deleted file mode 100644

@@ -1,50 +0,0 @@

-From 56933f9e3e90eebf1018ed7417d6c1184b91db6b Mon Sep 17 00:00:00 2001

-From: "H.J. Lu" <hjl.tools@gmail.com>

-Date: Fri, 22 Sep 2017 14:15:40 -0700

-Subject: [PATCH 1/1] x86: Guard against corrupted PLT

-

-There should be only one entry in PLT for a given symbol.  Set howto to

-NULL after processing a PLT entry to guard against corrupted PLT so that

-the duplicated PLT entries are skipped.

-

-	PR binutils/22170

-	 * elf32-i386.c (elf_i386_get_synthetic_symtab): Guard against

-	 corrupted PLT.

-	 * elf64-x86-64.c (elf_x86_64_get_synthetic_symtab): Likewise.

-

-(cherry picked from commit 61e3bf5f83f7e505b6bc51ef65426e5b31e6e360)

- bfd/elf32-i386.c   | 4 ++++

- bfd/elf64-x86-64.c | 4 ++++

- 2 files changed, 8 insertions(+)

-

-diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c

-index 9dc2d25..ba50c93 100644

-+++ b/bfd/elf32-i386.c

-@@ -6616,6 +6616,10 @@ bad_return:

- 		  size += sizeof ("+0x") - 1 + 8;

- 		n++;

- 		s++;

-+		/* There should be only one entry in PLT for a given

-+		   symbol.  Set howto to NULL after processing a PLT

-+		   entry to guard against corrupted PLT.  */

-+		p->howto = NULL;

- 	      }

- 	    offset += plt_entry_size;

- 	  }

-diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c

-index 558db98..d9225ad 100644

-+++ b/bfd/elf64-x86-64.c

-@@ -6970,6 +6970,10 @@ bad_return:

- 		  size += sizeof ("+0x") - 1 + 8 + 8 * ABI_64_P (abfd);

- 		n++;

- 		s++;

-+		/* There should be only one entry in PLT for a given

-+		   symbol.  Set howto to NULL after processing a PLT

-+		   entry to guard against corrupted PLT.  */

-+		p->howto = NULL;

- 	      }

- 	    offset += plt_entry_size;

- 	  }

deleted file mode 100644

@@ -1,139 +0,0 @@

-From 1da5c9a485f3dcac4c45e96ef4b7dae5948314b5 Mon Sep 17 00:00:00 2001

-From: Alan Modra <amodra@gmail.com>

-Date: Mon, 25 Sep 2017 20:20:38 +0930

-Subject: [PATCH] PR22202, buffer overflow in parse_die

-

-There was a complete lack of sanity checking in dwarf1.c

-

-	PR 22202

-	* dwarf1.c (parse_die): Sanity check pointer against section limit

-	before dereferencing.

-	(parse_line_table): Likewise.

- bfd/dwarf1.c  | 56 ++++++++++++++++++++++++++++++++++++++------------------

- 1 file changed, 38 insertions(+), 18 deletions(-)

-

-diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c

-index 37d0e82..2d641a7 100644

-+++ b/bfd/dwarf1.c

-@@ -189,11 +189,14 @@ parse_die (bfd *             abfd,

-   memset (aDieInfo, 0, sizeof (* aDieInfo));

- 

-   /* First comes the length.  */

--  aDieInfo->length = bfd_get_32 (abfd, (bfd_byte *) xptr);

-+  if (xptr + 4 > aDiePtrEnd)

-+    return FALSE;

-+  aDieInfo->length = bfd_get_32 (abfd, xptr);

-   xptr += 4;

-   if (aDieInfo->length == 0

--      || (this_die + aDieInfo->length) >= aDiePtrEnd)

-+      || this_die + aDieInfo->length > aDiePtrEnd)

-     return FALSE;

-+  aDiePtrEnd = this_die + aDieInfo->length;

-   if (aDieInfo->length < 6)

-     {

-       /* Just padding bytes.  */

-@@ -202,18 +205,20 @@ parse_die (bfd *             abfd,

-     }

- 

-   /* Then the tag.  */

--  aDieInfo->tag = bfd_get_16 (abfd, (bfd_byte *) xptr);

-+  if (xptr + 2 > aDiePtrEnd)

-+    return FALSE;

-+  aDieInfo->tag = bfd_get_16 (abfd, xptr);

-   xptr += 2;

- 

-   /* Then the attributes.  */

--  while (xptr < (this_die + aDieInfo->length))

-+  while (xptr + 2 <= aDiePtrEnd)

-     {

-       unsigned short attr;

- 

-       /* Parse the attribute based on its form.  This section

-          must handle all dwarf1 forms, but need only handle the

- 	 actual attributes that we care about.  */

--      attr = bfd_get_16 (abfd, (bfd_byte *) xptr);

-+      attr = bfd_get_16 (abfd, xptr);

-       xptr += 2;

- 

-       switch (FORM_FROM_ATTR (attr))

-@@ -223,12 +228,15 @@ parse_die (bfd *             abfd,

- 	  break;

- 	case FORM_DATA4:

- 	case FORM_REF:

--	  if (attr == AT_sibling)

--	    aDieInfo->sibling = bfd_get_32 (abfd, (bfd_byte *) xptr);

--	  else if (attr == AT_stmt_list)

-+	  if (xptr + 4 <= aDiePtrEnd)

- 	    {

--	      aDieInfo->stmt_list_offset = bfd_get_32 (abfd, (bfd_byte *) xptr);

--	      aDieInfo->has_stmt_list = 1;

-+	      if (attr == AT_sibling)

-+		aDieInfo->sibling = bfd_get_32 (abfd, xptr);

-+	      else if (attr == AT_stmt_list)

-+		{

-+		  aDieInfo->stmt_list_offset = bfd_get_32 (abfd, xptr);

-+		  aDieInfo->has_stmt_list = 1;

-+		}

- 	    }

- 	  xptr += 4;

- 	  break;

-@@ -236,22 +244,29 @@ parse_die (bfd *             abfd,

- 	  xptr += 8;

- 	  break;

- 	case FORM_ADDR:

--	  if (attr == AT_low_pc)

--	    aDieInfo->low_pc = bfd_get_32 (abfd, (bfd_byte *) xptr);

--	  else if (attr == AT_high_pc)

--	    aDieInfo->high_pc = bfd_get_32 (abfd, (bfd_byte *) xptr);

-+	  if (xptr + 4 <= aDiePtrEnd)

-+	    {

-+	      if (attr == AT_low_pc)

-+		aDieInfo->low_pc = bfd_get_32 (abfd, xptr);

-+	      else if (attr == AT_high_pc)

-+		aDieInfo->high_pc = bfd_get_32 (abfd, xptr);

-+	    }

- 	  xptr += 4;

- 	  break;

- 	case FORM_BLOCK2:

--	  xptr += 2 + bfd_get_16 (abfd, (bfd_byte *) xptr);

-+	  if (xptr + 2 <= aDiePtrEnd)

-+	    xptr += bfd_get_16 (abfd, xptr);

-+	  xptr += 2;

- 	  break;

- 	case FORM_BLOCK4:

--	  xptr += 4 + bfd_get_32 (abfd, (bfd_byte *) xptr);

-+	  if (xptr + 4 <= aDiePtrEnd)

-+	    xptr += bfd_get_32 (abfd, xptr);

-+	  xptr += 4;

- 	  break;

- 	case FORM_STRING:

- 	  if (attr == AT_name)

- 	    aDieInfo->name = (char *) xptr;

--	  xptr += strlen ((char *) xptr) + 1;

-+	  xptr += strnlen ((char *) xptr, aDiePtrEnd - xptr) + 1;

- 	  break;

- 	}

-     }

-@@ -290,7 +305,7 @@ parse_line_table (struct dwarf1_debug* stash, struct dwarf1_unit* aUnit)

-     }

- 

-   xptr = stash->line_section + aUnit->stmt_list_offset;

--  if (xptr < stash->line_section_end)

-+  if (xptr + 8 <= stash->line_section_end)

-     {

-       unsigned long eachLine;

-       bfd_byte *tblend;

-@@ -318,6 +333,11 @@ parse_line_table (struct dwarf1_debug* stash, struct dwarf1_unit* aUnit)

- 

-       for (eachLine = 0; eachLine < aUnit->line_count; eachLine++)

- 	{

-+	  if (xptr + 10 > stash->line_section_end)

-+	    {

-+	      aUnit->line_count = eachLine;

-+	      break;

-+	    }

- 	  /* A line number.  */

- 	  aUnit->linenumber_table[eachLine].linenumber

- 	    = bfd_get_32 (stash->abfd, (bfd_byte *) xptr);

deleted file mode 100644

@@ -1,30 +0,0 @@

-From a67d66eb97e7613a38ffe6622d837303b3ecd31d Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Wed, 1 Nov 2017 15:21:46 +0000

-Subject: [PATCH] Prevent illegal memory accesses when attempting to read

- excessively large COFF line number tables.

-

-	PR 22376

-	* coffcode.h (coff_slurp_line_table): Check for an excessively

-	large line number count.

-diff --git a/bfd/coffcode.h b/bfd/coffcode.h

-index 21308de..6da0afa 100644

-+++ b/bfd/coffcode.h

-@@ -4578,6 +4578,14 @@ coff_slurp_line_table (bfd *abfd, asection *asect)

- 

-   BFD_ASSERT (asect->lineno == NULL);

- 

-+  if (asect->lineno_count > asect->size)

-+    {

-+      _bfd_error_handler

-+	(_("%B: warning: line number count (%#lx) exceeds section size (%#lx)"),

-+	 abfd, (unsigned long) asect->lineno_count, (unsigned long) asect->size);

-+      return FALSE;

-+    }

-+

-   amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent);

-   lineno_cache = (alent *) bfd_alloc (abfd, amt);

-   if (lineno_cache == NULL)

-2.9.3

deleted file mode 100644

@@ -1,73 +0,0 @@

-From 0301ce1486b1450f219202677f30d0fa97335419 Mon Sep 17 00:00:00 2001

-From: Alan Modra <amodra@gmail.com>

-Date: Tue, 17 Oct 2017 16:43:47 +1030

-Subject: [PATCH] PR22306, Invalid free() in slurp_symtab()

-

-	PR 22306

-	* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,

-	and error for any other size that doesn't cover the header word.

-diff --git a/bfd/aoutx.h b/bfd/aoutx.h

-index 3d38fda..d096ed5 100644

-+++ b/bfd/aoutx.h

-@@ -1351,27 +1351,42 @@ aout_get_external_symbols (bfd *abfd)

- 	  || bfd_bread ((void *) string_chars, amt, abfd) != amt)

- 	return FALSE;

-       stringsize = GET_WORD (abfd, string_chars);

-+      if (stringsize == 0)

-+	stringsize = 1;

-+      else if (stringsize < BYTES_IN_WORD

-+	       || (size_t) stringsize != stringsize)

-+	{

-+	  bfd_set_error (bfd_error_bad_value);

-+	  return FALSE;

-+	}

- 

- #ifdef USE_MMAP

--      if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,

--				 &obj_aout_string_window (abfd), TRUE))

--	return FALSE;

--      strings = (char *) obj_aout_string_window (abfd).data;

--#else

--      strings = (char *) bfd_malloc (stringsize + 1);

--      if (strings == NULL)

--	return FALSE;

--

--      /* Skip space for the string count in the buffer for convenience

--	 when using indexes.  */

--      amt = stringsize - BYTES_IN_WORD;

--      if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)

-+      if (stringsize >= BYTES_IN_WORD)

- 	{

--	  free (strings);

--	  return FALSE;

-+	  if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,

-+				     &obj_aout_string_window (abfd), TRUE))

-+	    return FALSE;

-+	  strings = (char *) obj_aout_string_window (abfd).data;

- 	}

-+      else

- #endif

-+	{

-+	  strings = (char *) bfd_malloc (stringsize);

-+	  if (strings == NULL)

-+	    return FALSE;

- 

-+	  if (stringsize >= BYTES_IN_WORD)

-+	    {

-+	      /* Keep the string count in the buffer for convenience

-+		 when indexing with e_strx.  */

-+	      amt = stringsize - BYTES_IN_WORD;

-+	      if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)

-+		{

-+		  free (strings);

-+		  return FALSE;

-+		}

-+	    }

-+	}

-       /* Ensure that a zero index yields an empty string.  */

-       strings[0] = '\0';

- 

-2.9.3

-

deleted file mode 100644

@@ -1,182 +0,0 @@

-diff -rup binutils-2.29.1/binutils/dwarf.c binutils-2.29.1-new/binutils/dwarf.c

-+++ binutils-2.29.1-new/binutils/dwarf.c	2017-12-05 16:42:59.548836797 -0800

-@@ -6225,7 +6225,7 @@ typedef struct Frame_Chunk

-   int data_factor;

-   dwarf_vma pc_begin;

-   dwarf_vma pc_range;

--  int cfa_reg;

-+  unsigned int cfa_reg;

-   dwarf_vma cfa_offset;

-   unsigned int ra;

-   unsigned char fde_encoding;

-@@ -6568,13 +6568,13 @@ frame_display_row (Frame_Chunk *fc, int

- static unsigned char *

- read_cie (unsigned char *start, unsigned char *end,

- 	  Frame_Chunk **p_cie, int *p_version,

--	  unsigned long *p_aug_len, unsigned char **p_aug)

-+	  bfd_size_type *p_aug_len, unsigned char **p_aug)

- {

-   int version;

-   Frame_Chunk *fc;

-   unsigned int length_return;

-   unsigned char *augmentation_data = NULL;

--  unsigned long augmentation_data_len = 0;

-+  bfd_size_type augmentation_data_len = 0;

- 

-   * p_cie = NULL;

-   /* PR 17512: file: 001-228113-0.004.  */

-@@ -6643,14 +6643,15 @@ read_cie (unsigned char *start, unsigned

-     {

-       READ_ULEB (augmentation_data_len);

-       augmentation_data = start;

--      start += augmentation_data_len;

-       /* PR 17512: file: 11042-2589-0.004.  */

--      if (start > end)

-+      if (augmentation_data_len > (bfd_size_type) (end - start))

- 	{

--	  warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),

--		augmentation_data_len, (long)((end - start) + augmentation_data_len));

-+	  warn (_("Augmentation data too long: 0x%s, expected at most %#lx\n"),

-+		dwarf_vmatoa ("x", augmentation_data_len),

-+		(unsigned long) (end - start));

- 	  return end;

- 	}

-+      start += augmentation_data_len;

-     }

- 

-   if (augmentation_data_len)

-@@ -6663,14 +6664,7 @@ read_cie (unsigned char *start, unsigned

-       q = augmentation_data;

-       qend = q + augmentation_data_len;

- 

--      /* PR 17531: file: 015adfaa.  */

--      if (qend < q)

--	{

--	  warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);

--	  augmentation_data_len = 0;

--	}

--

--      while (p < end && q < augmentation_data + augmentation_data_len)

-+      while (p < end && q < qend)

- 	{

- 	  if (*p == 'L')

- 	    q++;

-@@ -6699,6 +6693,31 @@ read_cie (unsigned char *start, unsigned

-   return start;

- }

- 

-+/* Prints out the contents on the augmentation data array.

-+   If do_wide is not enabled, then formats the output to fit into 80 columns.  */

-+

-+static void

-+display_augmentation_data (const unsigned char * data, const bfd_size_type len)

-+{

-+  bfd_size_type i;

-+

-+  i = printf (_("  Augmentation data:    "));

-+

-+  if (do_wide || len < ((80 - i) / 3))

-+    for (i = 0; i < len; ++i)

-+      printf (" %02x", data[i]);

-+  else

-+    {

-+      for (i = 0; i < len; ++i)

-+	{

-+	  if (i % (80 / 3) == 0)

-+	    putchar ('\n');

-+	  printf (" %02x", data[i]);

-+	}

-+    }

-+  putchar ('\n');

-+}

-+

- static int

- display_debug_frames (struct dwarf_section *section,

- 		      void *file ATTRIBUTE_UNUSED)

-@@ -6727,7 +6746,7 @@ display_debug_frames (struct dwarf_secti

-       Frame_Chunk *cie;

-       int need_col_headers = 1;

-       unsigned char *augmentation_data = NULL;

--      unsigned long augmentation_data_len = 0;

-+      bfd_size_type augmentation_data_len = 0;

-       unsigned int encoded_ptr_size = saved_eh_addr_size;

-       unsigned int offset_size;

-       unsigned int initial_length_size;

-@@ -6821,16 +6840,8 @@ display_debug_frames (struct dwarf_secti

- 	      printf ("  Return address column: %d\n", fc->ra);

- 

- 	      if (augmentation_data_len)

--		{

--		  unsigned long i;

-+		display_augmentation_data (augmentation_data, augmentation_data_len);

- 

--		  printf ("  Augmentation data:    ");

--		  for (i = 0; i < augmentation_data_len; ++i)

--		    /* FIXME: If do_wide is FALSE, then we should

--		       add carriage returns at 80 columns...  */

--		    printf (" %02x", augmentation_data[i]);

--		  putchar ('\n');

--		}

- 	      putchar ('\n');

- 	    }

- 	}

-@@ -6986,11 +6997,13 @@ display_debug_frames (struct dwarf_secti

- 	      READ_ULEB (augmentation_data_len);

- 	      augmentation_data = start;

- 	      start += augmentation_data_len;

--	      /* PR 17512: file: 722-8446-0.004.  */

--	      if (start >= end || ((signed long) augmentation_data_len) < 0)

-+	      /* PR 17512 file: 722-8446-0.004 and PR 22386.  */

-+	      if (start >= end

-+		  || ((bfd_signed_vma) augmentation_data_len) < 0

-+		  || augmentation_data > start)

- 		{

--		  warn (_("Corrupt augmentation data length: %lx\n"),

--			augmentation_data_len);

-+		  warn (_("Corrupt augmentation data length: 0x%s\n"),

-+			dwarf_vmatoa ("x", augmentation_data_len));

- 		  start = end;

- 		  augmentation_data = NULL;

- 		  augmentation_data_len = 0;

-@@ -7012,12 +7025,7 @@ display_debug_frames (struct dwarf_secti

- 

- 	  if (! do_debug_frames_interp && augmentation_data_len)

- 	    {

--	      unsigned long i;

--

--	      printf ("  Augmentation data:    ");

--	      for (i = 0; i < augmentation_data_len; ++i)

--		printf (" %02x", augmentation_data[i]);

--	      putchar ('\n');

-+	      display_augmentation_data (augmentation_data, augmentation_data_len);

- 	      putchar ('\n');

- 	    }

- 	}

-@@ -7449,7 +7457,7 @@ display_debug_frames (struct dwarf_secti

- 	      break;

- 

- 	    case DW_CFA_def_cfa:

--	      READ_SLEB (fc->cfa_reg);

-+	      READ_ULEB (fc->cfa_reg);

- 	      READ_ULEB (fc->cfa_offset);

- 	      fc->cfa_exp = 0;

- 	      if (! do_debug_frames_interp)

-@@ -7458,7 +7466,7 @@ display_debug_frames (struct dwarf_secti

- 	      break;

- 

- 	    case DW_CFA_def_cfa_register:

--	      READ_SLEB (fc->cfa_reg);

-+	      READ_ULEB (fc->cfa_reg);

- 	      fc->cfa_exp = 0;

- 	      if (! do_debug_frames_interp)

- 		printf ("  DW_CFA_def_cfa_register: %s\n",

-@@ -7577,7 +7585,7 @@ display_debug_frames (struct dwarf_secti

- 	      break;

- 

- 	    case DW_CFA_def_cfa_sf:

--	      READ_SLEB (fc->cfa_reg);

-+	      READ_ULEB (fc->cfa_reg);

- 	      READ_ULEB (fc->cfa_offset);

- 	      fc->cfa_offset = fc->cfa_offset * fc->data_factor;

- 	      fc->cfa_exp = 0;

deleted file mode 100644

@@ -1,59 +0,0 @@

-From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001

-From: Alan Modra <amodra@gmail.com>

-Date: Tue, 17 Oct 2017 21:57:29 +1030

-Subject: [PATCH] PR22307, Heap out of bounds read in

- _bfd_elf_parse_gnu_properties

-

-When adding an unbounded increment to a pointer, you can't just check

-against the end of the buffer but also must check that overflow

-doesn't result in "negative" pointer movement.  Pointer comparisons

-are signed.  Better, check the increment against the space left using

-an unsigned comparison.

-

-	PR 22307

-	* elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz

-	against size left rather than comparing pointers.  Reorganise loop.

-diff --git a/bfd/elf-properties.c b/bfd/elf-properties.c

-index f367aa6..bfb106e 100644

-+++ b/bfd/elf-properties.c

-@@ -93,15 +93,20 @@ bad_size:

-       return FALSE;

-     }

- 

--  while (1)

-+  while (ptr != ptr_end)

-     {

--      unsigned int type = bfd_h_get_32 (abfd, ptr);

--      unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4);

-+      unsigned int type;

-+      unsigned int datasz;

-       elf_property *prop;

- 

-+      if ((size_t) (ptr_end - ptr) < 8)

-+	goto bad_size;

-+

-+      type = bfd_h_get_32 (abfd, ptr);

-+      datasz = bfd_h_get_32 (abfd, ptr + 4);

-       ptr += 8;

- 

--      if ((ptr + datasz) > ptr_end)

-+      if (datasz > (size_t) (ptr_end - ptr))

- 	{

- 	  _bfd_error_handler

- 	    (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"),

-@@ -183,11 +188,6 @@ bad_size:

- 

- next:

-       ptr += (datasz + (align_size - 1)) & ~ (align_size - 1);

--      if (ptr == ptr_end)

--	break;

--

--      if (ptr > (ptr_end - 8))

--	goto bad_size;

-     }

- 

-   return TRUE;

-2.9.3

-

deleted file mode 100644

@@ -1,69 +0,0 @@

-From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001

-From: Mingi Cho <mgcho.minic@gmail.com>

-Date: Thu, 2 Nov 2017 17:01:08 +0000

-Subject: [PATCH] Work around integer overflows when readelf is checking for

- corrupt ELF notes when run on a 32-bit host.

-

-	PR 22384

-	* readelf.c (print_gnu_property_note): Improve overflow checks so

-	that they will work on a 32-bit host.

-diff --git a/binutils/readelf.c b/binutils/readelf.c

-index 9af5d42..cfd37eb 100644

-+++ b/binutils/readelf.c

-@@ -16519,15 +16519,24 @@ print_gnu_property_note (Elf_Internal_Note * pnote)

-       return;

-     }

- 

--  while (1)

-+  while (ptr < ptr_end)

-     {

-       unsigned int j;

--      unsigned int type = byte_get (ptr, 4);

--      unsigned int datasz = byte_get (ptr + 4, 4);

-+      unsigned int type;

-+      unsigned int datasz;

-+

-+      if ((size_t) (ptr_end - ptr) < 8)

-+	{

-+	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);

-+	  break;

-+	}

-+

-+      type = byte_get (ptr, 4);

-+      datasz = byte_get (ptr + 4, 4);

- 

-       ptr += 8;

- 

--      if ((ptr + datasz) > ptr_end)

-+      if (datasz > (size_t) (ptr_end - ptr))

- 	{

- 	  printf (_("<corrupt type (%#x) datasz: %#x>\n"),

- 		  type, datasz);

-@@ -16608,19 +16617,11 @@ next:

-       ptr += ((datasz + (size - 1)) & ~ (size - 1));

-       if (ptr == ptr_end)

- 	break;

--      else

--	{

--	  if (do_wide)

--	    printf (", ");

--	  else

--	    printf ("\n\t");

--	}

- 

--      if (ptr > (ptr_end - 8))

--	{

--	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);

--	  break;

--	}

-+      if (do_wide)

-+	printf (", ");

-+      else

-+	printf ("\n\t");

-     }

- 

-   printf ("\n");

-2.9.3

-

deleted file mode 100644

@@ -1,39 +0,0 @@

-diff -rup binutils-2.29.1/bfd/coffgen.c binutils-2.29.1-new/bfd/coffgen.c

-+++ binutils-2.29.1-new/bfd/coffgen.c	2017-12-05 17:03:17.232545359 -0800

-@@ -1640,13 +1640,23 @@ _bfd_coff_get_external_symbols (bfd *abf

-   size = obj_raw_syment_count (abfd) * symesz;

-   if (size == 0)

-     return TRUE;

-+  /* Check for integer overflow and for unreasonable symbol counts.  */

-+  if (size < obj_raw_syment_count (abfd)

-+      || (bfd_get_file_size (abfd) > 0

-+	  && size > bfd_get_file_size (abfd)))

-+    

-+    {

-+      _bfd_error_handler (_("%B: corrupt symbol count: %#Lx"),

-+			  abfd, obj_raw_syment_count (abfd));

-+      return FALSE;

-+    }

- 

-   syms = bfd_malloc (size);

-   if (syms == NULL)

-     {

-       /* PR 21013: Provide an error message when the alloc fails.  */

--      _bfd_error_handler (_("%B: Not enough memory to allocate space for %lu symbols"),

--			  abfd, size);

-+      _bfd_error_handler (_("%B: not enough memory to allocate space for %#Lx symbols of size %#Lx"),

-+			  abfd, obj_raw_syment_count (abfd), symesz);

-       return FALSE;

-     }

- 

-@@ -1790,6 +1800,9 @@ coff_get_normalized_symtab (bfd *abfd)

-     return NULL;

- 

-   size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type);

-+  /* Check for integer overflow.  */

-+  if (size < obj_raw_syment_count (abfd))

-+    return NULL;

-   internal = (combined_entry_type *) bfd_zalloc (abfd, size);

-   if (internal == NULL && size != 0)

-     return NULL;

deleted file mode 100644

@@ -1,39 +0,0 @@

-From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Tue, 31 Oct 2017 14:29:40 +0000

-Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary

- with a corrupt data dictionary.

-

-	PR 22373

-	* peicode.h (pe_bfd_read_buildid): Check for invalid size and data

-	offset values.

-diff --git a/bfd/peicode.h b/bfd/peicode.h

-index 2dffb12..f3b759c 100644

-+++ b/bfd/peicode.h

-@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)

-   bfd_byte *data = 0;

-   bfd_size_type dataoff;

-   unsigned int i;

--

-   bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;

-   bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;

- 

-@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)

- 

-   dataoff = addr - section->vma;

- 

--  /* PR 20605: Make sure that the data is really there.  */

--  if (dataoff + size > section->size)

-+  /* PR 20605 and 22373: Make sure that the data is really there.

-+     Note - since we are dealing with unsigned quantities we have

-+     to be careful to check for potential overflows.  */

-+  if (dataoff > section->size

-+      || size > section->size

-+      || dataoff + size > section->size)

-     {

-       _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),

- 			  abfd);

-2.9.3

-

deleted file mode 100644

@@ -1,337 +0,0 @@

-From b23dc97fe237a1d9e850d7cbeee066183a00630b Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Tue, 28 Nov 2017 13:20:31 +0000

-Subject: [PATCH] Fix a memory access violation when attempting to parse a

- corrupt COFF binary with a relocation that points beyond the end of the

- section to be relocated.

-

-	PR 22506

-	* reloc.c (reloc_offset_in_range): Rename to

-	bfd_reloc_offset_in_range and export.

-	(bfd_perform_relocation): Rename function invocation.

-	(bfd_install_relocation): Likewise.

-	(bfd_final_link_relocate): Likewise.

-	* bfd-in2.h: Regenerate.

-	* coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range.

-	* coff-i386.c (coff_i386_reloc): Likewise.

-	* coff-i860.c (coff_i860_reloc): Likewise.

-	* coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise.

-	* coff-m88k.c (m88k_special_reloc): Likewise.

-	* coff-mips.c (mips_reflo_reloc): Likewise.

-	* coff-x86_64.c (coff_amd64_reloc): Likewise.

- bfd/bfd-in2.h     |  6 +++++

- bfd/coff-arm.c    | 65 ++++++++++++++++++++++++++++++-------------------------

- bfd/coff-i386.c   |  5 +++++

- bfd/coff-i860.c   |  5 +++++

- bfd/coff-m68k.c   |  5 +++++

- bfd/coff-m88k.c   |  9 +++++++-

- bfd/coff-mips.c   |  6 +++++

- bfd/coff-x86_64.c | 16 +++++---------

- bfd/reloc.c       | 40 +++++++++++++++++++++++++++++-----

-

-diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h

-index 1b483bd..db1c480 100644

-+++ b/bfd/bfd-in2.h

-@@ -2662,6 +2662,12 @@ bfd_reloc_status_type bfd_check_overflow

-     unsigned int addrsize,

-     bfd_vma relocation);

- 

-+bfd_boolean bfd_reloc_offset_in_range

-+   (reloc_howto_type *howto,

-+    bfd *abfd,

-+    asection *section,

-+    bfd_size_type offset);

-+

- bfd_reloc_status_type bfd_perform_relocation

-    (bfd *abfd,

-     arelent *reloc_entry,

-diff --git a/bfd/coff-arm.c b/bfd/coff-arm.c

-index 8a2fe1a..1e66cbc 100644

-+++ b/bfd/coff-arm.c

-@@ -109,41 +109,46 @@ coff_arm_reloc (bfd *abfd,

-   x = ((x & ~howto->dst_mask)					\

-        | (((x & howto->src_mask) + diff) & howto->dst_mask))

- 

--    if (diff != 0)

--      {

--	reloc_howto_type *howto = reloc_entry->howto;

--	unsigned char *addr = (unsigned char *) data + reloc_entry->address;

-+  if (diff != 0)

-+    {

-+      reloc_howto_type *howto = reloc_entry->howto;

-+      unsigned char *addr = (unsigned char *) data + reloc_entry->address;

- 

--	switch (howto->size)

--	  {

--	  case 0:

--	    {

--	      char x = bfd_get_8 (abfd, addr);

--	      DOIT (x);

--	      bfd_put_8 (abfd, x, addr);

--	    }

--	    break;

-+      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,

-+				       reloc_entry->address

-+				       * bfd_octets_per_byte (abfd)))

-+	return bfd_reloc_outofrange;

- 

--	  case 1:

--	    {

--	      short x = bfd_get_16 (abfd, addr);

--	      DOIT (x);

--	      bfd_put_16 (abfd, (bfd_vma) x, addr);

--	    }

--	    break;

-+      switch (howto->size)

-+	{

-+	case 0:

-+	  {

-+	    char x = bfd_get_8 (abfd, addr);

-+	    DOIT (x);

-+	    bfd_put_8 (abfd, x, addr);

-+	  }

-+	  break;

- 

--	  case 2:

--	    {

--	      long x = bfd_get_32 (abfd, addr);

--	      DOIT (x);

--	      bfd_put_32 (abfd, (bfd_vma) x, addr);

--	    }

--	    break;

-+	case 1:

-+	  {

-+	    short x = bfd_get_16 (abfd, addr);

-+	    DOIT (x);

-+	    bfd_put_16 (abfd, (bfd_vma) x, addr);

-+	  }

-+	  break;

- 

--	  default:

--	    abort ();

-+	case 2:

-+	  {

-+	    long x = bfd_get_32 (abfd, addr);

-+	    DOIT (x);

-+	    bfd_put_32 (abfd, (bfd_vma) x, addr);

- 	  }

--      }

-+	  break;

-+

-+	default:

-+	  abort ();

-+	}

-+    }

- 

-   /* Now let bfd_perform_relocation finish everything up.  */

-   return bfd_reloc_continue;

-diff --git a/bfd/coff-i386.c b/bfd/coff-i386.c

-index b6ef597..91371d8 100644

-+++ b/bfd/coff-i386.c

-@@ -144,6 +144,11 @@ coff_i386_reloc (bfd *abfd,

-       reloc_howto_type *howto = reloc_entry->howto;

-       unsigned char *addr = (unsigned char *) data + reloc_entry->address;

- 

-+      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,

-+				       reloc_entry->address

-+				       * bfd_octets_per_byte (abfd)))

-+	return bfd_reloc_outofrange;

-+

-       switch (howto->size)

- 	{

- 	case 0:

-diff --git a/bfd/coff-i860.c b/bfd/coff-i860.c

-index a3c22c6..e2e49f9 100644

-+++ b/bfd/coff-i860.c

-@@ -95,6 +95,11 @@ coff_i860_reloc (bfd *abfd,

- 	reloc_howto_type *howto = reloc_entry->howto;

- 	unsigned char *addr = (unsigned char *) data + reloc_entry->address;

- 

-+	if (! bfd_reloc_offset_in_range (howto, abfd, input_section,

-+					 reloc_entry->address

-+					 * bfd_octets_per_byte (abfd)))

-+	  return bfd_reloc_outofrange;

-+

- 	switch (howto->size)

- 	  {

- 	  case 0:

-diff --git a/bfd/coff-m68k.c b/bfd/coff-m68k.c

-index dff6e1d..1730c11 100644

-+++ b/bfd/coff-m68k.c

-@@ -305,6 +305,11 @@ m68kcoff_common_addend_special_fn (bfd *abfd,

-       reloc_howto_type *howto = reloc_entry->howto;

-       unsigned char *addr = (unsigned char *) data + reloc_entry->address;

- 

-+      if (! bfd_reloc_offset_in_range (howto, abfd, input_section,

-+				       reloc_entry->address

-+				       * bfd_octets_per_byte (abfd)))

-+	return bfd_reloc_outofrange;

-+

-       switch (howto->size)

- 	{

- 	case 0:

-diff --git a/bfd/coff-m88k.c b/bfd/coff-m88k.c

-index ebe4fd3..6314bd3 100644

-+++ b/bfd/coff-m88k.c

-@@ -72,10 +72,17 @@ m88k_special_reloc (bfd *abfd,

- 	{

- 	  bfd_vma output_base = 0;

- 	  bfd_vma addr = reloc_entry->address;

--	  bfd_vma x = bfd_get_16 (abfd, (bfd_byte *) data + addr);

-+	  bfd_vma x;

- 	  asection *reloc_target_output_section;

- 	  long relocation = 0;

-