Fix memory access violations triggered by running sysdump on fuzzed binaries.

PR binutils/17512
	* sysdump.c (getINT): Fail if reading off the end of the buffer.
	Replace call to abort with a call to fatal.
	(getCHARS): Prevetn reading off the end of the buffer.

binutils/ChangeLog

@@ -1,6 +1,10 @@
 2015-01-08  Nick Clifton  <nickc@redhat.com>
 
 	PR binutils/17512
+	* sysdump.c (getINT): Fail if reading off the end of the buffer.
+	Replace call to abort with a call to fatal.
+	(getCHARS): Prevetn reading off the end of the buffer.
+
 	* nlmconv.c (i386_mangle_relocs): Skip relocs without an
 	associated symbol.
 	(powerpc_mangle_relocs): Skip unrecognised relocs.  Check address

binutils/sysdump.c

@@ -66,6 +66,9 @@ getCHARS (unsigned char *ptr, int *idx, int size, int max)
 
   if (b == 0)
     {
+      /* PR 17512: file: 13caced2.  */
+      if (oc >= max)
+	return _("*corrupt*");
       /* Got to work out the length of the string from self.  */
       b = ptr[oc++];
       (*idx) += 8;
@@ -166,7 +169,12 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
   int byte = *idx / 8;
 
   if (byte >= max)
-    return 0;
+    {
+      /* PR 17512: file: id:000001,src:000002,op:flip1,pos:45.  */
+      /* Prevent infinite loops re-reading beyond the end of the buffer.  */
+      fatal (_("ICE: getINT: Out of buffer space"));
+      return 0;
+    }
 
   if (size == -2)
     size = addrsize;
@@ -188,7 +196,7 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
       n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
       break;
     default:
-      abort ();
+      fatal (_("Unsupported read size: %d"), size);
     }
 
   *idx += size * 8;
@@ -615,6 +623,8 @@ module (void)
   do
     {
       c = getc (file);
+      if (c == EOF)
+	break;
       ungetc (c, file);
 
       c &= 0x7f;