PR22741, objcopy segfault on fuzzed COFF object

	PR 22741
	* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
	range before converting to a symbol table pointer.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 83532c0f60c98cd8479cc8d641a4bbc9e772491d..95661980211f42927527cb1ef269b05694b42138 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2018-01-29  Alan Modra  <amodra@gmail.com>
+
+       PR 22741
+       * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
+       range before converting to a symbol table pointer.
+
 2018-01-27  Nick Clifton  <nickc@redhat.com>
 
        * po/ru.po: Updated Russian translation.

diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index b2410873d0c9fc9ccd6d44870ec8204dcf3bfbc2..4f90eaddd9cf6d5ae77848043493f305a96bb26d 100644 (file)
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
     }
   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
      generate one, so we must be careful to ignore it.  */
-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
+  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
+      < obj_raw_syment_count (abfd))
     {
       auxent->u.auxent.x_sym.x_tagndx.p =
        table_base + auxent->u.auxent.x_sym.x_tagndx.l;