asan: heap-buffer-overflow objdump.c:3299 in disassemble_bytes

Fix yet another crash, this one with a fuzzed function symbol size.
The patch also corrects objdump behaviour when both --disassemble=sym
and --stop-address=value are given.  Previously --disassemble=sym
overrode --stop-address, now we take the lower of the stop-address
value and the end of function.

	* objdump.c (disassemble_section): Sanity check ELF st_size.

binutils/objdump.c

@@ -3923,29 +3923,25 @@ disassemble_section (bfd *abfd, asection *section, void *inf)
 		   (*rel_pp)->address - rel_offset < sym_offset)
 			  ++rel_pp;
 
+		  loop_until = next_sym;
 		  if (sym->flags & BSF_FUNCTION)
 		    {
-		      if (bfd_get_flavour (abfd) == bfd_target_elf_flavour
+		      loop_until = function_sym;
-			  && ((elf_symbol_type *) sym)->internal_elf_sym.st_size > 0)
+
+		      if (bfd_get_flavour (abfd) == bfd_target_elf_flavour)
 			{
-			  /* Sym is a function symbol with a size associated
+			  bfd_size_type fsize =
-			     with it.  Turn on automatic disassembly for the
+			    ((elf_symbol_type *) sym)->internal_elf_sym.st_size;
-			     next VALUE bytes.  */
+			  if (addr_offset + fsize > addr_offset
-			  stop_offset = addr_offset
+			      && addr_offset + fsize <= stop_offset)
-			    + ((elf_symbol_type *) sym)->internal_elf_sym.st_size;
+			    {
-			  loop_until = stop_offset_reached;
+			      /* Sym is a function symbol with a valid
+				 size associated with it.  Disassemble
+				 to the end of the function.  */
+			      stop_offset = addr_offset + fsize;
+			      loop_until = stop_offset_reached;
+			    }
 			}
-		      else
-			{
-			  /* Otherwise we need to tell the loop heuristic to
-			     loop until the next function symbol is encountered.  */
-			  loop_until = function_sym;
-			}
-		    }
-		  else
-		    {
-		      /* Otherwise loop until the next symbol is encountered.  */
-		      loop_until = next_sym;
 		    }
 		}