diff options
| author | Max Rees <maxcrees@me.com> | 2019-08-01 03:15:42 -0500 |
|---|---|---|
| committer | Max Rees <maxcrees@me.com> | 2019-08-01 03:15:42 -0500 |
| commit | 0a29ea8a1e1a794d19ba9f23ccc2836379419e18 (patch) | |
| tree | 407c1ab5977afd63aa60c6bd7308439700178682 /system/binutils/CVE-2019-9075.patch | |
| parent | addcb5d4b2d24c7927c597d156f5a31a3df2ab31 (diff) | |
| download | packages-0a29ea8a1e1a794d19ba9f23ccc2836379419e18.tar.gz packages-0a29ea8a1e1a794d19ba9f23ccc2836379419e18.tar.bz2 packages-0a29ea8a1e1a794d19ba9f23ccc2836379419e18.tar.xz packages-0a29ea8a1e1a794d19ba9f23ccc2836379419e18.zip | |
system/binutils: patch multiple CVEs (#116)
Diffstat (limited to 'system/binutils/CVE-2019-9075.patch')
| -rw-r--r-- | system/binutils/CVE-2019-9075.patch | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/system/binutils/CVE-2019-9075.patch b/system/binutils/CVE-2019-9075.patch new file mode 100644 index 000000000..0084d3368 --- /dev/null +++ b/system/binutils/CVE-2019-9075.patch @@ -0,0 +1,96 @@ +From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 20 Feb 2019 08:21:24 +1030 +Subject: [PATCH] PR24236, Heap buffer overflow in + _bfd_archive_64_bit_slurp_armap + + PR 24236 + * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding + sentinel NUL to string buffer nearer to loop where it is used. + Don't go past sentinel when scanning strings, and don't write + NUL again. + * archive.c (do_slurp_coff_armap): Simplify string handling to + archive64.c style. +--- + bfd/archive.c | 17 +++++++---------- + bfd/archive64.c | 10 +++++----- + 3 files changed, 22 insertions(+), 15 deletions(-) + +diff --git a/bfd/archive.c b/bfd/archive.c +index d2d9b72..68a92a3 100644 +--- a/bfd/archive.c ++++ b/bfd/archive.c +@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd) + int *raw_armap, *rawptr; + struct artdata *ardata = bfd_ardata (abfd); + char *stringbase; ++ char *stringend; + bfd_size_type stringsize; + bfd_size_type parsed_size; + carsym *carsyms; +@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd) + } + + /* OK, build the carsyms. */ +- for (i = 0; i < nsymz && stringsize > 0; i++) ++ stringend = stringbase + stringsize; ++ *stringend = 0; ++ for (i = 0; i < nsymz; i++) + { +- bfd_size_type len; +- + rawptr = raw_armap + i; + carsyms->file_offset = swap ((bfd_byte *) rawptr); + carsyms->name = stringbase; +- /* PR 17512: file: 4a1d50c1. */ +- len = strnlen (stringbase, stringsize); +- if (len < stringsize) +- len ++; +- stringbase += len; +- stringsize -= len; ++ stringbase += strlen (stringbase); ++ if (stringbase != stringend) ++ ++stringbase; + carsyms++; + } +- *stringbase = 0; + + ardata->symdef_count = nsymz; + ardata->first_file_filepos = bfd_tell (abfd); +diff --git a/bfd/archive64.c b/bfd/archive64.c +index 312bf82..42f6ed9 100644 +--- a/bfd/archive64.c ++++ b/bfd/archive64.c +@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) + return FALSE; + carsyms = ardata->symdefs; + stringbase = ((char *) ardata->symdefs) + carsym_size; +- stringbase[stringsize] = 0; +- stringend = stringbase + stringsize; + + raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize); + if (raw_armap == NULL) +@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) + goto release_raw_armap; + } + ++ stringend = stringbase + stringsize; ++ *stringend = 0; + for (i = 0; i < nsymz; i++) + { + carsyms->file_offset = bfd_getb64 (raw_armap + i * 8); + carsyms->name = stringbase; +- if (stringbase < stringend) +- stringbase += strlen (stringbase) + 1; ++ stringbase += strlen (stringbase); ++ if (stringbase != stringend) ++ ++stringbase; + ++carsyms; + } +- *stringbase = '\0'; + + ardata->symdef_count = nsymz; + ardata->first_file_filepos = bfd_tell (abfd); +-- +2.9.3 + |