From d7f848c3b51f01635557ab765f2ba176618e0bf8 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 14 Mar 2019 17:21:41 +0000
Subject: [PATCH] Fix a buffer overrun error when attempting to parse corrupt DWARF information.
PR 24334
* dwarf2.c (struct dwarf2_debug): Add sec_vma_count field.
(save_section_vma): Initialise field to the number of entries in the sec_vma table.
(section_vma_same): Check that the number of entries in the sec_vma table matches the number of sections in the bfd.
---
 bfd/ChangeLog | 9 +++++++++
 bfd/dwarf2.c | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 7ed3929c0a..1e2681e2e6 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,12 @@
+2019-03-14 Nick Clifton
+
+ PR 24334
+ * dwarf2.c (struct dwarf2_debug): Add sec_vma_count field.
+ (save_section_vma): Initialise field to the number of entries in
+ the sec_vma table.
+ (section_vma_same): Check that the number of entries in the
+ sec_vma table matches the number of sections in the bfd.
+
 2019-03-14 Nick Clifton
 PR 24333
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 56557bbc81..e3c6d6d728 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -169,6 +169,8 @@ struct dwarf2_debug
 /* Section VMAs at the time the stash was built. */
 bfd_vma *sec_vma;
+ /* Number of sections in the SEC_VMA table. */
+ unsigned int sec_vma_count;
 /* Number of sections whose VMA we must adjust. */
 int adjusted_section_count;
@@ -4269,6 +4271,7 @@ save_section_vma (const bfd *abfd, struct dwarf2_debug *stash)
 stash->sec_vma = bfd_malloc (sizeof (*stash->sec_vma) * abfd->section_count);
 if (stash->sec_vma == NULL)
 return FALSE;
+ stash->sec_vma_count = abfd->section_count;
 for (i = 0, s = abfd->sections; i < abfd->section_count; i++, s = s->next)
 {
 if (s->output_section != NULL)
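Review bot: In save_section_vma, `stash->sec_vma_count` is written only after the bfd_malloc succeeds, so on the `return FALSE` path the field keeps whatever value it had before. The guard added to section_vma_same is only as good as the rule that the count always describes the current sec_vma allocation, and whether the stash is zero-initialised or the table is ever freed or rebuilt elsewhere is not visible in this patch. I would state that rule where the field is declared in struct dwarf2_debug, e.g. `/* Number of entries allocated in SEC_VMA; keep in step with every allocation or free of SEC_VMA.  */`, and consider `stash->sec_vma_count = 0;` before the allocation. The function body continues outside the hunk.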
@@ -4292,6 +4295,12 @@ section_vma_same (const bfd *abfd, const struct dwarf2_debug *stash)
 asection *s;
 unsigned int i;
+ /* PR 24334: If the number of sections in ABFD has changed between
+ when the stash was created and now, then we cannot trust the
+ stashed vma information. */
+ if (abfd->section_count != stash->sec_vma_count)
+ return FALSE;
+
 for (i = 0, s = abfd->sections; i < abfd->section_count; i++, s = s->next)
 {
 bfd_vma vma;
--
2.34.1
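Review bot: The loop after the new guard still takes its bound from `abfd->section_count`, while the table it walks (the indexing is outside the hunk, presumably `stash->sec_vma[i]`) was sized by `stash->sec_vma_count`. The two are equal once the guard has passed, but bounding the loop by the stashed count keeps the index and the allocation size tied to the same variable if the guard is later moved or weakened: `for (i = 0, s = abfd->sections; i < stash->sec_vma_count; i++, s = s->next)`. section_vma_same's body continues outside the hunk.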