From 183445093ebd6be285e29f75b877e62a723918c6 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Fri, 25 Jan 2019 13:16:06 +0000
Subject: [PATCH] Prevent a potential illegal memory access in readelf when
 parsing a note with a zero name size.

	PR 24131
	* readelf.c (process_notes_at): Prevent an illegal memory access
	when the note's namesize is zero.
	(decode_tic6x_unwind_bytecode): Add code to handle the case where
	no registers are specified in a frame pop instruction.
---
 binutils/ChangeLog |  8 ++++++++
 binutils/readelf.c | 33 ++++++++++++++++++++-------------
 2 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 7653019a37c..a5f9bdef48d 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,11 @@
+2019-01-25  Nick Clifton  <nickc@redhat.com>
+
+	PR 24131
+	* readelf.c (process_notes_at): Prevent an illegal memory access
+	when the note's namesize is zero.
+	(decode_tic6x_unwind_bytecode): Add code to handle the case where
+	no registers are specified in a frame pop instruction.
+
 2019-01-25  Nick Clifton  <nickc@redhat.com>
 
 	* po/bg.po: Updated Bulgarian translation.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index b13eb6a43ba..77acc6a7b42 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -8852,21 +8852,28 @@ decode_tic6x_unwind_bytecode (Filedata *                 filedata,
 	    }
 
 	  printf (_("pop frame {"));
-	  reg = nregs - 1;
-	  for (i = i * 2; i > 0; i--)
+	  if (nregs == 0)
 	    {
-	      if (regpos[reg].offset == i - 1)
+	      printf (_("*corrupt* - no registers specified"));
+	    }
+	  else
+	    {
+	      reg = nregs - 1;
+	      for (i = i * 2; i > 0; i--)
 		{
-		  name = tic6x_unwind_regnames[regpos[reg].reg];
-		  if (reg > 0)
-		    reg--;
-		}
-	      else
-		name = _("[pad]");
+		  if (regpos[reg].offset == i - 1)
+		    {
+		      name = tic6x_unwind_regnames[regpos[reg].reg];
+		      if (reg > 0)
+			reg--;
+		    }
+		  else
+		    name = _("[pad]");
 
-	      fputs (name, stdout);
-	      if (i > 1)
-		printf (", ");
+		  fputs (name, stdout);
+		  if (i > 1)
+		    printf (", ");
+		}
 	    }
 
 	  printf ("}");
@@ -18741,7 +18748,7 @@ process_notes_at (Filedata *           filedata,
 	 one version of Linux (RedHat 6.0) generates corefiles that don't
 	 comply with the ELF spec by failing to include the null byte in
 	 namesz.  */
-      if (inote.namedata[inote.namesz - 1] != '\0')
+      if (inote.namesz > 0 && inote.namedata[inote.namesz - 1] != '\0')
 	{
 	  if ((size_t) (inote.descdata - inote.namedata) == inote.namesz)
 	    {
-- 
2.39.2