Change-Id: Id5437a2991cef8f57c9781b05fcd2e0585dc504b
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3503
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
new file mode 100644 |
@@ -0,0 +1,20 @@ |
0 |
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Farchive.c;h=885bf489c024a7a24444bb82740987dd20aff184;hp=f209babe149f3f5b302da64f593e039c9c79ea8c;hb=909e4e716c4d77e33357bbe9bc902bfaf2e1af24;hpb=62a5222fdab2acdc129b7c7d3713e7f349e26029 |
|
1 |
+ |
|
2 |
+diff --git a/bfd/archive.c b/bfd/archive.c |
|
3 |
+index f209bab..885bf48 100644 |
|
4 |
+--- a/bfd/archive.c |
|
5 |
+@@ -834,7 +834,12 @@ bfd_generic_archive_p (bfd *abfd) |
|
6 |
+ if (strncmp (armag, ARMAG, SARMAG) != 0 |
|
7 |
+ && strncmp (armag, ARMAGB, SARMAG) != 0 |
|
8 |
+ && ! bfd_is_thin_archive (abfd)) |
|
9 |
+- return NULL; |
|
10 |
++ { |
|
11 |
++ bfd_set_error (bfd_error_wrong_format); |
|
12 |
++ if (abfd->format == bfd_archive) |
|
13 |
++ abfd->format = bfd_unknown; |
|
14 |
++ return NULL; |
|
15 |
++ } |
|
16 |
+ |
|
17 |
+ tdata_hold = bfd_ardata (abfd); |
|
18 |
+ |
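Review bot: The embedded patch has no `+++ b/bfd/archive.c` line after `--- a/bfd/archive.c`, and the same is true of every file header in the other patch files on this page; if the on-disk files really lack it, rather than the rendering having dropped it, `git apply` and `patch -p1` would most likely reject them, so verify that the files apply before merging. The patch also carries no provenance beyond the gitweb URL; a short header naming the upstream commit taken from the URL's hb= parameter, `909e4e716c4d77e33357bbe9bc902bfaf2e1af24`, and the bug it fixes would make it auditable alongside the other patches, which keep their `From:` and `Subject:` lines. The new block itself looks right: it sets `bfd_error_wrong_format` and resets `abfd->format` before the `return NULL` that the old code reached silently. bfd_generic_archive_p continues outside the hunk.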
new file mode 100644 |
@@ -0,0 +1,233 @@ |
0 |
+From 8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Nick Clifton <nickc@redhat.com> |
|
2 |
+Date: Thu, 27 Jul 2017 12:04:50 +0100 |
|
3 |
+Subject: [PATCH 1/1] Fix address violation issues encountered when parsing |
|
4 |
+ corrupt binaries. |
|
5 |
+ |
|
6 |
+ PR 21840 |
|
7 |
+ * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab |
|
8 |
+ size is -1. |
|
9 |
+ * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion |
|
10 |
+ with error return. |
|
11 |
+ * section.c (bfd_make_section_with_flags): Fail if the name or bfd |
|
12 |
+ are NULL. |
|
13 |
+ * vms-alpha.c (bfd_make_section_with_flags): Correct computation |
|
14 |
+ of end pointer. |
|
15 |
+ (evax_bfd_print_emh): Check for invalid string lengths. |
|
16 |
+--- |
|
17 |
+ bfd/mach-o.c | 3 ++ |
|
18 |
+ bfd/nlmcode.h | 4 ++- |
|
19 |
+ bfd/section.c | 2 +- |
|
20 |
+ bfd/vms-alpha.c | 91 ++++++++++++++++++++++++++++++++++++--------------------- |
|
21 |
+ bfd/vms-misc.c | 8 ++--- |
|
22 |
+ 6 files changed, 82 insertions(+), 39 deletions(-) |
|
23 |
+ |
|
24 |
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c |
|
25 |
+index 1807391..9fe6326 100644 |
|
26 |
+--- a/bfd/mach-o.c |
|
27 |
+@@ -3749,6 +3749,9 @@ bfd_mach_o_read_symtab_strtab (bfd *abfd) |
|
28 |
+ } |
|
29 |
+ else |
|
30 |
+ { |
|
31 |
++ /* See PR 21840 for a reproducer. */ |
|
32 |
++ if ((sym->strsize + 1) == 0) |
|
33 |
++ return FALSE; |
|
34 |
+ sym->strtab = bfd_alloc (abfd, sym->strsize + 1); |
|
35 |
+ if (sym->strtab == NULL) |
|
36 |
+ return FALSE; |
|
37 |
+diff --git a/bfd/nlmcode.h b/bfd/nlmcode.h |
|
38 |
+index 6d6aed0..350c83e 100644 |
|
39 |
+--- a/bfd/nlmcode.h |
|
40 |
+@@ -351,7 +351,9 @@ nlm_swap_auxiliary_headers_in (bfd *abfd) |
|
41 |
+ bfd_byte *contents; |
|
42 |
+ bfd_byte *p, *pend; |
|
43 |
+ |
|
44 |
+- BFD_ASSERT (hdrLength == 0 && hdr == NULL); |
|
45 |
++ /* See PR 21840 for a reproducer. */ |
|
46 |
++ if (hdrLength != 0 || hdr != NULL) |
|
47 |
++ return FALSE; |
|
48 |
+ |
|
49 |
+ pos = bfd_tell (abfd); |
|
50 |
+ if (bfd_seek (abfd, dataOffset, SEEK_SET) != 0) |
|
51 |
+diff --git a/bfd/section.c b/bfd/section.c |
|
52 |
+index 28eee7f..811d42a 100644 |
|
53 |
+--- a/bfd/section.c |
|
54 |
+@@ -1240,7 +1240,7 @@ bfd_make_section_with_flags (bfd *abfd, const char *name, |
|
55 |
+ struct section_hash_entry *sh; |
|
56 |
+ asection *newsect; |
|
57 |
+ |
|
58 |
+- if (abfd->output_has_begun) |
|
59 |
++ if (abfd == NULL || name == NULL || abfd->output_has_begun) |
|
60 |
+ { |
|
61 |
+ bfd_set_error (bfd_error_invalid_operation); |
|
62 |
+ return NULL; |
|
63 |
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c |
|
64 |
+index 610b034..5595b61 100644 |
|
65 |
+--- a/bfd/vms-alpha.c |
|
66 |
+@@ -903,7 +903,7 @@ _bfd_vms_slurp_ehdr (bfd *abfd) |
|
67 |
+ |
|
68 |
+ vms_rec = PRIV (recrd.rec); |
|
69 |
+ /* PR 17512: file: 62736583. */ |
|
70 |
+- end = vms_rec + PRIV (recrd.buf_size); |
|
71 |
++ end = PRIV (recrd.buf) + PRIV (recrd.buf_size); |
|
72 |
+ |
|
73 |
+ vms_debug2 ((2, "HDR/EMH\n")); |
|
74 |
+ |
|
75 |
+@@ -5737,8 +5737,9 @@ evax_bfd_print_emh (FILE *file, unsigned char *rec, unsigned int rec_len) |
|
76 |
+ { |
|
77 |
+ struct vms_emh_common *emh = (struct vms_emh_common *)rec; |
|
78 |
+ unsigned int subtype; |
|
79 |
++ int extra; |
|
80 |
+ |
|
81 |
+- subtype = (unsigned)bfd_getl16 (emh->subtyp); |
|
82 |
++ subtype = (unsigned) bfd_getl16 (emh->subtyp); |
|
83 |
+ |
|
84 |
+ /* xgettext:c-format */ |
|
85 |
+ fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len); |
|
86 |
+@@ -5749,58 +5750,82 @@ evax_bfd_print_emh (FILE *file, unsigned char *rec, unsigned int rec_len) |
|
87 |
+ fprintf (file, _(" Error: The length is less than the length of an EMH record\n")); |
|
88 |
+ return; |
|
89 |
+ } |
|
90 |
+- |
|
91 |
++ extra = rec_len - sizeof (struct vms_emh_common); |
|
92 |
++ |
|
93 |
+ switch (subtype) |
|
94 |
+ { |
|
95 |
+ case EMH__C_MHD: |
|
96 |
+ { |
|
97 |
+- struct vms_emh_mhd *mhd = (struct vms_emh_mhd *)rec; |
|
98 |
+- const char *name; |
|
99 |
++ struct vms_emh_mhd *mhd = (struct vms_emh_mhd *) rec; |
|
100 |
++ const char * name; |
|
101 |
++ const char * nextname; |
|
102 |
++ const char * maxname; |
|
103 |
+ |
|
104 |
++ /* PR 21840: Check for invalid lengths. */ |
|
105 |
++ if (rec_len < sizeof (* mhd)) |
|
106 |
++ { |
|
107 |
++ fprintf (file, _(" Error: The record length is less than the size of an EMH_MHD record\n")); |
|
108 |
++ return; |
|
109 |
++ } |
|
110 |
+ fprintf (file, _("Module header\n")); |
|
111 |
+ fprintf (file, _(" structure level: %u\n"), mhd->strlvl); |
|
112 |
+ fprintf (file, _(" max record size: %u\n"), |
|
113 |
+- (unsigned)bfd_getl32 (mhd->recsiz)); |
|
114 |
++ (unsigned) bfd_getl32 (mhd->recsiz)); |
|
115 |
+ name = (char *)(mhd + 1); |
|
116 |
++ maxname = (char *) rec + rec_len; |
|
117 |
++ if (name > maxname - 2) |
|
118 |
++ { |
|
119 |
++ fprintf (file, _(" Error: The module name is missing\n")); |
|
120 |
++ return; |
|
121 |
++ } |
|
122 |
++ nextname = name + name[0] + 1; |
|
123 |
++ if (nextname >= maxname) |
|
124 |
++ { |
|
125 |
++ fprintf (file, _(" Error: The module name is too long\n")); |
|
126 |
++ return; |
|
127 |
++ } |
|
128 |
+ fprintf (file, _(" module name : %.*s\n"), name[0], name + 1); |
|
129 |
+- name += name[0] + 1; |
|
130 |
++ name = nextname; |
|
131 |
++ if (name > maxname - 2) |
|
132 |
++ { |
|
133 |
++ fprintf (file, _(" Error: The module version is missing\n")); |
|
134 |
++ return; |
|
135 |
++ } |
|
136 |
++ nextname = name + name[0] + 1; |
|
137 |
++ if (nextname >= maxname) |
|
138 |
++ { |
|
139 |
++ fprintf (file, _(" Error: The module version is too long\n")); |
|
140 |
++ return; |
|
141 |
++ } |
|
142 |
+ fprintf (file, _(" module version : %.*s\n"), name[0], name + 1); |
|
143 |
+- name += name[0] + 1; |
|
144 |
+- fprintf (file, _(" compile date : %.17s\n"), name); |
|
145 |
++ name = nextname; |
|
146 |
++ if ((maxname - name) < 17 && maxname[-1] != 0) |
|
147 |
++ fprintf (file, _(" Error: The compile date is truncated\n")); |
|
148 |
++ else |
|
149 |
++ fprintf (file, _(" compile date : %.17s\n"), name); |
|
150 |
+ } |
|
151 |
+ break; |
|
152 |
++ |
|
153 |
+ case EMH__C_LNM: |
|
154 |
+- { |
|
155 |
+- fprintf (file, _("Language Processor Name\n")); |
|
156 |
+- fprintf (file, _(" language name: %.*s\n"), |
|
157 |
+- (int)(rec_len - sizeof (struct vms_emh_common)), |
|
158 |
+- (char *)rec + sizeof (struct vms_emh_common)); |
|
159 |
+- } |
|
160 |
++ fprintf (file, _("Language Processor Name\n")); |
|
161 |
++ fprintf (file, _(" language name: %.*s\n"), extra, (char *)(emh + 1)); |
|
162 |
+ break; |
|
163 |
++ |
|
164 |
+ case EMH__C_SRC: |
|
165 |
+- { |
|
166 |
+- fprintf (file, _("Source Files Header\n")); |
|
167 |
+- fprintf (file, _(" file: %.*s\n"), |
|
168 |
+- (int)(rec_len - sizeof (struct vms_emh_common)), |
|
169 |
+- (char *)rec + sizeof (struct vms_emh_common)); |
|
170 |
+- } |
|
171 |
++ fprintf (file, _("Source Files Header\n")); |
|
172 |
++ fprintf (file, _(" file: %.*s\n"), extra, (char *)(emh + 1)); |
|
173 |
+ break; |
|
174 |
++ |
|
175 |
+ case EMH__C_TTL: |
|
176 |
+- { |
|
177 |
+- fprintf (file, _("Title Text Header\n")); |
|
178 |
+- fprintf (file, _(" title: %.*s\n"), |
|
179 |
+- (int)(rec_len - sizeof (struct vms_emh_common)), |
|
180 |
+- (char *)rec + sizeof (struct vms_emh_common)); |
|
181 |
+- } |
|
182 |
++ fprintf (file, _("Title Text Header\n")); |
|
183 |
++ fprintf (file, _(" title: %.*s\n"), extra, (char *)(emh + 1)); |
|
184 |
+ break; |
|
185 |
++ |
|
186 |
+ case EMH__C_CPR: |
|
187 |
+- { |
|
188 |
+- fprintf (file, _("Copyright Header\n")); |
|
189 |
+- fprintf (file, _(" copyright: %.*s\n"), |
|
190 |
+- (int)(rec_len - sizeof (struct vms_emh_common)), |
|
191 |
+- (char *)rec + sizeof (struct vms_emh_common)); |
|
192 |
+- } |
|
193 |
++ fprintf (file, _("Copyright Header\n")); |
|
194 |
++ fprintf (file, _(" copyright: %.*s\n"), extra, (char *)(emh + 1)); |
|
195 |
+ break; |
|
196 |
++ |
|
197 |
+ default: |
|
198 |
+ fprintf (file, _("unhandled emh subtype %u\n"), subtype); |
|
199 |
+ break; |
|
200 |
+diff --git a/bfd/vms-misc.c b/bfd/vms-misc.c |
|
201 |
+index 7497f02..91e2ec7 100644 |
|
202 |
+--- a/bfd/vms-misc.c |
|
203 |
+@@ -135,8 +135,8 @@ _bfd_hexdump (int level, unsigned char *ptr, int size, int offset) |
|
204 |
+ #endif |
|
205 |
+ |
|
206 |
+ |
|
207 |
+-/* Copy sized string (string with fixed size) to new allocated area |
|
208 |
+- size is string size (size of record) */ |
|
209 |
++/* Copy sized string (string with fixed size) to new allocated area. |
|
210 |
++ Size is string size (size of record). */ |
|
211 |
+ |
|
212 |
+ char * |
|
213 |
+ _bfd_vms_save_sized_string (unsigned char *str, unsigned int size) |
|
214 |
+@@ -151,8 +151,8 @@ _bfd_vms_save_sized_string (unsigned char *str, unsigned int size) |
|
215 |
+ return newstr; |
|
216 |
+ } |
|
217 |
+ |
|
218 |
+-/* Copy counted string (string with size at first byte) to new allocated area |
|
219 |
+- ptr points to size byte on entry */ |
|
220 |
++/* Copy counted string (string with size at first byte) to new allocated area. |
|
221 |
++ PTR points to size byte on entry. */ |
|
222 |
+ |
|
223 |
+ char * |
|
224 |
+ _bfd_vms_save_counted_string (unsigned char *ptr, unsigned int maxlen) |
|
225 |
+-- |
|
226 |
+2.9.3 |
|
227 |
+ |
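Review bot: In the evax_bfd_print_emh hunk the new length checks read the count byte through `const char *name`, so on targets where plain char is signed a count byte of 0x80 or above makes `nextname = name + name[0] + 1` move backwards; `nextname >= maxname` then passes and `%.*s` receives a negative precision, which printf treats as "no limit", reading until a NUL that may lie past `rec + rec_len`. Reading the count as an unsigned byte closes this: `nextname = name + (unsigned char) name[0] + 1;` and `fprintf (file, _(" module name : %.*s\n"), (unsigned char) name[0], name + 1);`, with the same change for the module version a few lines below. The `name > maxname - 2` guards and the `maxname[-1] != 0` test for the compile date are otherwise sound. The function's closing brace lies outside the hunk.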
new file mode 100644 |
@@ -0,0 +1,29 @@ |
0 |
+From 8a2df5e2df374289e00ecd8f099eb46d76ef982e Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Nick Clifton <nickc@redhat.com> |
|
2 |
+Date: Mon, 24 Jul 2017 14:04:04 +0100 |
|
3 |
+Subject: [PATCH] Fix another memory access error triggered by attempting to |
|
4 |
+ parse a corrupt binary. |
|
5 |
+ |
|
6 |
+ PR 21813 |
|
7 |
+ (alpha_vms_object_p): Check for a truncated record. |
|
8 |
+--- |
|
9 |
+ bfd/vms-alpha.c | 3 +++ |
|
10 |
+ 2 files changed, 5 insertions(+) |
|
11 |
+ |
|
12 |
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c |
|
13 |
+index 5e9170d..610b034 100644 |
|
14 |
+--- a/bfd/vms-alpha.c |
|
15 |
+@@ -2679,6 +2679,9 @@ alpha_vms_object_p (bfd *abfd) |
|
16 |
+ PRIV (recrd.buf_size) = PRIV (recrd.rec_size); |
|
17 |
+ } |
|
18 |
+ |
|
19 |
++ /* PR 21813: Check for a truncated record. */ |
|
20 |
++ if (PRIV (recrd.rec_size < test_len)) |
|
21 |
++ goto error_ret; |
|
22 |
+ /* Read the remaining record. */ |
|
23 |
+ remaining = PRIV (recrd.rec_size) - test_len; |
|
24 |
+ to_read = MIN (VMS_BLOCK_SIZE - test_len, remaining); |
|
25 |
+-- |
|
26 |
+2.9.3 |
|
27 |
+ |
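Review bot: The new check `if (PRIV (recrd.rec_size < test_len))` places the whole comparison inside the PRIV() argument; it appears to compile only because PRIV expands to a member access followed by the argument text verbatim, so the intent is obscured and any later change to the macro would silently break it. Write it as `if (PRIV (recrd.rec_size) < test_len)`. It is also worth confirming that `error_ret` releases whatever `recrd.buf` was allocated just above the hunk, since that allocation is outside the visible lines. alpha_vms_object_p begins and ends outside the hunk.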
new file mode 100644 |
@@ -0,0 +1,289 @@ |
0 |
+From 29866fa186ee3ebda5242221607dba360b2e541e Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Nick Clifton <nickc@redhat.com> |
|
2 |
+Date: Wed, 19 Jul 2017 11:07:43 +0100 |
|
3 |
+Subject: [PATCH] Fix address violation when attempting to read a corrupt field |
|
4 |
+ in a COFF archive header structure. |
|
5 |
+ |
|
6 |
+ PR 21786 |
|
7 |
+ * coff-rs6000.c (_bfd_strntol): New function. |
|
8 |
+ (_bfd_strntoll): New function. |
|
9 |
+ (GET_VALUE_IN_FIELD): New macro. |
|
10 |
+ (EQ_VALUE_IN_FIELD): new macro. |
|
11 |
+ (_bfd_xcoff_slurp_armap): Use new macros. |
|
12 |
+ (_bfd_xcoff_archive_p): Likewise. |
|
13 |
+ (_bfd_xcoff_read_ar_hdr): Likewise. |
|
14 |
+ (_bfd_xcoff_openr_next_archived_file): Likewise. |
|
15 |
+ (_bfd_xcoff_stat_arch_elt): Likewise. |
|
16 |
+--- |
|
17 |
+ bfd/coff-rs6000.c | 126 ++++++++++++++++++++++++++++++++---------------------- |
|
18 |
+ 2 files changed, 89 insertions(+), 50 deletions(-) |
|
19 |
+ |
|
20 |
+diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c |
|
21 |
+index 025c424..c72d0db 100644 |
|
22 |
+--- a/bfd/coff-rs6000.c |
|
23 |
+@@ -203,7 +203,8 @@ bfd_boolean (*xcoff_complain_overflow[XCOFF_MAX_COMPLAIN_OVERFLOW]) |
|
24 |
+ }; |
|
25 |
+ |
|
26 |
+ /* Information about one member of an archive. */ |
|
27 |
+-struct member_layout { |
|
28 |
++struct member_layout |
|
29 |
++{ |
|
30 |
+ /* The archive member that this structure describes. */ |
|
31 |
+ bfd *member; |
|
32 |
+ |
|
33 |
+@@ -237,7 +238,8 @@ struct member_layout { |
|
34 |
+ }; |
|
35 |
+ |
|
36 |
+ /* A structure used for iterating over the members of an archive. */ |
|
37 |
+-struct archive_iterator { |
|
38 |
++struct archive_iterator |
|
39 |
++{ |
|
40 |
+ /* The archive itself. */ |
|
41 |
+ bfd *archive; |
|
42 |
+ |
|
43 |
+@@ -654,8 +656,6 @@ _bfd_xcoff_swap_aux_out (bfd *abfd, void * inp, int type, int in_class, |
|
44 |
+ end: |
|
45 |
+ return bfd_coff_auxesz (abfd); |
|
46 |
+ } |
|
47 |
+- |
|
48 |
+- |
|
49 |
+ |
|
50 |
+ /* The XCOFF reloc table. Actually, XCOFF relocations specify the |
|
51 |
+ bitsize and whether they are signed or not, along with a |
|
52 |
+@@ -663,7 +663,6 @@ end: |
|
53 |
+ different algorithms for putting in the reloc. Many of these |
|
54 |
+ relocs need special_function entries, which I have not written. */ |
|
55 |
+ |
|
56 |
+- |
|
57 |
+ reloc_howto_type xcoff_howto_table[] = |
|
58 |
+ { |
|
59 |
+ /* 0x00: Standard 32 bit relocation. */ |
|
60 |
+@@ -1185,6 +1184,51 @@ bfd_xcoff_ar_archive_set_magic (bfd *abfd ATTRIBUTE_UNUSED, |
|
61 |
+ /* bfd_xcoff_archive_set_magic (abfd, magic); */ |
|
62 |
+ } |
|
63 |
+ |
|
64 |
++/* PR 21786: The PE/COFF standard does not require NUL termination for any of |
|
65 |
++ the ASCII fields in the archive headers. So in order to be able to extract |
|
66 |
++ numerical values we provide our own versions of strtol and strtoll which |
|
67 |
++ take a maximum length as an additional parameter. Also - just to save space, |
|
68 |
++ we omit the endptr return parameter, since we know that it is never used. */ |
|
69 |
++ |
|
70 |
++static long |
|
71 |
++_bfd_strntol (const char * nptr, int base, unsigned int maxlen) |
|
72 |
++{ |
|
73 |
++ char buf[24]; /* Should be enough. */ |
|
74 |
++ |
|
75 |
++ BFD_ASSERT (maxlen < (sizeof (buf) - 1)); |
|
76 |
++ |
|
77 |
++ memcpy (buf, nptr, maxlen); |
|
78 |
++ buf[maxlen] = 0; |
|
79 |
++ return strtol (buf, NULL, base); |
|
80 |
++} |
|
81 |
++ |
|
82 |
++static long long |
|
83 |
++_bfd_strntoll (const char * nptr, int base, unsigned int maxlen) |
|
84 |
++{ |
|
85 |
++ char buf[32]; /* Should be enough. */ |
|
86 |
++ |
|
87 |
++ BFD_ASSERT (maxlen < (sizeof (buf) - 1)); |
|
88 |
++ |
|
89 |
++ memcpy (buf, nptr, maxlen); |
|
90 |
++ buf[maxlen] = 0; |
|
91 |
++ return strtoll (buf, NULL, base); |
|
92 |
++} |
|
93 |
++ |
|
94 |
++/* Macro to read an ASCII value stored in an archive header field. */ |
|
95 |
++#define GET_VALUE_IN_FIELD(VAR, FIELD) \ |
|
96 |
++ do \ |
|
97 |
++ { \ |
|
98 |
++ (VAR) = sizeof (VAR) > sizeof (long) \ |
|
99 |
++ ? _bfd_strntoll (FIELD, 10, sizeof FIELD) \ |
|
100 |
++ : _bfd_strntol (FIELD, 10, sizeof FIELD); \ |
|
101 |
++ } \ |
|
102 |
++ while (0) |
|
103 |
++ |
|
104 |
++#define EQ_VALUE_IN_FIELD(VAR, FIELD) \ |
|
105 |
++ (sizeof (VAR) > sizeof (long) \ |
|
106 |
++ ? (VAR) ==_bfd_strntoll (FIELD, 10, sizeof FIELD) \ |
|
107 |
++ : (VAR) == _bfd_strntol (FIELD, 10, sizeof FIELD)) |
|
108 |
++ |
|
109 |
+ /* Read in the armap of an XCOFF archive. */ |
|
110 |
+ |
|
111 |
+ bfd_boolean |
|
112 |
+@@ -1209,7 +1253,7 @@ _bfd_xcoff_slurp_armap (bfd *abfd) |
|
113 |
+ /* This is for the old format. */ |
|
114 |
+ struct xcoff_ar_hdr hdr; |
|
115 |
+ |
|
116 |
+- off = strtol (xcoff_ardata (abfd)->symoff, (char **) NULL, 10); |
|
117 |
++ GET_VALUE_IN_FIELD (off, xcoff_ardata (abfd)->symoff); |
|
118 |
+ if (off == 0) |
|
119 |
+ { |
|
120 |
+ bfd_has_map (abfd) = FALSE; |
|
121 |
+@@ -1225,12 +1269,12 @@ _bfd_xcoff_slurp_armap (bfd *abfd) |
|
122 |
+ return FALSE; |
|
123 |
+ |
|
124 |
+ /* Skip the name (normally empty). */ |
|
125 |
+- namlen = strtol (hdr.namlen, (char **) NULL, 10); |
|
126 |
++ GET_VALUE_IN_FIELD (namlen, hdr.namlen); |
|
127 |
+ off = ((namlen + 1) & ~ (size_t) 1) + SXCOFFARFMAG; |
|
128 |
+ if (bfd_seek (abfd, off, SEEK_CUR) != 0) |
|
129 |
+ return FALSE; |
|
130 |
+ |
|
131 |
+- sz = strtol (hdr.size, (char **) NULL, 10); |
|
132 |
++ GET_VALUE_IN_FIELD (sz, hdr.size); |
|
133 |
+ |
|
134 |
+ /* Read in the entire symbol table. */ |
|
135 |
+ contents = (bfd_byte *) bfd_alloc (abfd, sz); |
|
136 |
+@@ -1264,7 +1308,7 @@ _bfd_xcoff_slurp_armap (bfd *abfd) |
|
137 |
+ /* This is for the new format. */ |
|
138 |
+ struct xcoff_ar_hdr_big hdr; |
|
139 |
+ |
|
140 |
+- off = strtol (xcoff_ardata_big (abfd)->symoff, (char **) NULL, 10); |
|
141 |
++ GET_VALUE_IN_FIELD (off, xcoff_ardata_big (abfd)->symoff); |
|
142 |
+ if (off == 0) |
|
143 |
+ { |
|
144 |
+ bfd_has_map (abfd) = FALSE; |
|
145 |
+@@ -1280,15 +1324,12 @@ _bfd_xcoff_slurp_armap (bfd *abfd) |
|
146 |
+ return FALSE; |
|
147 |
+ |
|
148 |
+ /* Skip the name (normally empty). */ |
|
149 |
+- namlen = strtol (hdr.namlen, (char **) NULL, 10); |
|
150 |
++ GET_VALUE_IN_FIELD (namlen, hdr.namlen); |
|
151 |
+ off = ((namlen + 1) & ~ (size_t) 1) + SXCOFFARFMAG; |
|
152 |
+ if (bfd_seek (abfd, off, SEEK_CUR) != 0) |
|
153 |
+ return FALSE; |
|
154 |
+ |
|
155 |
+- /* XXX This actually has to be a call to strtoll (at least on 32-bit |
|
156 |
+- machines) since the field width is 20 and there numbers with more |
|
157 |
+- than 32 bits can be represented. */ |
|
158 |
+- sz = strtol (hdr.size, (char **) NULL, 10); |
|
159 |
++ GET_VALUE_IN_FIELD (sz, hdr.size); |
|
160 |
+ |
|
161 |
+ /* Read in the entire symbol table. */ |
|
162 |
+ contents = (bfd_byte *) bfd_alloc (abfd, sz); |
|
163 |
+@@ -1393,8 +1434,8 @@ _bfd_xcoff_archive_p (bfd *abfd) |
|
164 |
+ goto error_ret; |
|
165 |
+ } |
|
166 |
+ |
|
167 |
+- bfd_ardata (abfd)->first_file_filepos = strtol (hdr.firstmemoff, |
|
168 |
+- (char **) NULL, 10); |
|
169 |
++ GET_VALUE_IN_FIELD (bfd_ardata (abfd)->first_file_filepos, |
|
170 |
++ hdr.firstmemoff); |
|
171 |
+ |
|
172 |
+ amt = SIZEOF_AR_FILE_HDR; |
|
173 |
+ bfd_ardata (abfd)->tdata = bfd_zalloc (abfd, amt); |
|
174 |
+@@ -1469,7 +1510,7 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd) |
|
175 |
+ return NULL; |
|
176 |
+ } |
|
177 |
+ |
|
178 |
+- namlen = strtol (hdr.namlen, (char **) NULL, 10); |
|
179 |
++ GET_VALUE_IN_FIELD (namlen, hdr.namlen); |
|
180 |
+ amt = SIZEOF_AR_HDR + namlen + 1; |
|
181 |
+ hdrp = (struct xcoff_ar_hdr *) bfd_alloc (abfd, amt); |
|
182 |
+ if (hdrp == NULL) |
|
183 |
+@@ -1486,7 +1527,7 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd) |
|
184 |
+ ((char *) hdrp)[SIZEOF_AR_HDR + namlen] = '\0'; |
|
185 |
+ |
|
186 |
+ ret->arch_header = (char *) hdrp; |
|
187 |
+- ret->parsed_size = strtol (hdr.size, (char **) NULL, 10); |
|
188 |
++ GET_VALUE_IN_FIELD (ret->parsed_size, hdr.size); |
|
189 |
+ ret->filename = (char *) hdrp + SIZEOF_AR_HDR; |
|
190 |
+ } |
|
191 |
+ else |
|
192 |
+@@ -1501,7 +1542,7 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd) |
|
193 |
+ return NULL; |
|
194 |
+ } |
|
195 |
+ |
|
196 |
+- namlen = strtol (hdr.namlen, (char **) NULL, 10); |
|
197 |
++ GET_VALUE_IN_FIELD (namlen, hdr.namlen); |
|
198 |
+ amt = SIZEOF_AR_HDR_BIG + namlen + 1; |
|
199 |
+ hdrp = (struct xcoff_ar_hdr_big *) bfd_alloc (abfd, amt); |
|
200 |
+ if (hdrp == NULL) |
|
201 |
+@@ -1518,10 +1559,7 @@ _bfd_xcoff_read_ar_hdr (bfd *abfd) |
|
202 |
+ ((char *) hdrp)[SIZEOF_AR_HDR_BIG + namlen] = '\0'; |
|
203 |
+ |
|
204 |
+ ret->arch_header = (char *) hdrp; |
|
205 |
+- /* XXX This actually has to be a call to strtoll (at least on 32-bit |
|
206 |
+- machines) since the field width is 20 and there numbers with more |
|
207 |
+- than 32 bits can be represented. */ |
|
208 |
+- ret->parsed_size = strtol (hdr.size, (char **) NULL, 10); |
|
209 |
++ GET_VALUE_IN_FIELD (ret->parsed_size, hdr.size); |
|
210 |
+ ret->filename = (char *) hdrp + SIZEOF_AR_HDR_BIG; |
|
211 |
+ } |
|
212 |
+ |
|
213 |
+@@ -1550,14 +1588,11 @@ _bfd_xcoff_openr_next_archived_file (bfd *archive, bfd *last_file) |
|
214 |
+ if (last_file == NULL) |
|
215 |
+ filestart = bfd_ardata (archive)->first_file_filepos; |
|
216 |
+ else |
|
217 |
+- filestart = strtol (arch_xhdr (last_file)->nextoff, (char **) NULL, |
|
218 |
+- 10); |
|
219 |
++ GET_VALUE_IN_FIELD (filestart, arch_xhdr (last_file)->nextoff); |
|
220 |
+ |
|
221 |
+ if (filestart == 0 |
|
222 |
+- || filestart == strtol (xcoff_ardata (archive)->memoff, |
|
223 |
+- (char **) NULL, 10) |
|
224 |
+- || filestart == strtol (xcoff_ardata (archive)->symoff, |
|
225 |
+- (char **) NULL, 10)) |
|
226 |
++ || EQ_VALUE_IN_FIELD (filestart, xcoff_ardata (archive)->memoff) |
|
227 |
++ || EQ_VALUE_IN_FIELD (filestart, xcoff_ardata (archive)->symoff)) |
|
228 |
+ { |
|
229 |
+ bfd_set_error (bfd_error_no_more_archived_files); |
|
230 |
+ return NULL; |
|
231 |
+@@ -1568,20 +1603,11 @@ _bfd_xcoff_openr_next_archived_file (bfd *archive, bfd *last_file) |
|
232 |
+ if (last_file == NULL) |
|
233 |
+ filestart = bfd_ardata (archive)->first_file_filepos; |
|
234 |
+ else |
|
235 |
+- /* XXX These actually have to be a calls to strtoll (at least |
|
236 |
+- on 32-bit machines) since the fields's width is 20 and |
|
237 |
+- there numbers with more than 32 bits can be represented. */ |
|
238 |
+- filestart = strtol (arch_xhdr_big (last_file)->nextoff, (char **) NULL, |
|
239 |
+- 10); |
|
240 |
+- |
|
241 |
+- /* XXX These actually have to be calls to strtoll (at least on 32-bit |
|
242 |
+- machines) since the fields's width is 20 and there numbers with more |
|
243 |
+- than 32 bits can be represented. */ |
|
244 |
++ GET_VALUE_IN_FIELD (filestart, arch_xhdr_big (last_file)->nextoff); |
|
245 |
++ |
|
246 |
+ if (filestart == 0 |
|
247 |
+- || filestart == strtol (xcoff_ardata_big (archive)->memoff, |
|
248 |
+- (char **) NULL, 10) |
|
249 |
+- || filestart == strtol (xcoff_ardata_big (archive)->symoff, |
|
250 |
+- (char **) NULL, 10)) |
|
251 |
++ || EQ_VALUE_IN_FIELD (filestart, xcoff_ardata_big (archive)->memoff) |
|
252 |
++ || EQ_VALUE_IN_FIELD (filestart, xcoff_ardata_big (archive)->symoff)) |
|
253 |
+ { |
|
254 |
+ bfd_set_error (bfd_error_no_more_archived_files); |
|
255 |
+ return NULL; |
|
256 |
+@@ -1606,20 +1632,20 @@ _bfd_xcoff_stat_arch_elt (bfd *abfd, struct stat *s) |
|
257 |
+ { |
|
258 |
+ struct xcoff_ar_hdr *hdrp = arch_xhdr (abfd); |
|
259 |
+ |
|
260 |
+- s->st_mtime = strtol (hdrp->date, (char **) NULL, 10); |
|
261 |
+- s->st_uid = strtol (hdrp->uid, (char **) NULL, 10); |
|
262 |
+- s->st_gid = strtol (hdrp->gid, (char **) NULL, 10); |
|
263 |
+- s->st_mode = strtol (hdrp->mode, (char **) NULL, 8); |
|
264 |
++ GET_VALUE_IN_FIELD (s->st_mtime, hdrp->date); |
|
265 |
++ GET_VALUE_IN_FIELD (s->st_uid, hdrp->uid); |
|
266 |
++ GET_VALUE_IN_FIELD (s->st_gid, hdrp->gid); |
|
267 |
++ GET_VALUE_IN_FIELD (s->st_mode, hdrp->mode); |
|
268 |
+ s->st_size = arch_eltdata (abfd)->parsed_size; |
|
269 |
+ } |
|
270 |
+ else |
|
271 |
+ { |
|
272 |
+ struct xcoff_ar_hdr_big *hdrp = arch_xhdr_big (abfd); |
|
273 |
+ |
|
274 |
+- s->st_mtime = strtol (hdrp->date, (char **) NULL, 10); |
|
275 |
+- s->st_uid = strtol (hdrp->uid, (char **) NULL, 10); |
|
276 |
+- s->st_gid = strtol (hdrp->gid, (char **) NULL, 10); |
|
277 |
+- s->st_mode = strtol (hdrp->mode, (char **) NULL, 8); |
|
278 |
++ GET_VALUE_IN_FIELD (s->st_mtime, hdrp->date); |
|
279 |
++ GET_VALUE_IN_FIELD (s->st_uid, hdrp->uid); |
|
280 |
++ GET_VALUE_IN_FIELD (s->st_gid, hdrp->gid); |
|
281 |
++ GET_VALUE_IN_FIELD (s->st_mode, hdrp->mode); |
|
282 |
+ s->st_size = arch_eltdata (abfd)->parsed_size; |
|
283 |
+ } |
|
284 |
+ |
|
285 |
+-- |
|
286 |
+2.9.3 |
|
287 |
+ |
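Review bot: In `_bfd_strntol` and `_bfd_strntoll` the `BFD_ASSERT (maxlen < (sizeof (buf) - 1))` does not stop execution — BFD_ASSERT by default only reports the failure and continues — so it gives no protection to the `memcpy (buf, nptr, maxlen)` and `buf[maxlen] = 0` that follow; the visible callers all pass `sizeof FIELD` of small fixed-width header fields, so nothing overflows today, but the guard should be a real one: `if (maxlen >= sizeof buf) maxlen = sizeof buf - 1;` before the copy. The values still come back from strtol unchecked, so a field such as `hdr.namlen` can produce a negative number that feeds `amt = SIZEOF_AR_HDR + namlen + 1` and the later `((char *) hdrp)[SIZEOF_AR_HDR + namlen] = '\0'` in _bfd_xcoff_read_ar_hdr; a range check on namlen at those two sites would close that. Minor style: `(VAR) ==_bfd_strntoll` in EQ_VALUE_IN_FIELD is missing a space, and `sizeof FIELD` silently yields a pointer size if a caller ever passes a pointer rather than the array member. Each of the functions touched by the later hunks begins and ends outside its hunk.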
new file mode 100644 |
@@ -0,0 +1,319 @@ |
0 |
+From ca4cf9b9c622a5695e01f7f5815a7382a31fcf51 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Nick Clifton <nickc@redhat.com> |
|
2 |
+Date: Mon, 24 Jul 2017 13:49:22 +0100 |
|
3 |
+Subject: [PATCH 1/1] Fix address violation errors parsing corrupt binary |
|
4 |
+ files. |
|
5 |
+ |
|
6 |
+ PR 21813 |
|
7 |
+binutils* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty |
|
8 |
+ string whilst concatenating symbol names. |
|
9 |
+ |
|
10 |
+bfd * mach-o.c (bfd_mach_o_canonicalize_relocs): Pass the base address |
|
11 |
+ of the relocs to the canonicalize_one_reloc routine. |
|
12 |
+ * mach-o.h (struct bfd_mach_o_backend_data): Update the prototype |
|
13 |
+ for the _bfd_mach_o_canonicalize_one_reloc field. |
|
14 |
+ * mach-o-arm.c (bfd_mach_o_arm_canonicalize_one_reloc): Add |
|
15 |
+ res_base parameter. Use to check for corrupt pair relocs. |
|
16 |
+ * mach-o-aarch64.c (bfd_mach_o_arm64_canonicalize_one_reloc): |
|
17 |
+ Likewise. |
|
18 |
+ * mach-o-i386.c (bfd_mach_o_i386_canonicalize_one_reloc): |
|
19 |
+ Likewise. |
|
20 |
+ * mach-o-x86-64.c (bfd_mach_o_x86_64_canonicalize_one_reloc): |
|
21 |
+ Likewise. |
|
22 |
+ |
|
23 |
+ * vms-alpha.c (_bfd_vms_slurp_eihd): Make sure that there is |
|
24 |
+ enough data in the record before attempting to parse it. |
|
25 |
+ (_bfd_vms_slurp_eeom): Likewise. |
|
26 |
+ |
|
27 |
+ (_bfd_vms_slurp_egsd): Check for an invalid section index. |
|
28 |
+ (image_set_ptr): Likewise. |
|
29 |
+ (alpha_vms_slurp_relocs): Likewise. |
|
30 |
+--- |
|
31 |
+ bfd/mach-o-aarch64.c | 8 ++++--- |
|
32 |
+ bfd/mach-o-arm.c | 13 ++++++++---- |
|
33 |
+ bfd/mach-o-i386.c | 17 +++++++++------ |
|
34 |
+ bfd/mach-o-x86-64.c | 8 ++++--- |
|
35 |
+ bfd/mach-o.c | 2 +- |
|
36 |
+ bfd/mach-o.h | 2 +- |
|
37 |
+ bfd/vms-alpha.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++----- |
|
38 |
+ binutils/rddbg.c | 3 ++- |
|
39 |
+ 10 files changed, 118 insertions(+), 24 deletions(-) |
|
40 |
+ |
|
41 |
+diff --git a/bfd/mach-o-aarch64.c b/bfd/mach-o-aarch64.c |
|
42 |
+index 12fc47e..5cf3364 100644 |
|
43 |
+--- a/bfd/mach-o-aarch64.c |
|
44 |
+@@ -147,9 +147,11 @@ static reloc_howto_type arm64_howto_table[]= |
|
45 |
+ }; |
|
46 |
+ |
|
47 |
+ static bfd_boolean |
|
48 |
+-bfd_mach_o_arm64_canonicalize_one_reloc (bfd *abfd, |
|
49 |
+- struct mach_o_reloc_info_external *raw, |
|
50 |
+- arelent *res, asymbol **syms) |
|
51 |
++bfd_mach_o_arm64_canonicalize_one_reloc (bfd * abfd, |
|
52 |
++ struct mach_o_reloc_info_external * raw, |
|
53 |
++ arelent * res, |
|
54 |
++ asymbol ** syms, |
|
55 |
++ arelent * res_base ATTRIBUTE_UNUSED) |
|
56 |
+ { |
|
57 |
+ bfd_mach_o_reloc_info reloc; |
|
58 |
+ |
|
59 |
+diff --git a/bfd/mach-o-arm.c b/bfd/mach-o-arm.c |
|
60 |
+index 5139f79..9eb614c 100644 |
|
61 |
+--- a/bfd/mach-o-arm.c |
|
62 |
+@@ -30,7 +30,7 @@ |
|
63 |
+ #define bfd_mach_o_mkobject bfd_mach_o_arm_mkobject |
|
64 |
+ |
|
65 |
+ #define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_arm_canonicalize_one_reloc |
|
66 |
+-#define bfd_mach_o_swap_reloc_out NULL |
|
67 |
++#define bfd_mach_o_swap_reloc_out NULL |
|
68 |
+ #define bfd_mach_o_bfd_reloc_type_lookup bfd_mach_o_arm_bfd_reloc_type_lookup |
|
69 |
+ #define bfd_mach_o_bfd_reloc_name_lookup bfd_mach_o_arm_bfd_reloc_name_lookup |
|
70 |
+ |
|
71 |
+@@ -147,9 +147,11 @@ static reloc_howto_type arm_howto_table[]= |
|
72 |
+ }; |
|
73 |
+ |
|
74 |
+ static bfd_boolean |
|
75 |
+-bfd_mach_o_arm_canonicalize_one_reloc (bfd *abfd, |
|
76 |
+- struct mach_o_reloc_info_external *raw, |
|
77 |
+- arelent *res, asymbol **syms) |
|
78 |
++bfd_mach_o_arm_canonicalize_one_reloc (bfd * abfd, |
|
79 |
++ struct mach_o_reloc_info_external * raw, |
|
80 |
++ arelent * res, |
|
81 |
++ asymbol ** syms, |
|
82 |
++ arelent * res_base) |
|
83 |
+ { |
|
84 |
+ bfd_mach_o_reloc_info reloc; |
|
85 |
+ |
|
86 |
+@@ -161,6 +163,9 @@ bfd_mach_o_arm_canonicalize_one_reloc (bfd *abfd, |
|
87 |
+ switch (reloc.r_type) |
|
88 |
+ { |
|
89 |
+ case BFD_MACH_O_ARM_RELOC_PAIR: |
|
90 |
++ /* PR 21813: Check for a corrupt PAIR reloc at the start. */ |
|
91 |
++ if (res == res_base) |
|
92 |
++ return FALSE; |
|
93 |
+ if (reloc.r_length == 2) |
|
94 |
+ { |
|
95 |
+ res->howto = &arm_howto_table[7]; |
|
96 |
+diff --git a/bfd/mach-o-i386.c b/bfd/mach-o-i386.c |
|
97 |
+index ce0389e..803af98 100644 |
|
98 |
+--- a/bfd/mach-o-i386.c |
|
99 |
+@@ -112,9 +112,11 @@ static reloc_howto_type i386_howto_table[]= |
|
100 |
+ }; |
|
101 |
+ |
|
102 |
+ static bfd_boolean |
|
103 |
+-bfd_mach_o_i386_canonicalize_one_reloc (bfd *abfd, |
|
104 |
+- struct mach_o_reloc_info_external *raw, |
|
105 |
+- arelent *res, asymbol **syms) |
|
106 |
++bfd_mach_o_i386_canonicalize_one_reloc (bfd * abfd, |
|
107 |
++ struct mach_o_reloc_info_external * raw, |
|
108 |
++ arelent * res, |
|
109 |
++ asymbol ** syms, |
|
110 |
++ arelent * res_base) |
|
111 |
+ { |
|
112 |
+ bfd_mach_o_reloc_info reloc; |
|
113 |
+ |
|
114 |
+@@ -126,6 +128,9 @@ bfd_mach_o_i386_canonicalize_one_reloc (bfd *abfd, |
|
115 |
+ switch (reloc.r_type) |
|
116 |
+ { |
|
117 |
+ case BFD_MACH_O_GENERIC_RELOC_PAIR: |
|
118 |
++ /* PR 21813: Check for a corrupt PAIR reloc at the start. */ |
|
119 |
++ if (res == res_base) |
|
120 |
++ return FALSE; |
|
121 |
+ if (reloc.r_length == 2) |
|
122 |
+ { |
|
123 |
+ res->howto = &i386_howto_table[7]; |
|
124 |
+@@ -391,9 +396,9 @@ const mach_o_segment_name_xlat mach_o_i386_segsec_names_xlat[] = |
|
125 |
+ { NULL, NULL } |
|
126 |
+ }; |
|
127 |
+ |
|
128 |
+-#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_i386_canonicalize_one_reloc |
|
129 |
+-#define bfd_mach_o_swap_reloc_out bfd_mach_o_i386_swap_reloc_out |
|
130 |
+-#define bfd_mach_o_print_thread bfd_mach_o_i386_print_thread |
|
131 |
++#define bfd_mach_o_canonicalize_one_reloc bfd_mach_o_i386_canonicalize_one_reloc |
|
132 |
++#define bfd_mach_o_swap_reloc_out bfd_mach_o_i386_swap_reloc_out |
|
133 |
++#define bfd_mach_o_print_thread bfd_mach_o_i386_print_thread |
|
134 |
+ |
|
135 |
+ #define bfd_mach_o_tgt_seg_table mach_o_i386_segsec_names_xlat |
|
136 |
+ #define bfd_mach_o_section_type_valid_for_tgt NULL |
|
137 |
+diff --git a/bfd/mach-o-x86-64.c b/bfd/mach-o-x86-64.c |
|
138 |
+index 1c83b10..2c50476 100644 |
|
139 |
+--- a/bfd/mach-o-x86-64.c |
|
140 |
+@@ -120,9 +120,11 @@ static reloc_howto_type x86_64_howto_table[]= |
|
141 |
+ }; |
|
142 |
+ |
|
143 |
+ static bfd_boolean |
|
144 |
+-bfd_mach_o_x86_64_canonicalize_one_reloc (bfd *abfd, |
|
145 |
+- struct mach_o_reloc_info_external *raw, |
|
146 |
+- arelent *res, asymbol **syms) |
|
147 |
++bfd_mach_o_x86_64_canonicalize_one_reloc (bfd * abfd, |
|
148 |
++ struct mach_o_reloc_info_external * raw, |
|
149 |
++ arelent * res, |
|
150 |
++ asymbol ** syms, |
|
151 |
++ arelent * res_base ATTRIBUTE_UNUSED) |
|
152 |
+ { |
|
153 |
+ bfd_mach_o_reloc_info reloc; |
|
154 |
+ |
|
155 |
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c |
|
156 |
+index be2fb17..1807391 100644 |
|
157 |
+--- a/bfd/mach-o.c |
|
158 |
+@@ -1496,7 +1496,7 @@ bfd_mach_o_canonicalize_relocs (bfd *abfd, unsigned long filepos, |
|
159 |
+ for (i = 0; i < count; i++) |
|
160 |
+ { |
|
161 |
+ if (!(*bed->_bfd_mach_o_canonicalize_one_reloc)(abfd, &native_relocs[i], |
|
162 |
+- &res[i], syms)) |
|
163 |
++ &res[i], syms, res)) |
|
164 |
+ goto err; |
|
165 |
+ } |
|
166 |
+ free (native_relocs); |
|
167 |
+diff --git a/bfd/mach-o.h b/bfd/mach-o.h |
|
168 |
+index 83660a4..0719b53 100644 |
|
169 |
+--- a/bfd/mach-o.h |
|
170 |
+@@ -746,7 +746,7 @@ typedef struct bfd_mach_o_backend_data |
|
171 |
+ enum bfd_architecture arch; |
|
172 |
+ bfd_vma page_size; |
|
173 |
+ bfd_boolean (*_bfd_mach_o_canonicalize_one_reloc) |
|
174 |
+- (bfd *, struct mach_o_reloc_info_external *, arelent *, asymbol **); |
|
175 |
++ (bfd *, struct mach_o_reloc_info_external *, arelent *, asymbol **, arelent *); |
|
176 |
+ bfd_boolean (*_bfd_mach_o_swap_reloc_out)(arelent *, bfd_mach_o_reloc_info *); |
|
177 |
+ bfd_boolean (*_bfd_mach_o_print_thread)(bfd *, bfd_mach_o_thread_flavour *, |
|
178 |
+ void *, char *); |
|
179 |
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c |
|
180 |
+index 991a1be..5e9170d 100644 |
|
181 |
+--- a/bfd/vms-alpha.c |
|
182 |
+@@ -473,6 +473,14 @@ _bfd_vms_slurp_eihd (bfd *abfd, unsigned int *eisd_offset, |
|
183 |
+ |
|
184 |
+ vms_debug2 ((8, "_bfd_vms_slurp_eihd\n")); |
|
185 |
+ |
|
186 |
++ /* PR 21813: Check for an undersized record. */ |
|
187 |
++ if (PRIV (recrd.buf_size) < sizeof (* eihd)) |
|
188 |
++ { |
|
189 |
++ _bfd_error_handler (_("Corrupt EIHD record - size is too small")); |
|
190 |
++ bfd_set_error (bfd_error_bad_value); |
|
191 |
++ return FALSE; |
|
192 |
++ } |
|
193 |
++ |
|
194 |
+ size = bfd_getl32 (eihd->size); |
|
195 |
+ imgtype = bfd_getl32 (eihd->imgtype); |
|
196 |
+ |
|
197 |
+@@ -1312,19 +1320,38 @@ _bfd_vms_slurp_egsd (bfd *abfd) |
|
198 |
+ if (old_flags & EGSY__V_DEF) |
|
199 |
+ { |
|
200 |
+ struct vms_esdf *esdf = (struct vms_esdf *)vms_rec; |
|
201 |
++ long psindx; |
|
202 |
+ |
|
203 |
+ entry->value = bfd_getl64 (esdf->value); |
|
204 |
+ if (PRIV (sections) == NULL) |
|
205 |
+ return FALSE; |
|
206 |
+- entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)]; |
|
207 |
++ |
|
208 |
++ psindx = bfd_getl32 (esdf->psindx); |
|
209 |
++ /* PR 21813: Check for an out of range index. */ |
|
210 |
++ if (psindx < 0 || psindx >= (int) PRIV (section_count)) |
|
211 |
++ { |
|
212 |
++ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"), |
|
213 |
++ psindx); |
|
214 |
++ bfd_set_error (bfd_error_bad_value); |
|
215 |
++ return FALSE; |
|
216 |
++ } |
|
217 |
++ entry->section = PRIV (sections)[psindx]; |
|
218 |
+ |
|
219 |
+ if (old_flags & EGSY__V_NORM) |
|
220 |
+ { |
|
221 |
+ PRIV (norm_sym_count)++; |
|
222 |
+ |
|
223 |
+ entry->code_value = bfd_getl64 (esdf->code_address); |
|
224 |
+- entry->code_section = |
|
225 |
+- PRIV (sections)[bfd_getl32 (esdf->ca_psindx)]; |
|
226 |
++ psindx = bfd_getl32 (esdf->ca_psindx); |
|
227 |
++ /* PR 21813: Check for an out of range index. */ |
|
228 |
++ if (psindx < 0 || psindx >= (int) PRIV (section_count)) |
|
229 |
++ { |
|
230 |
++ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"), |
|
231 |
++ psindx); |
|
232 |
++ bfd_set_error (bfd_error_bad_value); |
|
233 |
++ return FALSE; |
|
234 |
++ } |
|
235 |
++ entry->code_section = PRIV (sections)[psindx]; |
|
236 |
+ } |
|
237 |
+ } |
|
238 |
+ } |
|
239 |
+@@ -1351,9 +1378,20 @@ _bfd_vms_slurp_egsd (bfd *abfd) |
|
240 |
+ |
|
241 |
+ if (old_flags & EGSY__V_REL) |
|
242 |
+ { |
|
243 |
++ long psindx; |
|
244 |
++ |
|
245 |
+ if (PRIV (sections) == NULL) |
|
246 |
+ return FALSE; |
|
247 |
+- entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)]; |
|
248 |
++ psindx = bfd_getl32 (egst->psindx); |
|
249 |
++ /* PR 21813: Check for an out of range index. */ |
|
250 |
++ if (psindx < 0 || psindx >= (int) PRIV (section_count)) |
|
251 |
++ { |
|
252 |
++ _bfd_error_handler (_("Corrupt EGSD record: its psindx field is too big (%#lx)"), |
|
253 |
++ psindx); |
|
254 |
++ bfd_set_error (bfd_error_bad_value); |
|
255 |
++ return FALSE; |
|
256 |
++ } |
|
257 |
++ entry->section = PRIV (sections)[psindx]; |
|
258 |
+ } |
|
259 |
+ else |
|
260 |
+ entry->section = bfd_abs_section_ptr; |
|
261 |
+@@ -1446,6 +1484,9 @@ image_set_ptr (bfd *abfd, bfd_vma vma, int sect, struct bfd_link_info *info) |
|
262 |
+ |
|
263 |
+ if (PRIV (sections) == NULL) |
|
264 |
+ return; |
|
265 |
++ if (sect < 0 || sect >= (int) PRIV (section_count)) |
|
266 |
++ return; |
|
267 |
++ |
|
268 |
+ sec = PRIV (sections)[sect]; |
|
269 |
+ |
|
270 |
+ if (info) |
|
271 |
+@@ -2450,6 +2491,14 @@ _bfd_vms_slurp_eeom (bfd *abfd) |
|
272 |
+ |
|
273 |
+ vms_debug2 ((2, "EEOM\n")); |
|
274 |
+ |
|
275 |
++ /* PR 21813: Check for an undersized record. */ |
|
276 |
++ if (PRIV (recrd.buf_size) < sizeof (* eeom)) |
|
277 |
++ { |
|
278 |
++ _bfd_error_handler (_("Corrupt EEOM record - size is too small")); |
|
279 |
++ bfd_set_error (bfd_error_bad_value); |
|
280 |
++ return FALSE; |
|
281 |
++ } |
|
282 |
++ |
|
283 |
+ PRIV (eom_data).eom_l_total_lps = bfd_getl32 (eeom->total_lps); |
|
284 |
+ PRIV (eom_data).eom_w_comcod = bfd_getl16 (eeom->comcod); |
|
285 |
+ if (PRIV (eom_data).eom_w_comcod > 1) |
|
286 |
+@@ -5173,7 +5222,7 @@ alpha_vms_slurp_relocs (bfd *abfd) |
|
287 |
+ } |
|
288 |
+ else if (cur_psidx >= 0) |
|
289 |
+ { |
|
290 |
+- if (PRIV (sections) == NULL) |
|
291 |
++ if (PRIV (sections) == NULL || cur_psidx >= (int) PRIV (section_count)) |
|
292 |
+ return FALSE; |
|
293 |
+ reloc->sym_ptr_ptr = |
|
294 |
+ PRIV (sections)[cur_psidx]->symbol_ptr_ptr; |
|
295 |
+diff --git a/binutils/rddbg.c b/binutils/rddbg.c |
|
296 |
+index 1d8c447..b978060 100644 |
|
297 |
+--- a/binutils/rddbg.c |
|
298 |
+@@ -303,7 +303,8 @@ read_symbol_stabs_debugging_info (bfd *abfd, asymbol **syms, long symcount, |
|
299 |
+ return FALSE; |
|
300 |
+ f = NULL; |
|
301 |
+ |
|
302 |
+- while (s[strlen (s) - 1] == '\\' |
|
303 |
++ while (strlen (s) > 0 |
|
304 |
++ && s[strlen (s) - 1] == '\\' |
|
305 |
+ && ps + 1 < symend) |
|
306 |
+ { |
|
307 |
+ char *sc, *n; |
|
308 |
+-- |
|
309 |
+2.9.3 |
|
310 |
+ |
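--- a/binutils.spec
+++ b/binutils.spec
@@ -1,7 +1,7 @@
 Summary: Contains a linker, an assembler, and other tools
 Name: binutils
 Version: 2.29
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 URL: http://www.gnu.org/software/binutils
 Group: System Environment/Base
@@ -11,6 +11,12 @@ Source0: http://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz
 %define sha1 binutils=47817089b3867baf307365004c51677174a27000
 Patch0: check-elf-section-header-only-for-elf-output.patch
 Patch1: elf-checks-for-orphan-placement.patch
+Patch2: CVE-2017-12448.patch
+Patch3: CVE-2017-12449_12455_12457_12458_12459.patch
+Patch4: CVE-2017-12450.patch
+Patch5: CVE-2017-12451.patch
+Patch6: CVE-2017-12452_12453_12454_12456.patch
+
 %description
 The Binutils package contains a linker, an assembler,
 and other tools for handling object files.
@@ -24,6 +30,11 @@ for handling compiled objects.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
 %build
 install -vdm 755 ../binutils-build
 cd ../binutils-build
@@ -192,6 +203,10 @@ make %{?_smp_mflags} check
 %{_libdir}/libopcodes.so
 
 %changelog
+* Fri Aug 11 2017 Anish Swaminathan <anishs@vmware.com> 2.29-3
+- Apply patches for CVE-2017-12448,CVE-2017-12449,CVE-2017-12450,CVE-2017-12451,
+- CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12455,CVE-2017-12456,
+- CVE-2017-12457,CVE-2017-12458,CVE-2017-12459
 * Tue Aug 8 2017 Rongrong Qiu <rqiu@vmware.com> 2.29-2
 - fix for make check for bug 1900247
 * Wed Aug 2 2017 Alexey Makhalov <amakhalov@vmware.com> 2.29-1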
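Review bot: The wrapped CVE list in the new %changelog entry starts every continuation line with `- `, so what is one logical entry reads as three separate bullets in `rpm -q --changelog` output. Indent the continuation lines instead of re-bulleting them, e.g. `- Apply patches for CVE-2017-12448, CVE-2017-12449, CVE-2017-12450, CVE-2017-12451,` followed by `  CVE-2017-12452, CVE-2017-12453, ...` with two leading spaces and no dash. The Patch2–Patch6 declarations and the matching %patch2–%patch6 lines in %prep are consistent with each other, so the rest of the hunk looks fine.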