diff options
author | A. Wilcox <awilcox@wilcox-tech.com> | 2019-10-17 00:32:50 +0000 |
---|---|---|
committer | A. Wilcox <awilcox@wilcox-tech.com> | 2019-10-17 00:32:50 +0000 |
commit | c665adb6aa1d2253d650989bd6f72ceca79747d1 (patch) | |
tree | 186a1b93a14ea53d9635984fddf50e82ad3eb92a /system/binutils/CVE-2019-17451.patch | |
parent | e4100adf318e482a9932afcdea301b2339967698 (diff) | |
parent | 3bd6d256fad70f5c9089bcde94480eca572693d5 (diff) | |
download | packages-c665adb6aa1d2253d650989bd6f72ceca79747d1.tar.gz packages-c665adb6aa1d2253d650989bd6f72ceca79747d1.tar.bz2 packages-c665adb6aa1d2253d650989bd6f72ceca79747d1.tar.xz packages-c665adb6aa1d2253d650989bd6f72ceca79747d1.zip |
Merge branch 'cves.2019.10.16' into 'master'
CVE patches for 2019.10.16
See merge request adelie/packages!366
Diffstat (limited to 'system/binutils/CVE-2019-17451.patch')
-rw-r--r-- | system/binutils/CVE-2019-17451.patch | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/system/binutils/CVE-2019-17451.patch b/system/binutils/CVE-2019-17451.patch new file mode 100644 index 000000000..f6af71601 --- /dev/null +++ b/system/binutils/CVE-2019-17451.patch @@ -0,0 +1,38 @@ +From 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 9 Oct 2019 10:47:13 +1030 +Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line + +Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1 +and ffffd5555453b140 result in a total size of 1. Reading the first +section of course overflows the buffer and tramples on other memory. + + PR 25070 + * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of + total_size calculation. + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index d39f4fd..88aaa2d 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, + for (total_size = 0; + msec; + msec = find_debug_info (debug_bfd, debug_sections, msec)) +- total_size += msec->size; ++ { ++ /* Catch PR25070 testcase overflowing size calculation here. */ ++ if (total_size + msec->size < total_size ++ || total_size + msec->size < msec->size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return FALSE; ++ } ++ total_size += msec->size; ++ } + + stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); + if (stash->info_ptr_memory == NULL) +-- +2.9.3 + |