From b0029dce6867de1a2828293177b0e030d2f0f03c Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 28 Nov 2017 18:00:29 +0000
Subject: Prevent a memory exhaustion problem when trying to read in strings
 from a COFF binary with a corrupt string table size.

	PR 22507
	* coffgen.c (_bfd_coff_read_string_table): Check for an excessive
	size of the external string table.
---
 bfd/ChangeLog | 6 ++++++
 bfd/coffgen.c | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 13ff8ad..e8d7563 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,5 +1,11 @@
 2017-11-28  Nick Clifton  <nickc@redhat.com>
 
+	PR 22507
+	* coffgen.c (_bfd_coff_read_string_table): Check for an excessive
+	size of the external string table.
+
+2017-11-28  Nick Clifton  <nickc@redhat.com>
+
 	PR 22506
 	* reloc.c (reloc_offset_in_range): Rename to
 	bfd_reloc_offset_in_range and export.
diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index 81efd9b..7798dfc 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1718,7 +1718,7 @@ _bfd_coff_read_string_table (bfd *abfd)
 #endif
     }
 
-  if (strsize < STRING_SIZE_SIZE)
+  if (strsize < STRING_SIZE_SIZE || strsize > bfd_get_file_size (abfd))
     {
       _bfd_error_handler
 	/* xgettext: c-format */
@@ -1726,7 +1726,7 @@ _bfd_coff_read_string_table (bfd *abfd)
       bfd_set_error (bfd_error_bad_value);
       return NULL;
     }
-
+  
   strings = (char *) bfd_malloc (strsize + 1);
   if (strings == NULL)
     return NULL;
-- 
cgit v1.1