From 67338173a49204a2097ca1e2c63c6bc1fe972c3e Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Fri, 20 Mar 2020 10:57:38 +1030
Subject: [PATCH] XCOFF uninitialized read
* coff-rs6000.c (_bfd_xcoff_slurp_armap): Ensure size is large enough to read number of symbols.
---
 bfd/ChangeLog | 5 +++++
 bfd/coff-rs6000.c | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 6c2e26d24ef..e04f0087793 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,8 @@
+2020-03-20 Alan Modra
+
+ * coff-rs6000.c (_bfd_xcoff_slurp_armap): Ensure size is large
+ enough to read number of symbols.
+
 2020-03-20 Alan Modra
 * elf.c (_bfd_elf_setup_sections): Don't test known non-NULL
diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c
index 2dd68e08c3b..bf87596a4fe 100644
--- a/bfd/coff-rs6000.c
+++ b/bfd/coff-rs6000.c
@@ -1260,9 +1260,9 @@ _bfd_xcoff_slurp_armap (bfd *abfd)
 return FALSE;
 GET_VALUE_IN_FIELD (sz, hdr.size, 10);
- if (sz == (bfd_size_type) -1)
+ if (sz + 1 < 5)
 {
- bfd_set_error (bfd_error_no_memory);
+ bfd_set_error (bfd_error_bad_value);
 return FALSE;
 }
@@ -1322,9 +1322,9 @@ _bfd_xcoff_slurp_armap (bfd *abfd)
 return FALSE;
 GET_VALUE_IN_FIELD (sz, hdr.size, 10);
- if (sz == (bfd_size_type) -1)
+ if (sz + 1 < 9)
 {
- bfd_set_error (bfd_error_no_memory);
+ bfd_set_error (bfd_error_bad_value);
 return FALSE;
 }
--
2.30.2
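Review bot: The new guard `if (sz + 1 < 5)` in the first coff-rs6000.c hunk (and `if (sz + 1 < 9)` in the second) packs two checks into one unsigned comparison with no comment, so the literals read as magic numbers. It appears to rely on `sz` being an unsigned `bfd_size_type`, so that the old sentinel `(bfd_size_type) -1` wraps to 0 and is still rejected, while 5 and 9 are presumably the 4- and 8-byte symbol-count fields plus one. I would add above each test something like `/* Reject (bfd_size_type) -1, which wraps to 0 here, and any size too small to hold the symbol count.  */`. The body of `_bfd_xcoff_slurp_armap` continues outside both hunks, so whether the symbol count later read from the buffer is itself bounded by `sz` cannot be confirmed from this patch and is worth checking in the same review.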