From 55325047241cf38dae3c6a577561c740a9024bf3 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Fri, 6 Feb 2015 12:59:25 +0000
Subject: [PATCH] Fix an invalid memory access triggered by running readelf on a fuzzed binary.
PR binutils/17531
* readelf.c (process_mips_specific): Fail if an option has an invalid size.
---
 binutils/ChangeLog | 2 ++
 binutils/readelf.c | 5 ++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 9e682c1a90e..803bfa89b84 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -8,6 +8,8 @@
 * dwarf.c (xcmalloc): Fail if the arguments are too big.
 (xcrealloc): Likewise.
 (xcalloc2): Likewise.
+ * readelf.c (process_mips_specific): Fail if an option has an
+ invalid size.
 2015-02-05 Alan Modra
diff --git a/binutils/readelf.c b/binutils/readelf.c
index a0d6f327896..00bcb1d4bc2 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -13880,9 +13880,8 @@ process_mips_specific (FILE * file)
 if (option->size < sizeof (* eopt) || offset + option->size > sect->sh_size)
 {
- warn (_("Invalid size (%u) for MIPS option\n"), option->size);
- option->size = sizeof (* eopt);
- break;
+ error (_("Invalid size (%u) for MIPS option\n"), option->size);
+ return 0;
 }
 offset += option->size;
--
2.30.2
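Review bot: The new `return 0;` in the readelf.c hunk leaves process_mips_specific from inside the option loop, where the old code used `break` and fell through to whatever follows the loop. If the option tables are heap-allocated earlier in the function (not visible in this hunk), this error path skips their release and should free them before returning. Separately, the bound `offset + option->size > sect->sh_size` relies on the sum not wrapping. Assuming the loop keeps offset below sh_size, `option->size > sect->sh_size - offset` makes the same check without depending on the operand widths. A short comment such as `/* PR binutils/17531: a bad option size means the rest of the table cannot be trusted. */` above the check would record why parsing stops instead of patching the size. The function body starts and ends outside the hunk.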