--- /dev/null
+From a608b79f30ab3f670095e14ba3d3b5b24a19fe68 Mon Sep 17 00:00:00 2001
+From: Sandra Loosemore <sandra@codesourcery.com>
+Date: Thu, 25 Apr 2019 07:27:02 -0700
+Subject: [PATCH] Detect invalid length field in debug frame FDE header.
+
+GDB was failing to catch cases where a corrupt ELF or core file
+contained an invalid length value in a Dwarf debug frame FDE header.
+It was checking for buffer overflow but not cases where the length was
+negative or caused pointer wrap-around.
+
+In addition to the additional validity check, this patch cleans up the
+multiple signed/unsigned conversions on the length field so that an
+unsigned representation is used consistently throughout.
+
+This patch fixes CVE-2017-9778 and PR gdb/21600.
+
+2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
+ Kang Li <kanglictf@gmail.com>
+
+ PR gdb/21600
+
+ * dwarf2-frame.c (read_initial_length): Be consistent about using
+ unsigned representation of length.
+ (decode_frame_entry_1): Likewise. Check for wraparound of
+ end pointer as well as buffer overflow.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed]
+CVE: CVE-2017-9778
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ gdb/ChangeLog | 11 +++++++++++
+ gdb/dwarf2-frame.c | 14 +++++++-------
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/gdb/ChangeLog b/gdb/ChangeLog
+index 3711dc7..0a9720b 100644
+--- a/gdb/ChangeLog
++++ b/gdb/ChangeLog
+@@ -1,3 +1,14 @@
++2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
++ Kang Li <kanglictf@gmail.com>
++
++ PR gdb/21600
++
++ * dwarf2-frame.c (read_initial_length): Be consistent about using
++ unsigned representation of length.
++ (decode_frame_entry_1): Likewise. Check for wraparound of
++ end pointer as well as buffer overflow.
++
++
+ 2018-12-23 Joel Brobecker <brobecker@adacore.com>
+
+ * version.in: Set GDB version number to 8.2.1.
+diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
+index 91e16cf..a7b99fd 100644
+--- a/gdb/dwarf2-frame.c
++++ b/gdb/dwarf2-frame.c
+@@ -1477,7 +1477,7 @@ static ULONGEST
+ read_initial_length (bfd *abfd, const gdb_byte *buf,
+ unsigned int *bytes_read_ptr)
+ {
+- LONGEST result;
++ ULONGEST result;
+
+ result = bfd_get_32 (abfd, buf);
+ if (result == 0xffffffff)
+@@ -1780,7 +1780,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ {
+ struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
+ const gdb_byte *buf, *end;
+- LONGEST length;
++ ULONGEST length;
+ unsigned int bytes_read;
+ int dwarf64_p;
+ ULONGEST cie_id;
+@@ -1791,15 +1791,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ buf = start;
+ length = read_initial_length (unit->abfd, buf, &bytes_read);
+ buf += bytes_read;
+- end = buf + length;
+-
+- /* Are we still within the section? */
+- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+- return NULL;
++ end = buf + (size_t) length;
+
+ if (length == 0)
+ return end;
+
++ /* Are we still within the section? */
++ if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
++ return NULL;
++
+ /* Distinguish between 32 and 64-bit encoded frame info. */
+ dwarf64_p = (bytes_read == 12);
+
+--
+2.7.4
+
