From b966f55ffa570a05081b2030577b2158e8116c5a Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Thu, 19 Mar 2020 12:19:50 +1030
Subject: [PATCH] Invalid read in process_netbsd_elf_note

* readelf.c (process_netbsd_elf_note): Validate descsz before accessing descdata. Formatting.
---
 binutils/ChangeLog | 5 +++++
 binutils/readelf.c | 17 ++++++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index bfaeaf0e8f..7522653315 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,8 @@
+2020-03-19 Alan Modra
+
+ * readelf.c (process_netbsd_elf_note): Validate descsz before
+ accessing descdata. Formatting.
+
 2020-03-19 Alan Modra
 * elfcomm.c (setup_archive): Make file_size an off_t. Comment.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index a11297845e..c8ca66e52c 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -18402,15 +18402,17 @@ process_netbsd_elf_note (Elf_Internal_Note * pnote)
 switch (pnote->type)
 {
 case NT_NETBSD_IDENT:
+ if (pnote->descsz < 1)
+ break;
 version = byte_get ((unsigned char *) pnote->descdata, sizeof (version));
 if ((version / 10000) % 100)
- printf (" NetBSD\t\t0x%08lx\tIDENT %u (%u.%u%s%c)\n", pnote->descsz,
+ printf (" NetBSD\t\t0x%08lx\tIDENT %u (%u.%u%s%c)\n", pnote->descsz,
 version, version / 100000000, (version / 1000000) % 100,
 (version / 10000) % 100 > 26 ? "Z" : "",
 'A' + (version / 10000) % 26);
 else
 printf (" NetBSD\t\t0x%08lx\tIDENT %u (%u.%u.%u)\n", pnote->descsz,
- version, version / 100000000, (version / 1000000) % 100,
+ version, version / 100000000, (version / 1000000) % 100,
 (version / 100) % 100);
 return TRUE;
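Review bot: The new `pnote->descsz < 1` guard in the NT_NETBSD_IDENT case rejects only an empty descriptor, while the `byte_get` call on the next line reads `sizeof (version)` bytes from `pnote->descdata`. The declaration of `version` is outside the hunk, but the arithmetic on it suggests a multi-byte value, so a note with a descsz of 1 up to one less than that size may still be read past its descriptor unless the caller guarantees padding. Comparing against the size actually read closes the gap: `if (pnote->descsz < sizeof (version)) break;`. The same guard added in the NT_NETBSD_PAX hunk has the same shortfall; the function body starts and ends outside this hunk.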
@@ -18421,6 +18423,8 @@ process_netbsd_elf_note (Elf_Internal_Note * pnote)
 #ifdef NT_NETBSD_PAX
 case NT_NETBSD_PAX:
+ if (pnote->descsz < 1)
+ break;
 version = byte_get ((unsigned char *) pnote->descdata, sizeof (version));
 printf (" NetBSD\t\t0x%08lx\tPaX <%s%s%s%s%s%s>\n", pnote->descsz,
 ((version & NT_NETBSD_PAX_MPROTECT) ? "+mprotect" : ""),
@@ -18431,12 +18435,11 @@ process_netbsd_elf_note (Elf_Internal_Note * pnote)
 ((version & NT_NETBSD_PAX_NOASLR) ? "-ASLR" : ""));
 return TRUE;
 #endif
-
- default:
- printf (" NetBSD\t0x%08lx\tUnknown note type: (0x%08lx)\n", pnote->descsz,
- pnote->type);
- return FALSE;
 }
+
+ printf (" NetBSD\t0x%08lx\tUnknown note type: (0x%08lx)\n",
+ pnote->descsz, pnote->type);
+ return FALSE;
 }
 static const char *
--
2.34.1
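Review bot: With the `default:` label replaced by a trailing printf in the last hunk, the `break` taken when `pnote->descsz < 1` in the IDENT and PaX cases lands on the `Unknown note type` message, so a truncated note of a known type is reported as an unknown type. That hides the real condition (a descriptor too short to decode) from anyone triaging a malformed file. The short-descriptor branches could report it themselves, e.g. `printf (" NetBSD\t0x%08lx\tnote descriptor too short\n", pnote->descsz); return FALSE;`. Failing that, the trailing printf deserves a comment such as `/* Also reached when a known note type has a descriptor too short to decode.  */`.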