deleted file mode 100644

@@ -1,40 +0,0 @@

-From 6aea08d9f3e3d6475a65454da488a0c51f5dc97d Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Tue, 17 Apr 2018 12:35:55 +0100

-Subject: [PATCH] Fix illegal memory access when parsing corrupt DWARF

- information.

-

-	PR 23064

-	* dwarf.c (process_cu_tu_index): Test for a potential buffer

-	overrun before copying signature pointer.

- binutils/ChangeLog |  6 ++++++

- binutils/dwarf.c   | 13 ++++++++++++-

- 2 files changed, 18 insertions(+), 1 deletion(-)

-

-diff --git a/binutils/dwarf.c b/binutils/dwarf.c

-index 10b4e28..f94f5b2 100644

-+++ b/binutils/dwarf.c

-@@ -9287,7 +9287,18 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)

- 		}

- 

- 	      if (!do_display)

--		memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));

-+		{

-+		  size_t num_copy = sizeof (uint64_t);

-+

-+		  /* PR 23064: Beware of buffer overflow.  */

-+		  if (ph + num_copy < limit)

-+		    memcpy (&this_set[row - 1].signature, ph, num_copy);

-+		  else

-+		    {

-+		      warn (_("Signature (%p) extends beyond end of space in section\n"), ph);

-+		      return 0;

-+		    }

-+		}

- 

- 	      prow = poffsets + (row - 1) * ncols * 4;

- 	      /* PR 17531: file: b8ce60a8.  */

-2.9.3

deleted file mode 100644

@@ -1,15 +0,0 @@

-diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c

-index ca22db7..0f8257f 100644

-+++ b/bfd/dwarf2.c

-@@ -1566,7 +1566,7 @@ concat_filename (struct line_info_table *table, unsigned int file)

- {

-   char *filename;

- 

--  if (file - 1 >= table->num_files)

-+  if (table == NULL || file - 1 >= table->num_files)

-     {

-       /* FILE == 0 means unknown.  */

-       if (file)

-2.9.3

deleted file mode 100644

@@ -1,44 +0,0 @@

-From db0c309f4011ca94a4abc8458e27f3734dab92ac Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Tue, 24 Apr 2018 16:57:04 +0100

-Subject: [PATCH] Fix an illegal memory access when trying to copy an ELF

- binary with corrupt section symbols.

-

-	PR 23113

-	* elf.c (ignore_section_sym): Check for the output_section pointer

-	being NULL before dereferencing it.

- bfd/ChangeLog | 4 ++++

- bfd/elf.c     | 9 ++++++++-

- 2 files changed, 12 insertions(+), 1 deletion(-)

-

-diff --git a/bfd/elf.c b/bfd/elf.c

-index 8ea5a81..092b275 100644

-+++ b/bfd/elf.c

-@@ -4022,15 +4022,22 @@ ignore_section_sym (bfd *abfd, asymbol *sym)

- {

-   elf_symbol_type *type_ptr;

- 

-+  if (sym == NULL)

-+    return FALSE;

-+

-   if ((sym->flags & BSF_SECTION_SYM) == 0)

-     return FALSE;

- 

-+  if (sym->section == NULL)

-+    return TRUE;

-+

-   type_ptr = elf_symbol_from (abfd, sym);

-   return ((type_ptr != NULL

- 	   && type_ptr->internal_elf_sym.st_shndx != 0

- 	   && bfd_is_abs_section (sym->section))

- 	  || !(sym->section->owner == abfd

--	       || (sym->section->output_section->owner == abfd

-+	       || (sym->section->output_section != NULL

-+		   && sym->section->output_section->owner == abfd

- 		   && sym->section->output_offset == 0)

- 	       || bfd_is_abs_section (sym->section)));

- }

-2.9.3

deleted file mode 100644

@@ -1,42 +0,0 @@

-From f2023ce7e8d70b0155cc6206c901e185260918f0 Mon Sep 17 00:00:00 2001

-From: Alan Modra <amodra@gmail.com>

-Date: Thu, 1 Feb 2018 18:01:00 +1030

-Subject: [PATCH] PR22769, crash when running 32-bit objdump on corrupted file

-

-	PR 22769

-	* objdump.c (load_specific_debug_section): Check for overflow

-	when adding one to section size for a string section terminator.

- binutils/ChangeLog | 6 ++++++

- binutils/objdump.c | 7 +++++--

- 2 files changed, 11 insertions(+), 2 deletions(-)

-

-diff --git a/binutils/objdump.c b/binutils/objdump.c

-index 6c4d936..d8dca90 100644

-+++ b/binutils/objdump.c

-@@ -2466,6 +2466,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,

-   struct dwarf_section *section = &debug_displays [debug].section;

-   bfd *abfd = (bfd *) file;

-   bfd_byte *contents;

-+  bfd_size_type amt;

- 

-   if (section->start != NULL)

-     {

-@@ -2480,9 +2481,11 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,

-   section->num_relocs = 0;

-   section->address = bfd_get_section_vma (abfd, sec);

-   section->size = bfd_get_section_size (sec);

--  section->start = contents = malloc (section->size + 1);

-+  amt = section->size + 1;

-+  section->start = contents = malloc (amt);

-   section->user_data = sec;

--  if (section->start == NULL

-+  if (amt == 0

-+      || section->start == NULL

-       || !bfd_get_full_section_contents (abfd, sec, &contents))

-     {

-       free_debug_section (debug);

-2.9.3

-

deleted file mode 100644

@@ -1,89 +0,0 @@

-From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Tue, 6 Feb 2018 15:48:29 +0000

-Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by

- chacking the size of debuglink sections.

-

-	PR 22794

-	* opncls.c (bfd_get_debug_link_info_1): Check the size of the

-	section before attempting to read it in.

-	(bfd_get_alt_debug_link_info): Likewise.

- bfd/ChangeLog |  7 +++++++

- bfd/opncls.c  | 22 +++++++++++++++++-----

- 2 files changed, 24 insertions(+), 5 deletions(-)

-

-diff --git a/bfd/opncls.c b/bfd/opncls.c

-index 458f06e..16b568c 100644

-+++ b/bfd/opncls.c

-@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)

-   bfd_byte *contents;

-   unsigned int crc_offset;

-   char *name;

-+  bfd_size_type size;

- 

-   BFD_ASSERT (abfd);

-   BFD_ASSERT (crc32_out);

-@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)

-   if (sect == NULL)

-     return NULL;

- 

-+  size = bfd_get_section_size (sect);

-+

-+  /* PR 22794: Make sure that the section has a reasonable size.  */

-+  if (size < 8 || size >= bfd_get_size (abfd))

-+    return NULL;

-+

-   if (!bfd_malloc_and_get_section (abfd, sect, &contents))

-     {

-       if (contents != NULL)

-@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)

- 

-   /* CRC value is stored after the filename, aligned up to 4 bytes.  */

-   name = (char *) contents;

--  /* PR 17597: avoid reading off the end of the buffer.  */

--  crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;

-+  /* PR 17597: Avoid reading off the end of the buffer.  */

-+  crc_offset = strnlen (name, size) + 1;

-   crc_offset = (crc_offset + 3) & ~3;

--  if (crc_offset + 4 > bfd_get_section_size (sect))

-+  if (crc_offset + 4 > size)

-     return NULL;

- 

-   *crc32 = bfd_get_32 (abfd, contents + crc_offset);

-@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len,

-   bfd_byte *contents;

-   unsigned int buildid_offset;

-   char *name;

-+  bfd_size_type size;

- 

-   BFD_ASSERT (abfd);

-   BFD_ASSERT (buildid_len);

-@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len,

-   if (sect == NULL)

-     return NULL;

- 

-+  size = bfd_get_section_size (sect);

-+  if (size < 8 || size >= bfd_get_size (abfd))

-+    return NULL;

-+

-   if (!bfd_malloc_and_get_section (abfd, sect, & contents))

-     {

-       if (contents != NULL)

-@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len,

- 

-   /* BuildID value is stored after the filename.  */

-   name = (char *) contents;

--  buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;

-+  buildid_offset = strnlen (name, size) + 1;

-   if (buildid_offset >= bfd_get_section_size (sect))

-     return NULL;

- 

--  *buildid_len = bfd_get_section_size (sect) - buildid_offset;

-+  *buildid_len = size - buildid_offset;

-   *buildid_out = bfd_malloc (*buildid_len);

-   memcpy (*buildid_out, contents + buildid_offset, *buildid_len);

- 

-2.9.3

deleted file mode 100644

@@ -1,29 +0,0 @@

-From ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6 Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Thu, 8 Feb 2018 10:28:25 +0000

-Subject: [PATCH 1/1] Fix a seg-fault in the ELF note parser when a note with

- an excessively large alignment is encountered.

-

-	PR 22788

-	* elf.c (elf_parse_notes): Reject notes with excessuively large

-	alignments.

- bfd/ChangeLog | 6 ++++++

- bfd/elf.c     | 2 ++

- 2 files changed, 8 insertions(+)

-

-diff --git a/bfd/elf.c b/bfd/elf.c

-index dedf35f..db1e076 100644

-+++ b/bfd/elf.c

-@@ -11012,6 +11012,8 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset,

-      align is less than 4, we use 4 byte alignment.   */

-   if (align < 4)

-     align = 4;

-+  if (align != 4 && align != 8)

-+    return FALSE;

- 

-   p = buf;

-   while (p < buf + size)

-2.9.3

deleted file mode 100644

@@ -1,30 +0,0 @@

-From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001

-From: Alan Modra <amodra@gmail.com>

-Date: Sat, 27 Jan 2018 08:19:33 +1030

-Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object

-

-	PR 22741

-	* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in

-	range before converting to a symbol table pointer.

- bfd/ChangeLog | 6 ++++++

- bfd/coffgen.c | 3 ++-

- 2 files changed, 8 insertions(+), 1 deletion(-)

-

-diff --git a/bfd/coffgen.c b/bfd/coffgen.c

-index b241087..4f90ead 100644

-+++ b/bfd/coffgen.c

-@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,

-     }

-   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can

-      generate one, so we must be careful to ignore it.  */

--  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)

-+  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l

-+      < obj_raw_syment_count (abfd))

-     {

-       auxent->u.auxent.x_sym.x_tagndx.p =

- 	table_base + auxent->u.auxent.x_sym.x_tagndx.l;

-2.9.3

-

deleted file mode 100644

@@ -1,55 +0,0 @@

-From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Wed, 28 Feb 2018 10:13:54 +0000

-Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1

- debug information.

-

-	PR 22894

-	* dwarf1.c (parse_die): Check the length of form blocks before

-	advancing the data pointer.

- bfd/ChangeLog |  6 ++++++

- bfd/dwarf1.c  | 17 +++++++++++++++--

- 2 files changed, 21 insertions(+), 2 deletions(-)

-

-diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c

-index 71bc57b..f272ea8 100644

-+++ b/bfd/dwarf1.c

-@@ -213,6 +213,7 @@ parse_die (bfd *	     abfd,

-   /* Then the attributes.  */

-   while (xptr + 2 <= aDiePtrEnd)

-     {

-+      unsigned int   block_len;

-       unsigned short attr;

- 

-       /* Parse the attribute based on its form.  This section

-@@ -255,12 +256,24 @@ parse_die (bfd *	     abfd,

- 	  break;

- 	case FORM_BLOCK2:

- 	  if (xptr + 2 <= aDiePtrEnd)

--	    xptr += bfd_get_16 (abfd, xptr);

-+	    {

-+	      block_len = bfd_get_16 (abfd, xptr);

-+	      if (xptr + block_len > aDiePtrEnd

-+		  || xptr + block_len < xptr)

-+		return FALSE;

-+	      xptr += block_len;

-+	    }

- 	  xptr += 2;

- 	  break;

- 	case FORM_BLOCK4:

- 	  if (xptr + 4 <= aDiePtrEnd)

--	    xptr += bfd_get_32 (abfd, xptr);

-+	    {

-+	      block_len = bfd_get_32 (abfd, xptr);

-+	      if (xptr + block_len > aDiePtrEnd

-+		  || xptr + block_len < xptr)

-+		return FALSE;

-+	      xptr += block_len;

-+	    }

- 	  xptr += 4;

- 	  break;

- 	case FORM_STRING:

-2.9.3

deleted file mode 100644

@@ -1,96 +0,0 @@

-From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Wed, 28 Feb 2018 11:50:49 +0000

-Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF

- FORM blocks.

-

-	PR 22895

-	PR 22893

-	* dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block

-	pointer.  Drop unused abfd parameter.  Check the size of the block

-	before initialising the data field.  Return the end pointer if the

-	size is invalid.

-	(read_attribute_value): Adjust invocations of read_n_bytes.

- bfd/ChangeLog |  8 ++++++++

- bfd/dwarf2.c  | 36 +++++++++++++++++++++---------------

- 2 files changed, 29 insertions(+), 15 deletions(-)

-

-diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c

-index 2413542..ca22db7 100644

-+++ b/bfd/dwarf2.c

-@@ -623,14 +623,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf, bfd_byte *end)

- }

- 

- static bfd_byte *

--read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,

--	      bfd_byte *buf,

--	      bfd_byte *end,

--	      unsigned int size ATTRIBUTE_UNUSED)

-+read_n_bytes (bfd_byte *           buf,

-+	      bfd_byte *           end,

-+	      struct dwarf_block * block)

- {

--  if (buf + size > end)

--    return NULL;

--  return buf;

-+  unsigned int  size = block->size;

-+  bfd_byte *    block_end = buf + size;

-+

-+  if (block_end > end || block_end < buf)

-+    {

-+      block->data = NULL;

-+      block->size = 0;

-+      return end;

-+    }

-+  else

-+    {

-+      block->data = buf;

-+      return block_end;

-+    }

- }

- 

- /* Scans a NUL terminated string starting at BUF, returning a pointer to it.

-@@ -1128,8 +1138,7 @@ read_attribute_value (struct attribute *  attr,

- 	return NULL;

-       blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);

-       info_ptr += 2;

--      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);

--      info_ptr += blk->size;

-+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);

-       attr->u.blk = blk;

-       break;

-     case DW_FORM_block4:

-@@ -1139,8 +1148,7 @@ read_attribute_value (struct attribute *  attr,

- 	return NULL;

-       blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);

-       info_ptr += 4;

--      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);

--      info_ptr += blk->size;

-+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);

-       attr->u.blk = blk;

-       break;

-     case DW_FORM_data2:

-@@ -1180,8 +1188,7 @@ read_attribute_value (struct attribute *  attr,

-       blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,

- 					 FALSE, info_ptr_end);

-       info_ptr += bytes_read;

--      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);

--      info_ptr += blk->size;

-+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);

-       attr->u.blk = blk;

-       break;

-     case DW_FORM_block1:

-@@ -1191,8 +1198,7 @@ read_attribute_value (struct attribute *  attr,

- 	return NULL;

-       blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);

-       info_ptr += 1;

--      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);

--      info_ptr += blk->size;

-+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);

-       attr->u.blk = blk;

-       break;

-     case DW_FORM_data1:

-2.9.3

deleted file mode 100644

@@ -1,34 +0,0 @@

-From 116acb2c268c89c89186673a7c92620d21825b25 Mon Sep 17 00:00:00 2001

-From: Alan Modra <amodra@gmail.com>

-Date: Wed, 28 Feb 2018 22:09:50 +1030

-Subject: [PATCH] PR22887, null pointer dereference in

- aout_32_swap_std_reloc_out

-

-	PR 22887

-	* aoutx.h (swap_std_reloc_in): Correct r_index bound check.

- bfd/ChangeLog | 5 +++++

- bfd/aoutx.h   | 6 ++++--

- 2 files changed, 9 insertions(+), 2 deletions(-)

-

-diff --git a/bfd/aoutx.h b/bfd/aoutx.h

-index 4cadbfb..525e560 100644

-+++ b/bfd/aoutx.h

-@@ -2289,10 +2289,12 @@ NAME (aout, swap_std_reloc_in) (bfd *abfd,

-   if (r_baserel)

-     r_extern = 1;

- 

--  if (r_extern && r_index > symcount)

-+  if (r_extern && r_index >= symcount)

-     {

-       /* We could arrange to return an error, but it might be useful

--	 to see the file even if it is bad.  */

-+	 to see the file even if it is bad.  FIXME: Of course this

-+	 means that objdump -r *doesn't* see the actual reloc, and

-+	 objcopy silently writes a different reloc.  */

-       r_extern = 0;

-       r_index = N_ABS;

-     }

-2.9.3

deleted file mode 100644

@@ -1,85 +0,0 @@

-From d11ae95ea3403559f052903ab053f43ad7821e37 Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Thu, 1 Mar 2018 16:14:08 +0000

-Subject: [PATCH] Prevent illegal memory accesses triggerd by intger overflow

- when parsing corrupt DWARF information on a 32-bit host.

-

-	PR 22905

-	* dwarf.c (display_debug_ranges): Check that the offset loaded

-	from the range_entry structure is valid.

- binutils/ChangeLog |  6 ++++++

- binutils/dwarf.c   | 15 +++++++++++++++

- 2 files changed, 21 insertions(+)

-

-diff --git a/binutils/dwarf.c b/binutils/dwarf.c

-index 6aca9b7..17896e6 100644

-+++ b/binutils/dwarf.c

-@@ -387,6 +387,9 @@ read_uleb128 (unsigned char * data,

-     }								\

-   while (0)

- 

-+/* Read AMOUNT bytes from PTR and store them in VAL as an unsigned value.

-+   Checks to make sure that the read will not reach or pass END

-+   and that VAL is big enough to hold AMOUNT bytes.  */

- #define SAFE_BYTE_GET(VAL, PTR, AMOUNT, END)	\

-   do						\

-     {						\

-@@ -415,6 +418,7 @@ read_uleb128 (unsigned char * data,

-     }						\

-   while (0)

- 

-+/* Like SAFE_BYTE_GET, but also increments PTR by AMOUNT.  */

- #define SAFE_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END)	\

-   do							\

-     {							\

-@@ -423,6 +427,7 @@ read_uleb128 (unsigned char * data,

-     }							\

-   while (0)

- 

-+/* Like SAFE_BYTE_GET, but reads a signed value.  */

- #define SAFE_SIGNED_BYTE_GET(VAL, PTR, AMOUNT, END)	\

-   do							\

-     {							\

-@@ -441,6 +446,7 @@ read_uleb128 (unsigned char * data,

-     }							\

-   while (0)

- 

-+/* Like SAFE_SIGNED_BYTE_GET, but also increments PTR by AMOUNT.  */

- #define SAFE_SIGNED_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END)	\

-   do								\

-     {								\

-@@ -6543,6 +6549,7 @@ display_debug_ranges_list (unsigned char *start, unsigned char *finish,

- 	break;

-       SAFE_SIGNED_BYTE_GET_AND_INC (end, start, pointer_size, finish);

- 

-+      

-       printf ("    %8.8lx ", offset);

- 

-       if (begin == 0 && end == 0)

-@@ -6810,6 +6817,13 @@ display_debug_ranges (struct dwarf_section *section,

- 	  continue;

- 	}

- 

-+      if (next < section_begin || next >= finish)

-+	{

-+	  warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),

-+		(unsigned long) offset, i);

-+	  continue;

-+	}

-+

-       if (dwarf_check != 0 && i > 0)

- 	{

- 	  if (start < next)

-@@ -6825,6 +6839,7 @@ display_debug_ranges (struct dwarf_section *section,

- 		    (unsigned long) (next - section_begin), section->name);

- 	    }

- 	}

-+

-       start = next;

-       last_start = next;

- 

-2.9.3

-

deleted file mode 100644

@@ -1,51 +0,0 @@

-From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001

-From: Nick Clifton <nickc@redhat.com>

-Date: Tue, 8 May 2018 12:51:06 +0100

-Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a

- fuzzed input file with corrupt string and attribute sections.

-

-	PR 22809

-	* elf.c (bfd_elf_get_str_section): Check for an excessively large

-	string section.

-	* elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the

-	attribute section is larger than the size of the file.

- bfd/ChangeLog   | 8 ++++++++

- bfd/elf-attrs.c | 9 +++++++++

- bfd/elf.c       | 1 +

- 3 files changed, 18 insertions(+)

-

-diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c

-index dfdf1a5..b353309 100644

-+++ b/bfd/elf-attrs.c

-@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr)

-   /* PR 17512: file: 2844a11d.  */

-   if (hdr->sh_size == 0)

-     return;

-+  if (hdr->sh_size > bfd_get_file_size (abfd))

-+    {

-+      /* xgettext:c-format */

-+      _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),

-+			  abfd, hdr->bfd_section, (long long) hdr->sh_size);

-+      bfd_set_error (bfd_error_invalid_operation);

-+      return;

-+    }

-+

-   contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);

-   if (!contents)

-     return;

-diff --git a/bfd/elf.c b/bfd/elf.c

-index 21bc4e7..3e8d510 100644

-+++ b/bfd/elf.c

-@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsigned int shindex)

-       /* Allocate and clear an extra byte at the end, to prevent crashes

- 	 in case the string table is not terminated.  */

-       if (shstrtabsize + 1 <= 1

-+	  || shstrtabsize > bfd_get_file_size (abfd)

- 	  || bfd_seek (abfd, offset, SEEK_SET) != 0

- 	  || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)

- 	shstrtab = NULL;

-2.9.3

@@ -1,26 +1,15 @@

 Summary:        Contains a linker, an assembler, and other tools

 Name:           binutils

-Version:        2.30

-Release:        5%{?dist}

+Version:        2.31

+Release:        1%{?dist}

 License:        GPLv2+

 URL:            http://www.gnu.org/software/binutils

 Group:          System Environment/Base

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz

-%define sha1    binutils=574d3b5650413d6ee65195a4f5ecbddc3a38f718

-Patch0:         binutils-2.30-CVE-2018-6543.patch

-Patch1:         binutils-2.30-CVE-2018-7643.patch

-Patch2:         binutils-2.30-CVE-2018-7208.patch

-Patch3:         binutils-2.30-CVE-2018-10373.patch

-Patch4:         binutils-2.30-CVE-2018-6759.patch

-Patch5:         binutils-2.30-CVE-2018-6872.patch

-Patch6:         binutils-2.30-CVE-2018-7568.patch

-Patch7:         binutils-2.30-CVE-2018-7569.patch

-Patch8:         binutils-2.30-CVE-2018-7642.patch

-Patch9:         binutils-2.30-CVE-2018-8945.patch

-Patch10:        binutils-2.30-CVE-2018-10372.patch

-Patch11:        binutils-2.30-CVE-2018-10535.patch

+%define sha1    binutils=e1a564cd356d2126d2e9a59e8587757634e731aa

+

 %description

 The Binutils package contains a linker, an assembler,

 and other tools for handling object files.

@@ -34,18 +23,6 @@ for handling compiled objects.

 %prep

 %setup -q

-%patch0 -p1

-%patch1 -p1

-%patch2 -p1

-%patch3 -p1

-%patch4 -p1

-%patch5 -p1

-%patch6 -p1

-%patch7 -p1

-%patch8 -p1

-%patch9 -p1

-%patch10 -p1

-%patch11 -p1

 %build

 install -vdm 755 ../binutils-build

@@ -103,7 +80,6 @@ make %{?_smp_mflags} check

 %{_mandir}/man1/windmc.1.gz

 %{_mandir}/man1/ranlib.1.gz

 %{_mandir}/man1/gprof.1.gz

-%{_mandir}/man1/nlmconv.1.gz

 %{_mandir}/man1/strip.1.gz

 %{_mandir}/man1/c++filt.1.gz

 %{_mandir}/man1/as.1.gz

@@ -128,12 +104,15 @@ make %{?_smp_mflags} check

 %{_includedir}/ansidecl.h

 %{_includedir}/bfdlink.h

 %{_includedir}/dis-asm.h

+%{_includedir}/diagnostics.h

 %{_libdir}/libbfd.a

 %{_libdir}/libopcodes.a

 %{_libdir}/libbfd.so

 %{_libdir}/libopcodes.so

 %changelog

+*   Fri Jul 27 2018 Keerthana K <keerthanak@vmware.com> 2.31-1

+-   Update to Version 2.31.

 *   Mon Jun 25 2018 Keerthana K <keerthanak@vmware.com> 2.30-5

 -   Fixes for CVE-2018-6759, CVE-2018-6872, CVE-2018-7568, CVE-2018-7569,

 -   CVE-2018-7642, CVE-2018-8945, CVE-2018-10372, CVE-2018-10535.