Fixes a resource exhaustion problem when running windres on a corrupt binary.

PR binutils/17512
	* resrc.c (write_rc_messagetable): Tighten check for invalid
	message lengths.

binutils/ChangeLog

@@ -1,3 +1,9 @@
+2015-02-26  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/17512
+	* resrc.c (write_rc_messagetable): Tighten check for invalid
+	message lengths.
+
 2015-02-26  Terry Guo  <terry.guo@arm.com>
 
 	* readelf.c (arm_attr_tag_ABI_HardFP_use): Update how we

binutils/resrc.c

@@ -2923,6 +2923,7 @@ write_rc_messagetable (FILE *e, rc_uint_type length, const bfd_byte *data)
 {
   int has_error = 0;
   const struct bin_messagetable *mt;
+
   fprintf (e, "BEGIN\n");
 
   write_rc_datablock (e, length, data, 0, 0, 0);
@@ -2952,6 +2953,7 @@ write_rc_messagetable (FILE *e, rc_uint_type length, const bfd_byte *data)
 	    low = windres_get_32 (&wrtarget, mt->items[i].lowid, 4);
 	    high = windres_get_32 (&wrtarget, mt->items[i].highid, 4);
 	    offset = windres_get_32 (&wrtarget, mt->items[i].offset, 4);
+
 	    while (low <= high)
 	      {
 		rc_uint_type elen, flags;
@@ -2971,16 +2973,20 @@ write_rc_messagetable (FILE *e, rc_uint_type length, const bfd_byte *data)
 		wr_printcomment (e, "MessageId = 0x%x", low);
 		wr_printcomment (e, "");
 
-		/* PR 17512: file: 5c3232dc.  */
-		if (elen)
-		  {
 		if ((flags & MESSAGE_RESOURCE_UNICODE) == MESSAGE_RESOURCE_UNICODE)
+		  {
+		    /* PR 17512: file: 5c3232dc.  */
+		    if (elen > BIN_MESSAGETABLE_ITEM_SIZE * 2)
 		      unicode_print (e, (const unichar *) mti->data,
 				     (elen - BIN_MESSAGETABLE_ITEM_SIZE) / 2);
+		  }
 		else
+		  {
+		    if (elen > BIN_MESSAGETABLE_ITEM_SIZE)
 		      ascii_print (e, (const char *) mti->data,
 				   (elen - BIN_MESSAGETABLE_ITEM_SIZE));
 		  }
+
 		wr_printcomment (e,"");
 		++low;
 		offset += elen;