* elf.c (bfd_section_from_shdr): Fail if sh_entsize is bogus for

	symbol, relocation, group or versym sections.

	* coffcode.h (coff_slurp_reloc_table): Don't crash if native_relocs
	is NULL.
	* peXXigen.c (pe_print_idata): Don't crash if dll_name or start_address
	doesn't point into the section.

1 files changed, 11 insertions, 1 deletions

diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index 6597312adb..1be08466b2 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -1103,7 +1103,7 @@ pe_print_idata (bfd * abfd, void * vfile)
       bfd_vma toc_address;
       bfd_vma start_address;
       bfd_byte *data;
-      int offset;
+      bfd_vma offset;
 
       if (!bfd_malloc_and_get_section (abfd, rel_section, &data))
 	{
@@ -1114,6 +1114,13 @@ pe_print_idata (bfd * abfd, void * vfile)
 
       offset = abfd->start_address - rel_section->vma;
 
+      if (offset >= rel_section->size || offset + 8 > rel_section->size)
+        {
+          if (data != NULL)
+            free (data);
+          return FALSE;
+        }
+
       start_address = bfd_get_32 (abfd, data + offset);
       loadable_toc_address = bfd_get_32 (abfd, data + offset + 4);
       toc_address = loadable_toc_address - 32768;
@@ -1182,6 +1189,9 @@ pe_print_idata (bfd * abfd, void * vfile)
       if (hint_addr == 0 && first_thunk == 0)
 	break;
 
+      if (dll_name - adj >= section->size)
+        break;
+
       dll = (char *) data + dll_name - adj;
       fprintf (file, _("\n\tDLL Name: %s\n"), dll);