authorNick Clifton <nickc@redhat.com>2017-06-14 10:35:16 +0100
committerNick Clifton <nickc@redhat.com>2017-06-14 10:35:16 +0100
commit04f963fd489cae724a60140e13984415c205f4ac (patch)
treedbe556e467371d3ae78fab7a0a8c474836a0dfb0
parent319c2dbe240a797c6f9436bfd64f5c16045ad5a1 (diff)
downloadbinutils-gdb-04f963fd489cae724a60140e13984415c205f4ac.tar.gz
Fix seg-faults in objdump when disassembling a corrupt versados binary.
PR binutils/21591 * versados.c (versados_mkobject): Zero the allocated tdata structure. (process_otr): Check for an invalid offset in the otr structure.
-rw-r--r--bfd/ChangeLog6
-rw-r--r--bfd/versados.c12
2 files changed, 14 insertions, 4 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 67fd18a102a..a035ab54e2c 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2017-06-14 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21591
+ * versados.c (versados_mkobject): Zero the allocated tdata structure.
+ (process_otr): Check for an invalid offset in the otr structure.
+
2017-06-14 Sebastian Huber <sebastian.huber@embedded-brains.de>
* config.bfd (epiphany-*-elf): Accept epiphany-*-*.
diff --git a/bfd/versados.c b/bfd/versados.c
index 2efbcff5e94..f0c5fdf87d7 100644
--- a/bfd/versados.c
+++ b/bfd/versados.c
@@ -149,7 +149,7 @@ versados_mkobject (bfd *abfd)
if (abfd->tdata.versados_data == NULL)
{
bfd_size_type amt = sizeof (tdata_type);
- tdata_type *tdata = bfd_alloc (abfd, amt);
+ tdata_type *tdata = bfd_zalloc (abfd, amt);
if (tdata == NULL)
return FALSE;
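Review bot: The switch to `bfd_zalloc` on the `tdata_type *tdata = bfd_zalloc (abfd, amt);` line carries no comment saying why zeroing is required, so a later maintainer could plausibly revert it to `bfd_alloc` as a micro-optimisation and reintroduce the crash the commit message describes. Suggest a comment above that line: `/* PR 21591: zero the tdata so that fields a corrupt input leaves unset are never read as garbage.  */`. The body of versados_mkobject continues outside the hunk, so I cannot see which fields are relied upon to be zero.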
@@ -345,13 +345,13 @@ reloc_howto_type versados_howto_table[] =
};
static int
-get_offset (int len, unsigned char *ptr)
+get_offset (unsigned int len, unsigned char *ptr)
{
int val = 0;
if (len)
{
- int i;
+ unsigned int i;
val = *ptr++;
if (val & 0x80)
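Review bot: get_offset still has no header comment stating its contract, and the new `unsigned int len` parameter makes one more worth having: nothing in the function bounds `ptr`, so the caller must guarantee that `len` bytes are readable there. Suggest above the `static int` line: `/* Decode the LEN-byte offset field at PTR.  The caller must ensure that LEN bytes are readable at PTR.  */`. The only caller-side value visible in this commit is offsetlen in process_otr, a 3-bit field (`flag & 0x7`), so if that is what is passed here, `len` is at most 7 and the unsigned `i < len` loop bound cannot run away. The `if (val & 0x80)` test and the rest of the body lie outside the hunk, so I have not checked how a negative `val` is widened when LEN is greater than 1.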
@@ -394,9 +394,13 @@ process_otr (bfd *abfd, struct ext_otr *otr, int pass)
int flag = *srcp++;
int esdids = (flag >> 5) & 0x7;
int sizeinwords = ((flag >> 3) & 1) ? 2 : 1;
- int offsetlen = flag & 0x7;
+ unsigned int offsetlen = flag & 0x7;
int j;
+ /* PR 21591: Check for invalid lengths. */
+ if (srcp + esdids + offsetlen >= endp)
+ return;
+
if (esdids == 0)
{
/* A zero esdid means the new pc is the offset given. */