From 4d5acb1ea570f04f8020338bad6918dfe76b785c Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Mon, 11 May 2020 18:00:31 +0930
Subject: PR25961, buffer overflow in coff_swap_aux_in

	PR 25961
	* coffgen.c (coff_get_normalized_symtab): Check that buffer
	contains required number of auxents before processing any auxent.
	* coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended
	file name from auxents for PE.
---
 bfd/ChangeLog  |  8 ++++++++
 bfd/coffgen.c  | 14 +++++++-------
 bfd/coffswap.h |  2 +-
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 19ecf89..38ff455 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2020-05-11  Alan Modra  <amodra@gmail.com>
+
+	PR 25961
+	* coffgen.c (coff_get_normalized_symtab): Check that buffer
+	contains required number of auxents before processing any auxent.
+	* coffswap.h (coff_swap_aux_in <C_FILE>): Only swap in extended
+	file name from auxents for PE.
+
 2020-05-04  Gunther Nikl  <gnikl@justmail.de>
 
 	* aout-cris.c (DEFAULT_ARCH): Delete define.
diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index 6d84d51..96140e0 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1818,6 +1818,13 @@ coff_get_normalized_symtab (bfd *abfd)
       symbol_ptr = internal_ptr;
       internal_ptr->is_sym = TRUE;
 
+      /* PR 17512: Prevent buffer overrun.  */
+      if (symbol_ptr->u.syment.n_numaux > (raw_end - raw_src) / symesz)
+	{
+	  bfd_release (abfd, internal);
+	  return NULL;
+	}
+
       for (i = 0;
 	   i < symbol_ptr->u.syment.n_numaux;
 	   i++)
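Review bot: The new guard at `if (symbol_ptr->u.syment.n_numaux > (raw_end - raw_src) / symesz)` is off by one, because raw_src here still addresses the symbol record itself while each auxent is read only after `raw_src += symesz` in the loop body, so n_numaux equal to the quotient passes the check and the last bfd_coff_swap_aux_in reads symesz bytes starting at raw_end. The per-iteration check removed in the next hunk (`raw_src >= raw_end || internal_ptr >= internal_end`) rejected exactly that case, so this commit narrows the coverage it claims to preserve; rejecting the boundary, `if (symbol_ptr->u.syment.n_numaux >= (raw_end - raw_src) / symesz)`, or equivalently dividing `(raw_end - 1) - raw_src`, restores it while keeping the single up-front test. The replacement also no longer compares against internal_end; that is only safe if the internal array is sized from the same symbol count as raw_end, which the hunk does not show, so a one-line comment stating that invariant next to the check would help. The enclosing loop of coff_get_normalized_symtab starts and ends outside this hunk.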
@@ -1825,13 +1832,6 @@ coff_get_normalized_symtab (bfd *abfd)
 	  internal_ptr++;
 	  raw_src += symesz;
 
-	  /* PR 17512: Prevent buffer overrun.  */
-	  if (raw_src >= raw_end || internal_ptr >= internal_end)
-	    {
-	      bfd_release (abfd, internal);
-	      return NULL;
-	    }
-
 	  bfd_coff_swap_aux_in (abfd, (void *) raw_src,
 				symbol_ptr->u.syment.n_type,
 				symbol_ptr->u.syment.n_sclass,
diff --git a/bfd/coffswap.h b/bfd/coffswap.h
index 7c0be22..f75001e 100644
--- a/bfd/coffswap.h
+++ b/bfd/coffswap.h
@@ -399,7 +399,7 @@ coff_swap_aux_in (bfd *abfd,
 #if FILNMLEN != E_FILNMLEN
 #error we need to cope with truncating or extending FILNMLEN
 #else
-	  if (numaux > 1)
+	  if (numaux > 1 && coff_data (abfd)->pe)
 	    {
 	      if (indx == 0)
 		memcpy (in->x_file.x_fname, ext->x_file.x_fname,
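Review bot: The new condition `if (numaux > 1 && coff_data (abfd)->pe)` encodes a format-specific rule with no comment, so a later reader cannot tell why non-PE C_FILE symbols with several auxents are deliberately excluded from the extended-name copy or what path they take instead. A comment above the test such as `/* Only PE carries a long file name across several auxents; other formats must not have extra auxents interpreted as name bytes (PR 25961).  */` would record the reason the fix depends on. The rest of the C_FILE branch, including the indx != 0 case the memcpy on the last line feeds into, lies outside this hunk, as does the start of coff_swap_aux_in.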
-- 
cgit v1.1