From e3ee40059d4a4e04d10e2b5c46bacd2a810355ca Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 26 Feb 2015 12:23:18 +0000
Subject: [PATCH] Fixes a resource exhaustion problem when running windres on a corrupt binary.

PR binutils/17512
* resrc.c (write_rc_messagetable): Tighten check for invalid message lengths.
---
 binutils/ChangeLog | 6 ++++++
 binutils/resrc.c | 18 ++++++++++++------
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 2d707609bb..8657b1d256 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2015-02-26 Nick Clifton
+
+ PR binutils/17512
+ * resrc.c (write_rc_messagetable): Tighten check for invalid
+ message lengths.
+ 2015-02-26 Terry Guo
 * readelf.c (arm_attr_tag_ABI_HardFP_use): Update how we
diff --git a/binutils/resrc.c b/binutils/resrc.c
index f0cacd16b1..b4edba992f 100644
--- a/binutils/resrc.c
+++ b/binutils/resrc.c
@@ -2923,6 +2923,7 @@ write_rc_messagetable (FILE *e, rc_uint_type length, const bfd_byte *data)
 {
 int has_error = 0;
 const struct bin_messagetable *mt;
+ fprintf (e, "BEGIN\n");
 write_rc_datablock (e, length, data, 0, 0, 0);
@@ -2952,6 +2953,7 @@ write_rc_messagetable (FILE *e, rc_uint_type length, const bfd_byte *data)
 low = windres_get_32 (&wrtarget, mt->items[i].lowid, 4);
 high = windres_get_32 (&wrtarget, mt->items[i].highid, 4);
 offset = windres_get_32 (&wrtarget, mt->items[i].offset, 4);
+ while (low <= high)
 {
 rc_uint_type elen, flags;
@@ -2971,16 +2973,20 @@ write_rc_messagetable (FILE *e, rc_uint_type length, const bfd_byte *data)
 wr_printcomment (e, "MessageId = 0x%x", low);
 wr_printcomment (e, "");
- /* PR 17512: file: 5c3232dc. */
- if (elen)
+ if ((flags & MESSAGE_RESOURCE_UNICODE) == MESSAGE_RESOURCE_UNICODE)
 {
- if ((flags & MESSAGE_RESOURCE_UNICODE) == MESSAGE_RESOURCE_UNICODE)
+ /* PR 17512: file: 5c3232dc. */
+ if (elen > BIN_MESSAGETABLE_ITEM_SIZE * 2)
 unicode_print (e, (const unichar *) mti->data, (elen - BIN_MESSAGETABLE_ITEM_SIZE) / 2);
- else
+ }
+ else
+ {
+ if (elen > BIN_MESSAGETABLE_ITEM_SIZE)
 ascii_print (e, (const char *) mti->data, (elen - BIN_MESSAGETABLE_ITEM_SIZE));
 }
+ wr_printcomment (e,"");
 ++low;
 offset += elen;
@@ -3005,7 +3011,7 @@ write_rc_datablock (FILE *e, rc_uint_type length, const bfd_byte *data, int has_
 fprintf (e, "BEGIN\n");
 if (show_comment == -1)
- {
+ {
 if (test_rc_datablock_text(length, data))
 {
 rc_uint_type i, c;
@@ -3018,7 +3024,7 @@ write_rc_datablock (FILE *e, rc_uint_type length, const bfd_byte *data, int has_
 ;
 if (i < length && data[i] == '\n')
 ++i, ++c;
- ascii_print (e, (const char *) &data[i - c], c);
+ ascii_print(e, (const char *) &data[i - c], c);
 fprintf (e, "\"");
 if (i < length)
 fprintf (e, "\n");
--
2.34.1
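Review bot: In the write_rc_messagetable hunk at -2971, an item whose `elen` is below BIN_MESSAGETABLE_ITEM_SIZE is now skipped without being treated as an error, yet the loop still runs `++low; offset += elen;`, so with an `elen` of zero the same item is re-read and the comment lines re-emitted for every id up to `high`, and both `low` and `high` are read from the file. Such an item is malformed and is better rejected before the flag test, e.g. `if (elen < BIN_MESSAGETABLE_ITEM_SIZE) { has_error = 1; break; }`, assuming `has_error` is how this function reports a corrupt table (its use is outside the hunks shown). Separately, the Unicode branch tests `elen > BIN_MESSAGETABLE_ITEM_SIZE * 2` while the length it passes is `(elen - BIN_MESSAGETABLE_ITEM_SIZE) / 2`; the doubled threshold drops short but well-formed Unicode messages, and `elen >= BIN_MESSAGETABLE_ITEM_SIZE + 2` would match the arithmetic. The loop body begins above the hunk, so whether `offset + elen` is checked against `length` before `mti->data` is read cannot be confirmed from here.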