PR22239 - invalid memory read in display_debug_frames

Pointer comparisons have traps for the unwary.  After adding a large
unknown value to "start", the test "start < end" depends on where
"start" is originally in memory.

	PR 22239
	* dwarf.c (read_cie): Don't compare "start" and "end" pointers
	after adding a possibly wild length to "start", compare the length
	to the difference of the pointers instead.  Remove now redundant
	"negative" length test.

binutils/ChangeLog

@@ -1,3 +1,11 @@
+2017-10-05  Alan Modra  <amodra@gmail.com>
+
+	PR 22239
+	* dwarf.c (read_cie): Don't compare "start" and "end" pointers
+	after adding a possibly wild length to "start", compare the length
+	to the difference of the pointers instead.  Remove now redundant
+	"negative" length test.
+
 2017-10-05  Tristan Gingold  <tgingold@free.fr>
 
 	* MAINTAINERS: Update email address.  Redirect release maintainer

binutils/dwarf.c

@@ -7001,14 +7001,14 @@ read_cie (unsigned char *start, unsigned char *end,
     {
       READ_ULEB (augmentation_data_len);
       augmentation_data = start;
-      start += augmentation_data_len;
       /* PR 17512: file: 11042-2589-0.004.  */
-      if (start > end)
+      if (augmentation_data_len > (size_t) (end - start))
 	{
 	  warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
-		augmentation_data_len, (long)((end - start) + augmentation_data_len));
+		augmentation_data_len, (unsigned long) (end - start));
 	  return end;
 	}
+      start += augmentation_data_len;
     }
 
   if (augmentation_data_len)
@@ -7021,14 +7021,7 @@ read_cie (unsigned char *start, unsigned char *end,
       q = augmentation_data;
       qend = q + augmentation_data_len;
 
-      /* PR 17531: file: 015adfaa.  */
-      if (qend < q)
-	{
-	  warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
-	  augmentation_data_len = 0;
-	}
-
-      while (p < end && q < augmentation_data + augmentation_data_len)
+      while (p < end && q < qend)
 	{
 	  if (*p == 'L')
 	    q++;