--- /dev/null
+From 38e64b0ecc7f4ee64a02514b8d532782ac057fa2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 25 Jan 2018 21:47:41 +1030
+Subject: [PATCH] PR22746, crash when running 32-bit objdump on corrupted file
+
+Avoid unsigned int overflow by performing bfd_size_type multiplication.
+
+ PR 22746
+ * elfcode.h (elf_object_p): Avoid integer overflow.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2018-6323
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/elfcode.h | 4 ++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+Index: git/bfd/elfcode.h
+===================================================================
+--- git.orig/bfd/elfcode.h
++++ git/bfd/elfcode.h
+@@ -680,7 +680,7 @@ elf_object_p (bfd *abfd)
+ if (i_ehdrp->e_shnum > ((bfd_size_type) -1) / sizeof (*i_shdrp))
+ goto got_wrong_format_error;
+ #endif
+- amt = sizeof (*i_shdrp) * i_ehdrp->e_shnum;
++ amt = sizeof (*i_shdrp) * (bfd_size_type) i_ehdrp->e_shnum;
+ i_shdrp = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
+ if (!i_shdrp)
+ goto got_no_match;
+@@ -776,7 +776,7 @@ elf_object_p (bfd *abfd)
+ if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
+ goto got_wrong_format_error;
+ #endif
+- amt = i_ehdrp->e_phnum * sizeof (*i_phdr);
++ amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);
+ elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
+ if (elf_tdata (abfd)->phdr == NULL)
+ goto got_no_match;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2018-01-25 Alan Modra <amodra@gmail.com>
++
++ PR 22746
++ * elfcode.h (elf_object_p): Avoid integer overflow.
++
+ 2018-05-08 Nick Clifton <nickc@redhat.com>
+
+ PR 22809
