1)
+      if (sz + 1 < 9)
 	{
-	  bfd_set_error (bfd_error_no_memory);
+	  bfd_set_error (bfd_error_bad_value);
 	  return FALSE;
 	}