From c6c4136c200baaee07c69573fe30282fc0c9d106 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Oct 29 2014 10:36:37 +0000
Subject: Fix memory corruption bug introduced by the previous patch.
---
diff --git a/binutils-2.24-corrupt-elf.2.patch b/binutils-2.24-corrupt-elf.2.patch
new file mode 100644
index 0000000..0ad40dd
--- /dev/null
+++ b/binutils-2.24-corrupt-elf.2.patch
@@ -0,0 +1,91 @@
+diff -cpr ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
+*** ../binutils-2.24.orig/bfd/elf.c 2014-10-28 16:02:16.233549448 +0000
+--- bfd/elf.c 2014-10-28 16:02:36.754653055 +0000
+*************** bfd_section_from_shdr (bfd *abfd, unsign
+*** 1584,1589 ****
+--- 1584,1590 ----
+ const char *name;
+ bfd_boolean ret = TRUE;
+ static bfd_boolean * sections_being_created = NULL;
++ static bfd * sections_being_created_abfd = NULL;
+ static unsigned int nesting = 0;
+
+ if (shindex >= elf_numsections (abfd))
+*************** bfd_section_from_shdr (bfd *abfd, unsign
+*** 1596,1608 ****
+ loop. Detect this here, by refusing to load a section that we are
+ already in the process of loading. We only trigger this test if
+ we have nested at least three sections deep as normal ELF binaries
+! can expect to recurse at least once. */
+!
+ if (sections_being_created == NULL)
+ {
+ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */
+ sections_being_created = (bfd_boolean *)
+ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
+ }
+ if (sections_being_created [shindex])
+ {
+--- 1597,1615 ----
+ loop. Detect this here, by refusing to load a section that we are
+ already in the process of loading. We only trigger this test if
+ we have nested at least three sections deep as normal ELF binaries
+! can expect to recurse at least once.
+!
+! FIXME: It would be better if this array was attached to the bfd,
+! rather than being held in a static pointer. */
+!
+! if (sections_being_created_abfd != abfd)
+! sections_being_created = NULL;
+ if (sections_being_created == NULL)
+ {
+ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */
+ sections_being_created = (bfd_boolean *)
+ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
++ sections_being_created_abfd = abfd;
+ }
+ if (sections_being_created [shindex])
+ {
+*************** bfd_section_from_shdr (bfd *abfd, unsign
+*** 2106,2112 ****
+ if (sections_being_created)
+ sections_being_created [shindex] = FALSE;
+ if (-- nesting == 0)
+! sections_being_created = NULL;
+ return ret;
+ }
+
+--- 2113,2122 ----
+ if (sections_being_created)
+ sections_being_created [shindex] = FALSE;
+ if (-- nesting == 0)
+! {
+! sections_being_created = NULL;
+! sections_being_created_abfd = abfd;
+! }
+ return ret;
+ }
+
+Only in bfd: elf.c.orig
+diff -cpr ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
+*** ../binutils-2.24.orig/bfd/peXXigen.c 2014-10-28 16:02:16.251549538 +0000
+--- bfd/peXXigen.c 2014-10-28 16:02:36.755653060 +0000
+*************** pe_print_edata (bfd * abfd, void * vfile
+*** 1444,1449 ****
+--- 1444,1458 ----
+ }
+ }
+
++ /* PR 17512: Handle corrupt PE binaries. */
++ if (datasize < 36)
++ {
++ fprintf (file,
++ _("\nThere is an export table in %s, but it is too small (%d)\n"),
++ section->name, (int) datasize);
++ return TRUE;
++ }
++
+ fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
+ section->name, (unsigned long) addr);
+
+Only in bfd: peXXigen.c.orig
diff --git a/binutils.spec b/binutils.spec
index 2d886d8..0876262 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -19,7 +19,7 @@ Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.24
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv3+
 Group: Development/Tools
 URL: http://sources.redhat.com/binutils
@@ -75,6 +75,7 @@ Patch30: binutils-HEAD-change-ld-notice-interface.patch
 Patch31: binutils-2.24-corrupt-srec.patch
 Patch32: binutils-2.24-corrupt-groups.patch
 Patch33: binutils-2.24-corrupt-elf.patch
+Patch34: binutils-2.24-corrupt-elf.2.patch
 Provides: bundled(libiberty)
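Review bot: The `bfd_zalloc` result in the new-side 1597,1615 hunk is still indexed as `sections_being_created [shindex]` with no NULL check, so an allocation failure on an oversized or corrupt `elf_numsections` value becomes a NULL dereference instead of a clean failure; add `if (sections_being_created == NULL) return FALSE;` directly after the `bfd_zalloc` call, before `sections_being_created_abfd = abfd;`. Comparing the owning bfd by pointer closes the cross-bfd stale-array case the subject line refers to, but the reset in the 2113,2122 hunk would read more clearly as `sections_being_created_abfd = NULL;`, since the next call allocates a fresh array either way and a cleared pointer cannot match a later bfd that happens to reuse the same address. In the peXXigen.c hunk the bound `datasize < 36` should be checked against the field reads that follow it (not shown here): if the parser reads a 32-bit field at offset 36, the table must be at least 40 bytes and the guard still permits a 4-byte over-read. Both bfd_section_from_shdr and pe_print_edata start and end outside the hunk.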
@@ -212,6 +213,7 @@ using libelf instead of BFD.
 %patch31 -p0 -b .corrupt-srec~
 %patch32 -p0 -b .corrupt-groups~
 %patch33 -p0 -b .corrupt-elf~
+%patch34 -p0 -b .corrupt-elf2~
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
@@ -526,6 +528,9 @@ exit 0
 %endif # %{isnative}
 %changelog
+* Wed Oct 29 2014 Nick Clifton - 2.24-27
+- Fix memory corruption bug introduced by the previous patch.
+
 * Tue Oct 28 2014 Nick Clifton - 2.24-26
 - Import patches for PR/17510 and PR/17512 to fix reading corrupt ELF binaries.
 Resolves: BZ #1157276, #1157277