new file mode 100644

@@ -0,0 +1,30 @@

+From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001

+From: Alan Modra <amodra@gmail.com>

+Date: Sat, 27 Jan 2018 08:19:33 +1030

+Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object

+

+	PR 22741

+	* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in

+	range before converting to a symbol table pointer.

+---

+ bfd/ChangeLog | 6 ++++++

+ bfd/coffgen.c | 3 ++-

+ 2 files changed, 8 insertions(+), 1 deletion(-)

+

+diff --git a/bfd/coffgen.c b/bfd/coffgen.c

+index b241087..4f90ead 100644

+--- a/bfd/coffgen.c

+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,

+     }

+   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can

+      generate one, so we must be careful to ignore it.  */

+-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)

++  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l

++      < obj_raw_syment_count (abfd))

+     {

+       auxent->u.auxent.x_sym.x_tagndx.p =

+ 	table_base + auxent->u.auxent.x_sym.x_tagndx.l;

+-- 

+2.9.3

+

new file mode 100644

@@ -0,0 +1,85 @@

+From d11ae95ea3403559f052903ab053f43ad7821e37 Mon Sep 17 00:00:00 2001

+From: Nick Clifton <nickc@redhat.com>

+Date: Thu, 1 Mar 2018 16:14:08 +0000

+Subject: [PATCH] Prevent illegal memory accesses triggerd by intger overflow

+ when parsing corrupt DWARF information on a 32-bit host.

+

+	PR 22905

+	* dwarf.c (display_debug_ranges): Check that the offset loaded

+	from the range_entry structure is valid.

+---

+ binutils/ChangeLog |  6 ++++++

+ binutils/dwarf.c   | 15 +++++++++++++++

+ 2 files changed, 21 insertions(+)

+

+diff --git a/binutils/dwarf.c b/binutils/dwarf.c

+index 6aca9b7..17896e6 100644

+--- a/binutils/dwarf.c

+@@ -387,6 +387,9 @@ read_uleb128 (unsigned char * data,

+     }								\

+   while (0)

+ 

++/* Read AMOUNT bytes from PTR and store them in VAL as an unsigned value.

++   Checks to make sure that the read will not reach or pass END

++   and that VAL is big enough to hold AMOUNT bytes.  */

+ #define SAFE_BYTE_GET(VAL, PTR, AMOUNT, END)	\

+   do						\

+     {						\

+@@ -415,6 +418,7 @@ read_uleb128 (unsigned char * data,

+     }						\

+   while (0)

+ 

++/* Like SAFE_BYTE_GET, but also increments PTR by AMOUNT.  */

+ #define SAFE_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END)	\

+   do							\

+     {							\

+@@ -423,6 +427,7 @@ read_uleb128 (unsigned char * data,

+     }							\

+   while (0)

+ 

++/* Like SAFE_BYTE_GET, but reads a signed value.  */

+ #define SAFE_SIGNED_BYTE_GET(VAL, PTR, AMOUNT, END)	\

+   do							\

+     {							\

+@@ -441,6 +446,7 @@ read_uleb128 (unsigned char * data,

+     }							\

+   while (0)

+ 

++/* Like SAFE_SIGNED_BYTE_GET, but also increments PTR by AMOUNT.  */

+ #define SAFE_SIGNED_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END)	\

+   do								\

+     {								\

+@@ -6543,6 +6549,7 @@ display_debug_ranges_list (unsigned char *start, unsigned char *finish,

+ 	break;

+       SAFE_SIGNED_BYTE_GET_AND_INC (end, start, pointer_size, finish);

+ 

++      

+       printf ("    %8.8lx ", offset);

+ 

+       if (begin == 0 && end == 0)

+@@ -6810,6 +6817,13 @@ display_debug_ranges (struct dwarf_section *section,

+ 	  continue;

+ 	}

+ 

++      if (next < section_begin || next >= finish)

++	{

++	  warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),

++		(unsigned long) offset, i);

++	  continue;

++	}

++

+       if (dwarf_check != 0 && i > 0)

+ 	{

+ 	  if (start < next)

+@@ -6825,6 +6839,7 @@ display_debug_ranges (struct dwarf_section *section,

+ 		    (unsigned long) (next - section_begin), section->name);

+ 	    }

+ 	}

++

+       start = next;

+       last_start = next;

+ 

+-- 

+2.9.3

+

@@ -1,7 +1,7 @@

 Summary:        Contains a linker, an assembler, and other tools

 Name:           binutils

 Version:        2.30

-Release:        3%{?dist}

+Release:        4%{?dist}

 License:        GPLv2+

 URL:            http://www.gnu.org/software/binutils

 Group:          System Environment/Base

@@ -10,6 +10,8 @@ Distribution:   Photon

 Source0:        http://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz

 %define sha1    binutils=574d3b5650413d6ee65195a4f5ecbddc3a38f718

 Patch0:         binutils-2.30-CVE-2018-6543.patch

+Patch1:         binutils-2.30-CVE-2018-7643.patch

+Patch2:         binutils-2.30-CVE-2018-7208.patch

 %description

 The Binutils package contains a linker, an assembler,

 and other tools for handling object files.

@@ -22,6 +24,8 @@ for handling compiled objects.

 %prep

 %setup -q

 %patch0 -p1

+%patch1 -p1

+%patch2 -p1

 %build

 install -vdm 755 ../binutils-build

@@ -112,6 +116,8 @@ make %{?_smp_mflags} check

 %{_lib64dir}/libiberty.a

 %changelog

+*   Tue Apr 17 2018 Xiaolin Li <xiaolinl@vmware.com> 2.30-4

+-   Fix CVE-2018-7643, CVE-2018-7208

 *   Mon Mar 19 2018 Alexey Makhalov <amakhalov@vmware.com> 2.30-3

 -   Add libiberty to the -devel package

 *   Wed Feb 28 2018 Xiaolin Li <xiaolinl@vmware.com> 2.30-2