From b452493a3dc2a56918209677e82ce4070260289c Mon Sep 17 00:00:00 2001
From: Ed Maste <emaste@FreeBSD.org>
Date: Thu, 23 Nov 2017 16:04:52 +0000
Subject: [PATCH] bfd: avoid crash on corrupt binaries

From binutils commits 5a4b0ccc20ba30caef53b01bee2c0aaa5b855339 and
7e1e19887abd24aeb15066b141cdff5541e0ec8e, made available under GPLv2
by Nick Clifton.

PR:		198824
MFC after:	1 week
Security:	CVE-2014-8501
Security:	CVE-2014-8502
---
 contrib/binutils/bfd/peXXigen.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/contrib/binutils/bfd/peXXigen.c b/contrib/binutils/bfd/peXXigen.c
index f96825f687e8..954d68ef9037 100644
--- a/contrib/binutils/bfd/peXXigen.c
+++ b/contrib/binutils/bfd/peXXigen.c
@@ -448,6 +448,17 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
   {
     int idx;
 
+    /* PR 17512: Corrupt PE binaries can cause seg-faults.  */
+    if (a->NumberOfRvaAndSizes > 16)
+      {
+       (*_bfd_error_handler)
+	  (_("%B: aout header specifies an invalid number of data-directory entries: %d"),
+	   abfd, a->NumberOfRvaAndSizes);
+	/* Paranoia: If the number is corrupt, then assume that the
+	   actual entries themselves might be corrupt as well.  */
+	a->NumberOfRvaAndSizes = 0;
+      }
+
     for (idx = 0; idx < 16; idx++)
       {
         /* If data directory is empty, rva also should be 0.  */
@@ -1428,6 +1439,15 @@ pe_print_edata (bfd * abfd, void * vfile)
 	}
     }
 
+  /* PR 17512: Handle corrupt PE binaries.  */
+  if (datasize < 36)
+    {
+      fprintf (file,
+	       _("\nThere is an export table in %s, but it is too small (%d)\n"),
+	       section->name, (int) datasize);
+      return TRUE;
+    }
+
   fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
 	   section->name, (unsigned long) addr);