* resres.c (probe_binary): Fix test for badly formatted headers.

author: Nick Clifton <nickc@redhat.com> 2007-06-18 16:02:45 +0000
committer: Nick Clifton <nickc@redhat.com> 2007-06-18 16:02:45 +0000
commit: 03997556dae335abff76e00a41d1459e4bfa6ed1 (patch)
tree: ae00f396f4307ef7fd0472cd3f7b0027451d990b /binutils/resres.c
parent: 31d99776c73d6fca13163da59c852b0fa99f89b8 (diff)
1 files changed, 11 insertions, 6 deletions
diff --git a/binutils/resres.c b/binutils/resres.c
index 8b75bcf5942..f345da3e5de 100644
--- a/binutils/resres.c
+++ b/binutils/resres.c
@@ -554,10 +554,12 @@ read_unistring (windres_bfd *wrbfd, rc_uint_type *off, rc_uint_type omax,
   rc_uint_type l;
   rc_uint_type soff = off[0];
 
-  do {
-    read_res_data (wrbfd, &soff, omax, d, sizeof (unichar));
-    c = windres_get_16 (wrbfd, d, 2);
-  } while (c != 0);
+  do
+    {
+      read_res_data (wrbfd, &soff, omax, d, sizeof (unichar));
+      c = windres_get_16 (wrbfd, d, 2);
+    }
+  while (c != 0);
   l = ((soff - off[0]) / sizeof (unichar));
 
   /* there are hardly any names longer than 256 characters, but anyway. */
@@ -592,8 +594,11 @@ probe_binary (windres_bfd *wrbfd, rc_uint_type omax)
   if ((off + BIN_RES_HDR_SIZE) >= omax)
     return 1;
   read_res_data_hdr (wrbfd, &off, omax, &reshdr);
-  if ((off + reshdr.data_size + reshdr.header_size) > omax)
-      return 0;
+  /* off is advanced by BIN_RES_HDR_SIZE in read_res_data_hdr()
+     which is part of reshdr.header_size. We shouldn't take it
+     into account twice.  */
+  if ((off - BIN_RES_HDR_SIZE + reshdr.data_size + reshdr.header_size) > omax)
+    return 0;
   return 1;
 }
author	Nick Clifton <nickc@redhat.com>	2007-06-18 16:02:45 +0000
committer	Nick Clifton <nickc@redhat.com>	2007-06-18 16:02:45 +0000
commit	03997556dae335abff76e00a41d1459e4bfa6ed1 (patch)
tree	ae00f396f4307ef7fd0472cd3f7b0027451d990b /binutils/resres.c
parent	31d99776c73d6fca13163da59c852b0fa99f89b8 (diff)