From daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Mon, 5 Dec 2016 12:25:34 +0000
Subject: [PATCH] Fix seg-fault in linker parsing a corrupt input file.

	PR ld/20924
	(aout_link_add_symbols): Fix off by one error checking for
	overflow of string offset.
---
 bfd/ChangeLog | 4 ++++
 bfd/aoutx.h   | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index dbb90e7007..3d9cd9e95a 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -4,6 +4,10 @@
 	* aoutx.h (aout_link_add_symbols): Replace BFD_ASSERT with return
 	FALSE.
 
+	PR ld/20924
+	(aout_link_add_symbols): Fix off by one error checking for
+	overflow of string offset.
+
 2016-12-03  Alan Modra  <amodra@gmail.com>
 
 	* elf64-ppc.c (struct ppc_link_hash_entry): Delete "was_undefined".
diff --git a/bfd/aoutx.h b/bfd/aoutx.h
index fb7041abb3..4de02e2619 100644
--- a/bfd/aoutx.h
+++ b/bfd/aoutx.h
@@ -3094,7 +3094,7 @@ aout_link_add_symbols (bfd *abfd, struct bfd_link_info *info)
 	    return FALSE;
 	  ++p;
 	  /* PR 19629: Corrupt binaries can contain illegal string offsets.  */
-	  if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd))
+	  if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))
 	    return FALSE;
 	  string = strings + GET_WORD (abfd, p->e_strx);
 	  section = bfd_ind_section_ptr;
@@ -3130,7 +3130,7 @@ aout_link_add_symbols (bfd *abfd, struct bfd_link_info *info)
 	  ++p;
 	  string = name;
 	  /* PR 19629: Corrupt binaries can contain illegal string offsets.  */
-	  if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd))
+	  if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))
 	    return FALSE;
 	  name = strings + GET_WORD (abfd, p->e_strx);
 	  section = bfd_und_section_ptr;