From bb0d867169d7e9743d229804106a8fbcab7f3b3f Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 4 Nov 2014 13:15:37 +0000
Subject: [PATCH] Fix a seg-fault triggered by reading a mal-formed archive.

	PR binutils/17533
	* archive.c (_bfd_slurp_extended_name_table): Handle archives with
	corrupt extended name tables.
---
 bfd/ChangeLog |    6 ++++++
 bfd/archive.c |    9 +++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/bfd/archive.c b/bfd/archive.c
index 40a3395..b905213 100644
--- a/bfd/archive.c
+++ b/bfd/archive.c
@@ -1293,6 +1293,9 @@ _bfd_slurp_extended_name_table (bfd *abfd)
       amt = namedata->parsed_size;
       if (amt + 1 == 0)
 	goto byebye;
+      /* PR binutils/17533: A corrupt archive can contain an invalid size.  */
+      if (amt > (bfd_size_type) bfd_get_size (abfd))
+	goto byebye;
 
       bfd_ardata (abfd)->extended_names_size = amt;
       bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1);
@@ -1308,7 +1313,6 @@ _bfd_slurp_extended_name_table (bfd *abfd)
 	  if (bfd_get_error () != bfd_error_system_call)
 	    bfd_set_error (bfd_error_malformed_archive);
 	  bfd_release (abfd, (bfd_ardata (abfd)->extended_names));
-	  bfd_ardata (abfd)->extended_names = NULL;
 	  goto byebye;
 	}
 
@@ -1316,11 +1320,12 @@ _bfd_slurp_extended_name_table (bfd *abfd)
 	 text, the entries in the list are newline-padded, not null
 	 padded. In SVR4-style archives, the names also have a
 	 trailing '/'.  DOS/NT created archive often have \ in them
-	 We'll fix all problems here..  */
+	 We'll fix all problems here.  */
       {
 	char *ext_names = bfd_ardata (abfd)->extended_names;
 	char *temp = ext_names;
 	char *limit = temp + namedata->parsed_size;
+
 	for (; temp < limit; ++temp)
 	  {
 	    if (*temp == ARFMAG[1])
-- 
1.7.1