summaryrefslogtreecommitdiff
path: root/system/binutils/CVE-2019-9075.patch
blob: 0084d3368d38d27060bfc3b28338638a2aeea932 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 20 Feb 2019 08:21:24 +1030
Subject: [PATCH] PR24236, Heap buffer overflow in
 _bfd_archive_64_bit_slurp_armap

	PR 24236
	* archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
	sentinel NUL to string buffer nearer to loop where it is used.
	Don't go past sentinel when scanning strings, and don't write
	NUL again.
	* archive.c (do_slurp_coff_armap): Simplify string handling to
	archive64.c style.
---
 bfd/archive.c   | 17 +++++++----------
 bfd/archive64.c | 10 +++++-----
 3 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/bfd/archive.c b/bfd/archive.c
index d2d9b72..68a92a3 100644
--- a/bfd/archive.c
+++ b/bfd/archive.c
@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
   int *raw_armap, *rawptr;
   struct artdata *ardata = bfd_ardata (abfd);
   char *stringbase;
+  char *stringend;
   bfd_size_type stringsize;
   bfd_size_type parsed_size;
   carsym *carsyms;
@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
     }
 
   /* OK, build the carsyms.  */
-  for (i = 0; i < nsymz && stringsize > 0; i++)
+  stringend = stringbase + stringsize;
+  *stringend = 0;
+  for (i = 0; i < nsymz; i++)
     {
-      bfd_size_type len;
-
       rawptr = raw_armap + i;
       carsyms->file_offset = swap ((bfd_byte *) rawptr);
       carsyms->name = stringbase;
-      /* PR 17512: file: 4a1d50c1.  */
-      len = strnlen (stringbase, stringsize);
-      if (len < stringsize)
-	len ++;
-      stringbase += len;
-      stringsize -= len;
+      stringbase += strlen (stringbase);
+      if (stringbase != stringend)
+	++stringbase;
       carsyms++;
     }
-  *stringbase = 0;
 
   ardata->symdef_count = nsymz;
   ardata->first_file_filepos = bfd_tell (abfd);
diff --git a/bfd/archive64.c b/bfd/archive64.c
index 312bf82..42f6ed9 100644
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
     return FALSE;
   carsyms = ardata->symdefs;
   stringbase = ((char *) ardata->symdefs) + carsym_size;
-  stringbase[stringsize] = 0;
-  stringend = stringbase + stringsize;
 
   raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
   if (raw_armap == NULL)
@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
       goto release_raw_armap;
     }
 
+  stringend = stringbase + stringsize;
+  *stringend = 0;
   for (i = 0; i < nsymz; i++)
     {
       carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
       carsyms->name = stringbase;
-      if (stringbase < stringend)
-	stringbase += strlen (stringbase) + 1;
+      stringbase += strlen (stringbase);
+      if (stringbase != stringend)
+	++stringbase;
       ++carsyms;
     }
-  *stringbase = '\0';
 
   ardata->symdef_count = nsymz;
   ardata->first_file_filepos = bfd_tell (abfd);
-- 
2.9.3