From 4fd8d5856435ff84de1f181381fc51754285af6f Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Wed, 15 Jul 2020 11:09:59 +0100
Subject: Fix an illegal memory access in the BFD library which can be triggered by attempting to parse a corrupt PE format file.

PR26240
* coffgen.c (coff_get_normalized_symtab): Fix off-by-one error in
check for aux entries that overflow the buufer.
---
 bfd/ChangeLog | 6 ++++++
 bfd/coffgen.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 321e2e060bd..1337645a731 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-07-15 Nick Clifton
+
+ PR26240
+ * coffgen.c (coff_get_normalized_symtab): Fix off-by-one error in
+ check for aux entries that overflow the buufer.
+
 2020-07-15 Hans-Peter Nilsson
 * elf64-mmix.c (mmix_elf_relax_section): Improve accounting for
diff --git a/bfd/coffgen.c b/bfd/coffgen.c
index d49b2ff201e..0a2697268e9 100644
--- a/bfd/coffgen.c
+++ b/bfd/coffgen.c
@@ -1814,7 +1814,7 @@ coff_get_normalized_symtab (bfd *abfd)
 internal_ptr->is_sym = TRUE;
 /* PR 17512: Prevent buffer overrun. */
- if (symbol_ptr->u.syment.n_numaux > (raw_end - raw_src) / symesz)
+ if (symbol_ptr->u.syment.n_numaux > ((raw_end - 1) - raw_src) / symesz)
 {
 bfd_release (abfd, internal);
 return NULL;
-- 
cgit v1.2.1
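Review bot: The `- 1` applied to `raw_end` in the new condition only rejects the off-by-one case because the span `raw_end - raw_src` is presumably a whole multiple of `symesz` (the entry at `raw_src` is the symbol itself, so k remaining slots leave k-1 for aux records); that reasoning is not visible from the expression and the existing `/* PR 17512 */` comment does not explain it. A one-line comment stating the invariant, and a more direct equivalent form, would make the bound reviewable: `/* The entry at raw_src is the symbol itself; only the slots after it can hold aux entries.  */` followed by `if (symbol_ptr->u.syment.n_numaux > (raw_end - raw_src) / symesz - 1)`. That rewrite assumes `raw_end - raw_src >= symesz` at this point, which the enclosing loop condition appears to guarantee but is outside the hunk, so confirm before switching. The body of coff_get_normalized_symtab starts and ends outside this hunk.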