PR22197, buffer overflow in bfd_get_debug_link_info_1

	PR 22197
	* opncls.c (bfd_get_debug_link_info_1): Properly check that crc is
	within section bounds.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index c465462bcaf3981b90cb3fcbefc0716a290c9b5f..92a6c27ced8a8bd181b0ee07fb2b4a762a8a551b 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2017-09-24  Alan Modra  <amodra@gmail.com>
+
+       PR 22197
+       * opncls.c (bfd_get_debug_link_info_1): Properly check that crc is
+       within section bounds.
+
 2017-09-24  Alan Modra  <amodra@gmail.com>
 
        PR 22191

diff --git a/bfd/opncls.c b/bfd/opncls.c
index fa5498685446d97f070c238c09882019f4ec5943..8550623dfce024125defeaccb181a4387e5fe6a1 100644 (file)
--- a/bfd/opncls.c
+++ b/bfd/opncls.c
@@ -1200,7 +1200,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
   /* PR 17597: avoid reading off the end of the buffer.  */
   crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
   crc_offset = (crc_offset + 3) & ~3;
-  if (crc_offset >= bfd_get_section_size (sect))
+  if (crc_offset + 4 > bfd_get_section_size (sect))
     return NULL;
 
   *crc32 = bfd_get_32 (abfd, contents + crc_offset);