summaryrefslogtreecommitdiff
path: root/system/binutils/CVE-2019-17451.patch
diff options
context:
space:
mode:
authorMax Rees <maxcrees@me.com>2019-10-16 16:29:42 -0500
committerMax Rees <maxcrees@me.com>2019-10-16 16:30:19 -0500
commit8c4d830f564c6c9a7448556d157d54247618292c (patch)
treef99983f7e5d74f2707afb30c87a95f0305ae1aa3 /system/binutils/CVE-2019-17451.patch
parent2c0bf1b6c7c02036484a225cb2c4ea0d85205ad5 (diff)
downloadpackages-8c4d830f564c6c9a7448556d157d54247618292c.tar.gz
packages-8c4d830f564c6c9a7448556d157d54247618292c.tar.bz2
packages-8c4d830f564c6c9a7448556d157d54247618292c.tar.xz
packages-8c4d830f564c6c9a7448556d157d54247618292c.zip
system/binutils: patch CVE-2019-17450 and CVE-2019-17451 (#212)
Diffstat (limited to 'system/binutils/CVE-2019-17451.patch')
-rw-r--r--system/binutils/CVE-2019-17451.patch38
1 files changed, 38 insertions, 0 deletions
diff --git a/system/binutils/CVE-2019-17451.patch b/system/binutils/CVE-2019-17451.patch
new file mode 100644
index 000000000..f6af71601
--- /dev/null
+++ b/system/binutils/CVE-2019-17451.patch
@@ -0,0 +1,38 @@
+From 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 10:47:13 +1030
+Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
+
+Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
+and ffffd5555453b140 result in a total size of 1. Reading the first
+section of course overflows the buffer and tramples on other memory.
+
+ PR 25070
+ * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+ total_size calculation.
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index d39f4fd..88aaa2d 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
+ for (total_size = 0;
+ msec;
+ msec = find_debug_info (debug_bfd, debug_sections, msec))
+- total_size += msec->size;
++ {
++ /* Catch PR25070 testcase overflowing size calculation here. */
++ if (total_size + msec->size < total_size
++ || total_size + msec->size < msec->size)
++ {
++ bfd_set_error (bfd_error_no_memory);
++ return FALSE;
++ }
++ total_size += msec->size;
++ }
+
+ stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+ if (stash->info_ptr_memory == NULL)
+--
+2.9.3
+