diff options
Diffstat (limited to 'meta/recipes-devtools/binutils')
35 files changed, 7052 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc index 40b518bf7a..1784c52ffa 100644 --- a/meta/recipes-devtools/binutils/binutils-2.28.inc +++ b/meta/recipes-devtools/binutils/binutils-2.28.inc @@ -43,6 +43,40 @@ SRC_URI = "\ file://CVE-2017-6969_2.patch \ file://CVE-2017-7209.patch \ file://CVE-2017-7210.patch \ + file://CVE-2017-7223.patch \ + file://CVE-2017-7614.patch \ + file://CVE-2017-8393.patch \ + file://CVE-2017-8394.patch \ + file://CVE-2017-8395.patch \ + file://CVE-2017-8396_8397.patch \ + file://CVE-2017-8398.patch \ + file://CVE-2017-8421.patch \ + file://CVE-2017-9038_9044.patch \ + file://CVE-2017-9039.patch \ + file://CVE-2017-9040_9042.patch \ + file://CVE-2017-9742.patch \ + file://CVE-2017-9744.patch \ + file://CVE-2017-9745.patch \ + file://CVE-2017-9746.patch \ + file://CVE-2017-9747.patch \ + file://CVE-2017-9748.patch \ + file://CVE-2017-9749.patch \ + file://CVE-2017-9750.patch \ + file://CVE-2017-9751.patch \ + file://CVE-2017-9752.patch \ + file://CVE-2017-9753.patch \ + file://CVE-2017-9755.patch \ + file://CVE-2017-9756.patch \ + file://CVE-2017-9954.patch \ + file://CVE-2017-9955_1.patch \ + file://CVE-2017-9955_2.patch \ + file://CVE-2017-9955_3.patch \ + file://CVE-2017-9955_4.patch \ + file://CVE-2017-9955_5.patch \ + file://CVE-2017-9955_6.patch \ + file://CVE-2017-9955_7.patch \ + file://CVE-2017-9955_8.patch \ + file://CVE-2017-9955_9.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7223.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7223.patch new file mode 100644 index 0000000000..c78c8bf00a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7223.patch @@ -0,0 +1,52 @@ +From 69ace2200106348a1b00d509a6a234337c104c17 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 1 Dec 2016 15:20:19 +0000 +Subject: [PATCH] Fix seg fault attempting to unget an EOF character. + + PR gas/20898 + * app.c (do_scrub_chars): Do not attempt to unget EOF. + +Affects: <= 2.28 +Upstream-Status: Backport +CVE: CVE-2017-7223 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + gas/ChangeLog | 3 +++ + gas/app.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +Index: git/gas/ChangeLog +=================================================================== +--- git.orig/gas/ChangeLog ++++ git/gas/ChangeLog +@@ -1,3 +1,8 @@ ++2016-12-01 Nick Clifton <nickc@redhat.com> ++ ++ PR gas/20898 ++ * app.c (do_scrub_chars): Do not attempt to unget EOF. ++ + 2017-03-02 Tristan Gingold <gingold@adacore.com> + + * configure: Regenerate. +@@ -198,7 +203,6 @@ + * config/tc-pru.c (md_number_to_chars): Fix parameter to be + valueT, as declared in tc.h. + (md_apply_fix): Fix to work on 32-bit hosts. +->>>>>>> 0115611... RISC-V/GAS: Correct branch relaxation for weak symbols. + + 2017-01-02 Alan Modra <amodra@gmail.com> + +Index: git/gas/app.c +=================================================================== +--- git.orig/gas/app.c ++++ git/gas/app.c +@@ -1350,7 +1350,7 @@ do_scrub_chars (size_t (*get) (char *, s + PUT (ch); + break; + } +- else ++ else if (ch2 != EOF) + { + state = 9; + if (ch == EOF || !IS_SYMBOL_COMPONENT (ch)) diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7614.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7614.patch new file mode 100644 index 0000000000..be8631ab78 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7614.patch @@ -0,0 +1,103 @@ +From ad32986fdf9da1c8748e47b8b45100398223dba8 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 4 Apr 2017 11:23:36 +0100 +Subject: [PATCH] Fix null pointer dereferences when using a link built with + clang. + + PR binutils/21342 + * elflink.c (_bfd_elf_define_linkage_sym): Prevent null pointer + dereference. + (bfd_elf_final_link): Only initialize the extended symbol index + section if there are extended symbol tables to list. + +Upstream-Status: Backport +CVE: CVE-2017-7614 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 8 ++++++++ + bfd/elflink.c | 35 +++++++++++++++++++++-------------- + 2 files changed, 29 insertions(+), 14 deletions(-) + +Index: git/bfd/elflink.c +=================================================================== +--- git.orig/bfd/elflink.c ++++ git/bfd/elflink.c +@@ -119,15 +119,18 @@ _bfd_elf_define_linkage_sym (bfd *abfd, + defined in shared libraries can't be overridden, because we + lose the link to the bfd which is via the symbol section. */ + h->root.type = bfd_link_hash_new; ++ bh = &h->root; + } ++ else ++ bh = NULL; + +- bh = &h->root; + bed = get_elf_backend_data (abfd); + if (!_bfd_generic_link_add_one_symbol (info, abfd, name, BSF_GLOBAL, + sec, 0, NULL, FALSE, bed->collect, + &bh)) + return NULL; + h = (struct elf_link_hash_entry *) bh; ++ BFD_ASSERT (h != NULL); + h->def_regular = 1; + h->non_elf = 0; + h->root.linker_def = 1; +@@ -11973,24 +11976,28 @@ bfd_elf_final_link (bfd *abfd, struct bf + { + /* Finish up and write out the symbol string table (.strtab) + section. */ +- Elf_Internal_Shdr *symstrtab_hdr; ++ Elf_Internal_Shdr *symstrtab_hdr = NULL; + file_ptr off = symtab_hdr->sh_offset + symtab_hdr->sh_size; + +- symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr; +- if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0) ++ if (elf_symtab_shndx_list (abfd)) + { +- symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX; +- symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx); +- symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx); +- amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx); +- symtab_shndx_hdr->sh_size = amt; ++ symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr; + +- off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr, +- off, TRUE); ++ if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0) ++ { ++ symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX; ++ symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx); ++ symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx); ++ amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx); ++ symtab_shndx_hdr->sh_size = amt; + +- if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0 +- || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt)) +- return FALSE; ++ off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr, ++ off, TRUE); ++ ++ if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0 ++ || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt)) ++ return FALSE; ++ } + } + + symstrtab_hdr = &elf_tdata (abfd)->strtab_hdr; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,11 @@ ++2017-04-04 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21342 ++ * elflink.c (_bfd_elf_define_linkage_sym): Prevent null pointer ++ dereference. ++ (bfd_elf_final_link): Only initialize the extended symbol index ++ section if there are extended symbol tables to list. ++ + 2017-03-07 Alan Modra <amodra@gmail.com> + + PR 21224 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch new file mode 100644 index 0000000000..8500a03b13 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch @@ -0,0 +1,205 @@ +From bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 23 Apr 2017 11:03:34 +0930 +Subject: [PATCH] PR 21412, get_reloc_section assumes .rel/.rela name for + SHT_REL/RELA. + +This patch fixes an assumption made by code that runs for objcopy and +strip, that SHT_REL/SHR_RELA sections are always named starting with a +.rel/.rela prefix. I'm also modifying the interface for +elf_backend_get_reloc_section, so any backend function just needs to +handle name mapping. + + PR 21412 + * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change + parameters and comment. + (_bfd_elf_get_reloc_section): Delete. + (_bfd_elf_plt_get_reloc_section): Declare. + * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section): + New functions. Don't blindly skip over assumed .rel/.rela prefix. + Extracted from.. + (_bfd_elf_get_reloc_section): ..here. Delete. + (assign_section_numbers): Call elf_get_reloc_section. + * elf64-ppc.c (elf_backend_get_reloc_section): Define. + * elfxx-target.h (elf_backend_get_reloc_section): Update. + +Upstream-Status: Backport +CVE: CVE-2017-8393 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 15 ++++++++++++++ + bfd/elf-bfd.h | 8 ++++--- + bfd/elf.c | 61 +++++++++++++++++++++++++++++++----------------------- + bfd/elf64-ppc.c | 1 + + bfd/elfxx-target.h | 2 +- + 5 files changed, 57 insertions(+), 30 deletions(-) + +Index: git/bfd/elf-bfd.h +=================================================================== +--- git.orig/bfd/elf-bfd.h ++++ git/bfd/elf-bfd.h +@@ -1322,8 +1322,10 @@ struct elf_backend_data + bfd_size_type (*maybe_function_sym) (const asymbol *sym, asection *sec, + bfd_vma *code_off); + +- /* Return the section which RELOC_SEC applies to. */ +- asection *(*get_reloc_section) (asection *reloc_sec); ++ /* Given NAME, the name of a relocation section stripped of its ++ .rel/.rela prefix, return the section in ABFD to which the ++ relocations apply. */ ++ asection *(*get_reloc_section) (bfd *abfd, const char *name); + + /* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which + has a type >= SHT_LOOS. Returns TRUE if the fields were initialised, +@@ -2392,7 +2394,7 @@ extern bfd_boolean _bfd_elf_is_function_ + extern bfd_size_type _bfd_elf_maybe_function_sym (const asymbol *, asection *, + bfd_vma *); + +-extern asection *_bfd_elf_get_reloc_section (asection *); ++extern asection *_bfd_elf_plt_get_reloc_section (bfd *, const char *); + + extern int bfd_elf_get_default_section_type (flagword); + +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c ++++ git/bfd/elf.c +@@ -3532,17 +3532,39 @@ bfd_elf_set_group_contents (bfd *abfd, a + H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc); + } + +-/* Return the section which RELOC_SEC applies to. */ ++/* Given NAME, the name of a relocation section stripped of its ++ .rel/.rela prefix, return the section in ABFD to which the ++ relocations apply. */ + + asection * +-_bfd_elf_get_reloc_section (asection *reloc_sec) ++_bfd_elf_plt_get_reloc_section (bfd *abfd, const char *name) ++{ ++ /* If a target needs .got.plt section, relocations in rela.plt/rel.plt ++ section likely apply to .got.plt or .got section. */ ++ if (get_elf_backend_data (abfd)->want_got_plt ++ && strcmp (name, ".plt") == 0) ++ { ++ asection *sec; ++ ++ name = ".got.plt"; ++ sec = bfd_get_section_by_name (abfd, name); ++ if (sec != NULL) ++ return sec; ++ name = ".got"; ++ } ++ ++ return bfd_get_section_by_name (abfd, name); ++} ++ ++/* Return the section to which RELOC_SEC applies. */ ++ ++static asection * ++elf_get_reloc_section (asection *reloc_sec) + { + const char *name; + unsigned int type; + bfd *abfd; +- +- if (reloc_sec == NULL) +- return NULL; ++ const struct elf_backend_data *bed; + + type = elf_section_data (reloc_sec)->this_hdr.sh_type; + if (type != SHT_REL && type != SHT_RELA) +@@ -3550,28 +3572,15 @@ _bfd_elf_get_reloc_section (asection *re + + /* We look up the section the relocs apply to by name. */ + name = reloc_sec->name; +- if (type == SHT_REL) +- name += 4; +- else +- name += 5; ++ if (strncmp (name, ".rel", 4) != 0) ++ return NULL; ++ name += 4; ++ if (type == SHT_RELA && *name++ != 'a') ++ return NULL; + +- /* If a target needs .got.plt section, relocations in rela.plt/rel.plt +- section apply to .got.plt section. */ + abfd = reloc_sec->owner; +- if (get_elf_backend_data (abfd)->want_got_plt +- && strcmp (name, ".plt") == 0) +- { +- /* .got.plt is a linker created input section. It may be mapped +- to some other output section. Try two likely sections. */ +- name = ".got.plt"; +- reloc_sec = bfd_get_section_by_name (abfd, name); +- if (reloc_sec != NULL) +- return reloc_sec; +- name = ".got"; +- } +- +- reloc_sec = bfd_get_section_by_name (abfd, name); +- return reloc_sec; ++ bed = get_elf_backend_data (abfd); ++ return bed->get_reloc_section (abfd, name); + } + + /* Assign all ELF section numbers. The dummy first section is handled here +@@ -3833,7 +3842,7 @@ assign_section_numbers (bfd *abfd, struc + if (s != NULL) + d->this_hdr.sh_link = elf_section_data (s)->this_idx; + +- s = get_elf_backend_data (abfd)->get_reloc_section (sec); ++ s = elf_get_reloc_section (sec); + if (s != NULL) + { + d->this_hdr.sh_info = elf_section_data (s)->this_idx; +Index: git/bfd/elf64-ppc.c +=================================================================== +--- git.orig/bfd/elf64-ppc.c ++++ git/bfd/elf64-ppc.c +@@ -121,6 +121,7 @@ static bfd_vma opd_entry_value + #define elf_backend_special_sections ppc64_elf_special_sections + #define elf_backend_merge_symbol_attribute ppc64_elf_merge_symbol_attribute + #define elf_backend_merge_symbol ppc64_elf_merge_symbol ++#define elf_backend_get_reloc_section bfd_get_section_by_name + + /* The name of the dynamic interpreter. This is put in the .interp + section. */ +Index: git/bfd/elfxx-target.h +=================================================================== +--- git.orig/bfd/elfxx-target.h ++++ git/bfd/elfxx-target.h +@@ -706,7 +706,7 @@ + #endif + + #ifndef elf_backend_get_reloc_section +-#define elf_backend_get_reloc_section _bfd_elf_get_reloc_section ++#define elf_backend_get_reloc_section _bfd_elf_plt_get_reloc_section + #endif + + #ifndef elf_backend_copy_special_section_fields +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,18 @@ ++2017-04-23 Alan Modra <amodra@gmail.com> ++ ++ PR 21412 ++ * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change ++ parameters and comment. ++ (_bfd_elf_get_reloc_section): Delete. ++ (_bfd_elf_plt_get_reloc_section): Declare. ++ * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section): ++ New functions. Don't blindly skip over assumed .rel/.rela prefix. ++ Extracted from.. ++ (_bfd_elf_get_reloc_section): ..here. Delete. ++ (assign_section_numbers): Call elf_get_reloc_section. ++ * elf64-ppc.c (elf_backend_get_reloc_section): Define. ++ * elfxx-target.h (elf_backend_get_reloc_section): Update. ++ + 2017-04-04 Nick Clifton <nickc@redhat.com> + + PR binutils/21342 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8394.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8394.patch new file mode 100644 index 0000000000..e6c6b17da4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8394.patch @@ -0,0 +1,118 @@ +From 7eacd66b086cabb1daab20890d5481894d4f56b2 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 23 Apr 2017 15:21:11 +0930 +Subject: [PATCH] PR 21414, null pointer deref of _bfd_elf_large_com_section + sym + + PR 21414 + * section.c (GLOBAL_SYM_INIT): Make available in bfd.h. + * elf.c (lcomm_sym): New. + (_bfd_elf_large_com_section): Use lcomm_sym section symbol. + * bfd-in2.h: Regenerate. + +Upstream-Status: Backport +CVE: CVE-2017-8394 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 8 ++++++++ + bfd/bfd-in2.h | 12 ++++++++++++ + bfd/elf.c | 6 ++++-- + bfd/section.c | 24 ++++++++++++------------ + 4 files changed, 36 insertions(+), 14 deletions(-) + +Index: git/bfd/bfd-in2.h +=================================================================== +--- git.orig/bfd/bfd-in2.h ++++ git/bfd/bfd-in2.h +@@ -1838,6 +1838,18 @@ extern asection _bfd_std_section[4]; + { NULL }, { NULL } \ + } + ++/* We use a macro to initialize the static asymbol structures because ++ traditional C does not permit us to initialize a union member while ++ gcc warns if we don't initialize it. ++ the_bfd, name, value, attr, section [, udata] */ ++#ifdef __STDC__ ++#define GLOBAL_SYM_INIT(NAME, SECTION) \ ++ { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }} ++#else ++#define GLOBAL_SYM_INIT(NAME, SECTION) \ ++ { 0, NAME, 0, BSF_SECTION_SYM, SECTION } ++#endif ++ + void bfd_section_list_clear (bfd *); + + asection *bfd_get_section_by_name (bfd *abfd, const char *name); +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c ++++ git/bfd/elf.c +@@ -11164,9 +11164,11 @@ _bfd_elf_get_synthetic_symtab (bfd *abfd + + /* It is only used by x86-64 so far. + ??? This repeats *COM* id of zero. sec->id is supposed to be unique, +- but current usage would allow all of _bfd_std_section to be zero. t*/ ++ but current usage would allow all of _bfd_std_section to be zero. */ ++static const asymbol lcomm_sym ++ = GLOBAL_SYM_INIT ("LARGE_COMMON", &_bfd_elf_large_com_section); + asection _bfd_elf_large_com_section +- = BFD_FAKE_SECTION (_bfd_elf_large_com_section, NULL, ++ = BFD_FAKE_SECTION (_bfd_elf_large_com_section, &lcomm_sym, + "LARGE_COMMON", 0, SEC_IS_COMMON); + + void +Index: git/bfd/section.c +=================================================================== +--- git.orig/bfd/section.c ++++ git/bfd/section.c +@@ -738,20 +738,20 @@ CODE_FRAGMENT + . { NULL }, { NULL } \ + . } + . ++.{* We use a macro to initialize the static asymbol structures because ++. traditional C does not permit us to initialize a union member while ++. gcc warns if we don't initialize it. ++. the_bfd, name, value, attr, section [, udata] *} ++.#ifdef __STDC__ ++.#define GLOBAL_SYM_INIT(NAME, SECTION) \ ++. { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }} ++.#else ++.#define GLOBAL_SYM_INIT(NAME, SECTION) \ ++. { 0, NAME, 0, BSF_SECTION_SYM, SECTION } ++.#endif ++. + */ + +-/* We use a macro to initialize the static asymbol structures because +- traditional C does not permit us to initialize a union member while +- gcc warns if we don't initialize it. */ +- /* the_bfd, name, value, attr, section [, udata] */ +-#ifdef __STDC__ +-#define GLOBAL_SYM_INIT(NAME, SECTION) \ +- { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }} +-#else +-#define GLOBAL_SYM_INIT(NAME, SECTION) \ +- { 0, NAME, 0, BSF_SECTION_SYM, SECTION } +-#endif +- + /* These symbols are global, not specific to any BFD. Therefore, anything + that tries to change them is broken, and should be repaired. */ + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,4 +1,12 @@ ++ + 2017-04-23 Alan Modra <amodra@gmail.com> ++ PR 21414 ++ * section.c (GLOBAL_SYM_INIT): Make available in bfd.h. ++ * elf.c (lcomm_sym): New. ++ (_bfd_elf_large_com_section): Use lcomm_sym section symbol. ++ * bfd-in2.h: Regenerate. ++ +++2017-04-23 Alan Modra <amodra@gmail.com> + + PR 21412 + * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8395.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8395.patch new file mode 100644 index 0000000000..0a9bce3372 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8395.patch @@ -0,0 +1,72 @@ +From e63d123268f23a4cbc45ee55fb6dbc7d84729da3 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 26 Apr 2017 13:07:49 +0100 +Subject: [PATCH] Fix seg-fault attempting to compress a debug section in a + corrupt binary. + + PR binutils/21431 + * compress.c (bfd_init_section_compress_status): Check the return + value from bfd_malloc. + +Upstream-Status: Backport +CVE: CVE-2017-8395 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/compress.c | 19 +++++++++---------- + 2 files changed, 15 insertions(+), 10 deletions(-) + +Index: git/bfd/compress.c +=================================================================== +--- git.orig/bfd/compress.c ++++ git/bfd/compress.c +@@ -542,7 +542,6 @@ bfd_init_section_compress_status (bfd *a + { + bfd_size_type uncompressed_size; + bfd_byte *uncompressed_buffer; +- bfd_boolean ret; + + /* Error if not opened for read. */ + if (abfd->direction != read_direction +@@ -558,18 +557,18 @@ bfd_init_section_compress_status (bfd *a + /* Read in the full section contents and compress it. */ + uncompressed_size = sec->size; + uncompressed_buffer = (bfd_byte *) bfd_malloc (uncompressed_size); ++ /* PR 21431 */ ++ if (uncompressed_buffer == NULL) ++ return FALSE; ++ + if (!bfd_get_section_contents (abfd, sec, uncompressed_buffer, + 0, uncompressed_size)) +- ret = FALSE; +- else +- { +- uncompressed_size = bfd_compress_section_contents (abfd, sec, +- uncompressed_buffer, +- uncompressed_size); +- ret = uncompressed_size != 0; +- } ++ return FALSE; + +- return ret; ++ uncompressed_size = bfd_compress_section_contents (abfd, sec, ++ uncompressed_buffer, ++ uncompressed_size); ++ return uncompressed_size != 0; + } + + /* +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,8 @@ ++2017-04-26 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21431 ++ * compress.c (bfd_init_section_compress_status): Check the return ++ value from bfd_malloc. + + 2017-04-23 Alan Modra <amodra@gmail.com> + PR 21414 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8396_8397.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8396_8397.patch new file mode 100644 index 0000000000..14f42824a0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8396_8397.patch @@ -0,0 +1,102 @@ +From a941291cab71b9ac356e1c03968c177c03e602ab Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 29 Apr 2017 14:48:16 +0930 +Subject: [PATCH] PR21432, buffer overflow in perform_relocation + +The existing reloc offset range tests didn't catch small negative +offsets less than the size of the reloc field. + + PR 21432 + * reloc.c (reloc_offset_in_range): New function. + (bfd_perform_relocation, bfd_install_relocation): Use it. + (_bfd_final_link_relocate): Likewise. + +Upstream-Status: Backport +CVE: CVE-2017-8396 +CVE: CVE-2017-8397 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 7 +++++++ + bfd/reloc.c | 32 ++++++++++++++++++++------------ + 2 files changed, 27 insertions(+), 12 deletions(-) + +Index: git/bfd/reloc.c +=================================================================== +--- git.orig/bfd/reloc.c ++++ git/bfd/reloc.c +@@ -538,6 +538,22 @@ bfd_check_overflow (enum complain_overfl + return flag; + } + ++/* HOWTO describes a relocation, at offset OCTET. Return whether the ++ relocation field is within SECTION of ABFD. */ ++ ++static bfd_boolean ++reloc_offset_in_range (reloc_howto_type *howto, bfd *abfd, ++ asection *section, bfd_size_type octet) ++{ ++ bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section); ++ bfd_size_type reloc_size = bfd_get_reloc_size (howto); ++ ++ /* The reloc field must be contained entirely within the section. ++ Allow zero length fields (marker relocs or NONE relocs where no ++ relocation will be performed) at the end of the section. */ ++ return octet <= octet_end && octet + reloc_size <= octet_end; ++} ++ + /* + FUNCTION + bfd_perform_relocation +@@ -618,13 +634,10 @@ bfd_perform_relocation (bfd *abfd, + /* PR 17512: file: 0f67f69d. */ + if (howto == NULL) + return bfd_reloc_undefined; +- +- /* Is the address of the relocation really within the section? +- Include the size of the reloc in the test for out of range addresses. +- PR 17512: file: c146ab8b, 46dff27f, 38e53ebf. */ ++ ++ /* Is the address of the relocation really within the section? */ + octets = reloc_entry->address * bfd_octets_per_byte (abfd); +- if (octets + bfd_get_reloc_size (howto) +- > bfd_get_section_limit_octets (abfd, input_section)) ++ if (!reloc_offset_in_range (howto, abfd, input_section, octets)) + return bfd_reloc_outofrange; + + /* Work out which section the relocation is targeted at and the +@@ -1012,8 +1025,7 @@ bfd_install_relocation (bfd *abfd, + + /* Is the address of the relocation really within the section? */ + octets = reloc_entry->address * bfd_octets_per_byte (abfd); +- if (octets + bfd_get_reloc_size (howto) +- > bfd_get_section_limit_octets (abfd, input_section)) ++ if (!reloc_offset_in_range (howto, abfd, input_section, octets)) + return bfd_reloc_outofrange; + + /* Work out which section the relocation is targeted at and the +@@ -1351,8 +1363,7 @@ _bfd_final_link_relocate (reloc_howto_ty + bfd_size_type octets = address * bfd_octets_per_byte (input_bfd); + + /* Sanity check the address. */ +- if (octets + bfd_get_reloc_size (howto) +- > bfd_get_section_limit_octets (input_bfd, input_section)) ++ if (!reloc_offset_in_range (howto, input_bfd, input_section, octets)) + return bfd_reloc_outofrange; + + /* This function assumes that we are dealing with a basic relocation +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-04-29 Alan Modra <amodra@gmail.com> ++ ++ PR 21432 ++ * reloc.c (reloc_offset_in_range): New function. ++ (bfd_perform_relocation, bfd_install_relocation): Use it. ++ (_bfd_final_link_relocate): Likewise. ++ + 2017-04-26 Nick Clifton <nickc@redhat.com> + + PR binutils/21431 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch new file mode 100644 index 0000000000..5b9acc8cfa --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch @@ -0,0 +1,147 @@ +From d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Fri, 28 Apr 2017 10:28:04 +0100 +Subject: [PATCH] Fix heap-buffer overflow bugs caused when dumping debug + information from a corrupt binary. + + PR binutils/21438 + * dwarf.c (process_extended_line_op): Do not assume that the + string extracted from the section is NUL terminated. + (fetch_indirect_string): If the string retrieved from the section + is not NUL terminated, return an error message. + (fetch_indirect_line_string): Likewise. + (fetch_indexed_string): Likewise. + +Upstream-Status: Backport +CVE: CVE-2017-8398 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 10 +++++++++ + binutils/dwarf.c | 66 +++++++++++++++++++++++++++++++++++++++++------------- + 2 files changed, 60 insertions(+), 16 deletions(-) + +Index: git/binutils/dwarf.c +=================================================================== +--- git.orig/binutils/dwarf.c ++++ git/binutils/dwarf.c +@@ -472,15 +472,20 @@ process_extended_line_op (unsigned char + printf (_(" Entry\tDir\tTime\tSize\tName\n")); + printf (" %d\t", ++state_machine_regs.last_file_entry); + +- name = data; +- data += strnlen ((char *) data, end - data) + 1; +- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); +- data += bytes_read; +- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); +- data += bytes_read; +- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); +- data += bytes_read; +- printf ("%s\n\n", name); ++ { ++ size_t l; ++ ++ name = data; ++ l = strnlen ((char *) data, end - data); ++ data += len + 1; ++ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); ++ data += bytes_read; ++ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); ++ data += bytes_read; ++ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); ++ data += bytes_read; ++ printf ("%.*s\n\n", (int) l, name); ++ } + + if (((unsigned int) (data - orig_data) != len) || data == end) + warn (_("DW_LNE_define_file: Bad opcode length\n")); +@@ -597,18 +602,27 @@ static const unsigned char * + fetch_indirect_string (dwarf_vma offset) + { + struct dwarf_section *section = &debug_displays [str].section; ++ const unsigned char * ret; + + if (section->start == NULL) + return (const unsigned char *) _("<no .debug_str section>"); + +- if (offset > section->size) ++ if (offset >= section->size) + { + warn (_("DW_FORM_strp offset too big: %s\n"), + dwarf_vmatoa ("x", offset)); + return (const unsigned char *) _("<offset is too big>"); + } ++ ret = section->start + offset; ++ /* Unfortunately we cannot rely upon the .debug_str section ending with a ++ NUL byte. Since our caller is expecting to receive a well formed C ++ string we test for the lack of a terminating byte here. */ ++ if (strnlen ((const char *) ret, section->size - offset) ++ == section->size - offset) ++ ret = (const unsigned char *) ++ _("<no NUL byte at end of .debug_str section>"); + +- return (const unsigned char *) section->start + offset; ++ return ret; + } + + static const char * +@@ -621,6 +635,7 @@ fetch_indexed_string (dwarf_vma idx, str + struct dwarf_section *str_section = &debug_displays [str_sec_idx].section; + dwarf_vma index_offset = idx * offset_size; + dwarf_vma str_offset; ++ const char * ret; + + if (index_section->start == NULL) + return (dwo ? _("<no .debug_str_offsets.dwo section>") +@@ -628,7 +643,7 @@ fetch_indexed_string (dwarf_vma idx, str + + if (this_set != NULL) + index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS]; +- if (index_offset > index_section->size) ++ if (index_offset >= index_section->size) + { + warn (_("DW_FORM_GNU_str_index offset too big: %s\n"), + dwarf_vmatoa ("x", index_offset)); +@@ -641,14 +656,22 @@ fetch_indexed_string (dwarf_vma idx, str + + str_offset = byte_get (index_section->start + index_offset, offset_size); + str_offset -= str_section->address; +- if (str_offset > str_section->size) ++ if (str_offset >= str_section->size) + { + warn (_("DW_FORM_GNU_str_index indirect offset too big: %s\n"), + dwarf_vmatoa ("x", str_offset)); + return _("<indirect index offset is too big>"); + } + +- return (const char *) str_section->start + str_offset; ++ ret = (const char *) str_section->start + str_offset; ++ /* Unfortunately we cannot rely upon str_section ending with a NUL byte. ++ Since our caller is expecting to receive a well formed C string we test ++ for the lack of a terminating byte here. */ ++ if (strnlen (ret, str_section->size - str_offset) ++ == str_section->size - str_offset) ++ ret = (const char *) _("<no NUL byte at end of section>"); ++ ++ return ret; + } + + static const char * +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,13 @@ ++2017-04-28 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21438 ++ * dwarf.c (process_extended_line_op): Do not assume that the ++ string extracted from the section is NUL terminated. ++ (fetch_indirect_string): If the string retrieved from the section ++ is not NUL terminated, return an error message. ++ (fetch_indirect_line_string): Likewise. ++ (fetch_indexed_string): Likewise. ++ + 2017-02-14 Nick Clifton <nickc@redhat.com> + + PR binutils/21157 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8421.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8421.patch new file mode 100644 index 0000000000..7969c66f30 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8421.patch @@ -0,0 +1,52 @@ +From 39ff1b79f687b65f4144ddb379f22587003443fb Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 2 May 2017 11:54:53 +0100 +Subject: [PATCH] Prevent memory exhaustion from a corrupt PE binary with an + overlarge number of relocs. + + PR 21440 + * objdump.c (dump_relocs_in_section): Check for an excessive + number of relocs before attempting to dump them. + +Upstream-Status: Backport +CVE: CVE-2017-8421 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/objdump.c | 8 ++++++++ + 2 files changed, 14 insertions(+) + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c ++++ git/binutils/objdump.c +@@ -3311,6 +3311,14 @@ dump_relocs_in_section (bfd *abfd, + return; + } + ++ if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 ++ && relsize > get_file_size (bfd_get_filename (abfd))) ++ { ++ printf (" (too many: 0x%x)\n", section->reloc_count); ++ bfd_set_error (bfd_error_file_truncated); ++ bfd_fatal (bfd_get_filename (abfd)); ++ } ++ + relpp = (arelent **) xmalloc (relsize); + relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms); + +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2017-05-02 Nick Clifton <nickc@redhat.com> ++ ++ PR 21440 ++ * objdump.c (dump_relocs_in_section): Check for an excessive ++ number of relocs before attempting to dump them. ++ + 2017-04-28 Nick Clifton <nickc@redhat.com> + + PR binutils/21438 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9038_9044.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9038_9044.patch new file mode 100644 index 0000000000..535efc314f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9038_9044.patch @@ -0,0 +1,51 @@ +From f32ba72991d2406b21ab17edc234a2f3fa7fb23d Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 3 Apr 2017 11:01:45 +0100 +Subject: [PATCH] readelf: Update check for invalid word offsets in ARM unwind + information. + + PR binutils/21343 + * readelf.c (get_unwind_section_word): Fix snafu checking for + invalid word offsets in ARM unwind information. + +Upstream-Status: Backport +CVE: CVE-2017-9038 +CVE: CVE-2017-9044 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/readelf.c | 6 +++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -7972,9 +7972,9 @@ get_unwind_section_word (struct arm_unw_ + return FALSE; + + /* If the offset is invalid then fail. */ +- if (word_offset > (sec->sh_size - 4) +- /* PR 18879 */ +- || (sec->sh_size < 5 && word_offset >= sec->sh_size) ++ if (/* PR 21343 *//* PR 18879 */ ++ sec->sh_size < 4 ++ || word_offset > (sec->sh_size - 4) + || ((bfd_signed_vma) word_offset) < 0) + return FALSE; + +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2017-04-03 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21343 ++ * readelf.c (get_unwind_section_word): Fix snafu checking for ++ invalid word offsets in ARM unwind information. ++ + 2017-05-02 Nick Clifton <nickc@redhat.com> + + PR 21440 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch new file mode 100644 index 0000000000..aed8f7f408 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch @@ -0,0 +1,61 @@ +From 82156ab704b08b124d319c0decdbd48b3ca2dac5 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 3 Apr 2017 12:14:06 +0100 +Subject: [PATCH] readelf: Fix overlarge memory allocation when reading a + binary with an excessive number of program headers. + + PR binutils/21345 + * readelf.c (get_program_headers): Check for there being too many + program headers before attempting to allocate space for them. + +Upstream-Status: Backport +CVE: CVE-2017-9039 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/readelf.c | 17 ++++++++++++++--- + 2 files changed, 20 insertions(+), 3 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -4765,9 +4765,19 @@ get_program_headers (FILE * file) + if (program_headers != NULL) + return 1; + +- phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, +- sizeof (Elf_Internal_Phdr)); ++ /* Be kind to memory checkers by looking for ++ e_phnum values which we know must be invalid. */ ++ if (elf_header.e_phnum ++ * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr)) ++ >= current_file_size) ++ { ++ error (_("Too many program headers - %#x - the file is not that big\n"), ++ elf_header.e_phnum); ++ return FALSE; ++ } + ++ phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, ++ sizeof (Elf_Internal_Phdr)); + if (phdrs == NULL) + { + error (_("Out of memory reading %u program headers\n"), +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,5 +1,11 @@ + 2017-04-03 Nick Clifton <nickc@redhat.com> + ++ PR binutils/21345 ++ * readelf.c (get_program_headers): Check for there being too many ++ program headers before attempting to allocate space for them. ++ ++2017-04-03 Nick Clifton <nickc@redhat.com> ++ + PR binutils/21343 + * readelf.c (get_unwind_section_word): Fix snafu checking for + invalid word offsets in ARM unwind information. diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_9042.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_9042.patch new file mode 100644 index 0000000000..79c6a7d8ab --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_9042.patch @@ -0,0 +1,57 @@ +From 7296a62a2a237f6b1ad8db8c38b090e9f592c8cf Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 13 Apr 2017 16:06:30 +0100 +Subject: [PATCH] readelf: fix out of range subtraction, seg fault from a NULL + pointer and memory exhaustion, all from parsing corrupt binaries. + + PR binutils/21379 + * readelf.c (process_dynamic_section): Detect over large section + offsets in the DT_SYMTAB entry. + + PR binutils/21345 + * readelf.c (process_mips_specific): Catch an unfeasible memory + allocation before it happens and print a suitable error message. + +Upstream-Status: Backport +CVE: CVE-2017-9040 +CVE: CVE-2017-9042 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 12 ++++++++++++ + binutils/readelf.c | 26 +++++++++++++++++++++----- + 2 files changed, 33 insertions(+), 5 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -9306,6 +9306,12 @@ process_dynamic_section (FILE * file) + processing that. This is overkill, I know, but it + should work. */ + section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0); ++ if ((bfd_size_type) section.sh_offset > current_file_size) ++ { ++ /* See PR 21379 for a reproducer. */ ++ error (_("Invalid DT_SYMTAB entry: %lx"), (long) section.sh_offset); ++ return FALSE; ++ } + + if (archive_file_offset != 0) + section.sh_size = archive_file_size - section.sh_offset; +@@ -15175,6 +15181,15 @@ process_mips_specific (FILE * file) + return 0; + } + ++ /* PR 21345 - print a slightly more helpful error message ++ if we are sure that the cmalloc will fail. */ ++ if (conflictsno * sizeof (* iconf) > current_file_size) ++ { ++ error (_("Overlarge number of conflicts detected: %lx\n"), ++ (long) conflictsno); ++ return FALSE; ++ } ++ + iconf = (Elf32_Conflict *) cmalloc (conflictsno, sizeof (* iconf)); + if (iconf == NULL) + { diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9742.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9742.patch new file mode 100644 index 0000000000..0c9ed0d2af --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9742.patch @@ -0,0 +1,45 @@ +From e64519d1ed7fd8f990f05a5562d5b5c0c44b7d7e Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 14 Jun 2017 17:10:28 +0100 +Subject: [PATCH] Fix seg-fault when trying to disassemble a corrupt score + binary. + + PR binutils/21576 + * score7-dis.c (score_opcodes): Add sentinel. + +Upstream-Status: Backport +CVE: CVE-2017-9742 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + opcodes/ChangeLog | 5 +++++ + opcodes/score7-dis.c | 3 ++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +Index: git/opcodes/score7-dis.c +=================================================================== +--- git.orig/opcodes/score7-dis.c ++++ git/opcodes/score7-dis.c +@@ -513,7 +513,8 @@ static struct score_opcode score_opcodes + {0x00000d05, 0x00007f0f, "tvc!"}, + {0x00000026, 0x3e0003ff, "xor\t\t%20-24r, %15-19r, %10-14r"}, + {0x00000027, 0x3e0003ff, "xor.c\t\t%20-24r, %15-19r, %10-14r"}, +- {0x00002007, 0x0000700f, "xor!\t\t%8-11r, %4-7r"} ++ {0x00002007, 0x0000700f, "xor!\t\t%8-11r, %4-7r"}, ++ { 0, 0, NULL } + }; + + typedef struct +Index: git/opcodes/ChangeLog +=================================================================== +--- git.orig/opcodes/ChangeLog ++++ git/opcodes/ChangeLog +@@ -1,3 +1,8 @@ ++2017-06-14 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21576 ++ * score7-dis.c (score_opcodes): Add sentinel. ++ + 2017-03-07 Alan Modra <amodra@gmail.com> + + Apply from master diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9744.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9744.patch new file mode 100644 index 0000000000..c34a5a6ec9 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9744.patch @@ -0,0 +1,46 @@ +From f461bbd847f15657f3dd2f317c30c75a7520da1f Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 14 Jun 2017 17:01:54 +0100 +Subject: [PATCH] Fix address violation bug when disassembling a corrupt SH + binary. + + PR binutils/21578 + * elf32-sh.c (sh_elf_set_mach_from_flags): Fix check for invalid + flag value. + +Upstream-Status: Backport +CVE: CVE-2017-9744 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/elf32-sh.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +Index: git/bfd/elf32-sh.c +=================================================================== +--- git.orig/bfd/elf32-sh.c ++++ git/bfd/elf32-sh.c +@@ -6344,7 +6344,7 @@ sh_elf_set_mach_from_flags (bfd *abfd) + { + flagword flags = elf_elfheader (abfd)->e_flags & EF_SH_MACH_MASK; + +- if (flags >= sizeof(sh_ef_bfd_table)) ++ if (flags >= ARRAY_SIZE (sh_ef_bfd_table)) + return FALSE; + + if (sh_ef_bfd_table[flags] == 0) +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-06-14 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21578 ++ * elf32-sh.c (sh_elf_set_mach_from_flags): Fix check for invalid ++ flag value. ++ + 2017-04-29 Alan Modra <amodra@gmail.com> + + PR 21432 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch new file mode 100644 index 0000000000..0b3885b947 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch @@ -0,0 +1,35 @@ +From 76800cba595efc3fe95a446c2d664e42ae4ee869 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 15 Jun 2017 12:08:57 +0100 +Subject: [PATCH] Handle EITR records in VMS Alpha binaries with overlarge + command length parameters. + + PR binutils/21579 + * vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length. + +Upstream-Status: Backport +CVE: CVE-2017-9745 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 5 +++++ + bfd/vms-alpha.c | 16 ++++++++-------- + 2 files changed, 13 insertions(+), 8 deletions(-) + +Index: git/bfd/vms-alpha.c +=================================================================== +--- git.orig/bfd/vms-alpha.c ++++ git/bfd/vms-alpha.c +@@ -1741,6 +1741,12 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + _bfd_hexdump (8, ptr, cmd_length - 4, 0); + #endif + ++#if VMS_DEBUG ++ _bfd_vms_debug (4, "etir: %s(%d)\n", ++ _bfd_vms_etir_name (cmd), cmd); ++ _bfd_hexdump (8, ptr, cmd_length - 4, 0); ++#endif ++ + switch (cmd) + { + /* Stack global diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch new file mode 100644 index 0000000000..bd4a40c35e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch @@ -0,0 +1,91 @@ +From ae87f7e73eba29bd38b3a9684a10b948ed715612 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 14 Jun 2017 16:50:03 +0100 +Subject: [PATCH] Fix address violation when disassembling a corrupt binary. + + PR binutils/21580 +binutils * objdump.c (disassemble_bytes): Check for buffer overrun when + printing out rae insns. + +ld * testsuite/ld-nds32/diff.d: Adjust expected output. + +Upstream-Status: Backport +CVE: CVE-2017-9746 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/objdump.c | 27 +++++++++++++++------------ + ld/ChangeLog | 5 +++++ + ld/testsuite/ld-nds32/diff.d | 6 +++--- + 3 files changed, 23 insertions(+), 15 deletions(-) + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c ++++ git/binutils/objdump.c +@@ -1855,20 +1855,23 @@ disassemble_bytes (struct disassemble_in + + for (j = addr_offset * opb; j < addr_offset * opb + pb; j += bpc) + { +- int k; +- +- if (bpc > 1 && inf->display_endian == BFD_ENDIAN_LITTLE) +- { +- for (k = bpc - 1; k >= 0; k--) +- printf ("%02x", (unsigned) data[j + k]); +- putchar (' '); +- } +- else ++ /* PR 21580: Check for a buffer ending early. */ ++ if (j + bpc <= stop_offset * opb) + { +- for (k = 0; k < bpc; k++) +- printf ("%02x", (unsigned) data[j + k]); +- putchar (' '); ++ int k; ++ ++ if (inf->display_endian == BFD_ENDIAN_LITTLE) ++ { ++ for (k = bpc - 1; k >= 0; k--) ++ printf ("%02x", (unsigned) data[j + k]); ++ } ++ else ++ { ++ for (k = 0; k < bpc; k++) ++ printf ("%02x", (unsigned) data[j + k]); ++ } + } ++ putchar (' '); + } + + for (; pb < octets_per_line; pb += bpc) +Index: git/ld/testsuite/ld-nds32/diff.d +=================================================================== +--- git.orig/ld/testsuite/ld-nds32/diff.d ++++ git/ld/testsuite/ld-nds32/diff.d +@@ -7,9 +7,9 @@ + + Disassembly of section .data: + 00008000 <WORD> (7e 00 00 00|00 00 00 7e).* +-00008004 <HALF> (7e 00 7e fe|00 7e 7e fe).* +-00008006 <BYTE> 7e fe 00 fe.* +-00008007 <ULEB128> fe 00.* ++00008004 <HALF> (7e 00|00 7e).* ++00008006 <BYTE> 7e.* ++00008007 <ULEB128> fe.* + ... + 00008009 <ULEB128_2> fe 00.* + .* +Index: git/ld/ChangeLog +=================================================================== +--- git.orig/ld/ChangeLog ++++ git/ld/ChangeLog +@@ -1,3 +1,8 @@ ++2017-06-14 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21580 ++ * testsuite/ld-nds32/diff.d: Adjust expected output. ++ + 2017-03-07 Alan Modra <amodra@gmail.com> + + * ldlang.c (open_input_bfds): Check that lang_assignment_statement diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9747.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9747.patch new file mode 100644 index 0000000000..41ead54a98 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9747.patch @@ -0,0 +1,43 @@ +From 62b76e4b6e0b4cb5b3e0053d1de4097b32577049 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 15 Jun 2017 13:08:47 +0100 +Subject: [PATCH] Fix address violation parsing a corrupt ieee binary. + + PR binutils/21581 + (ieee_archive_p): Use a static buffer to avoid compiler bugs. + +Upstream-Status: Backport +CVE: CVE-2017-9747 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 2 ++ + bfd/ieee.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +Index: git/bfd/ieee.c +=================================================================== +--- git.orig/bfd/ieee.c ++++ git/bfd/ieee.c +@@ -1357,7 +1357,7 @@ ieee_archive_p (bfd *abfd) + { + char *library; + unsigned int i; +- unsigned char buffer[512]; ++ static unsigned char buffer[512]; + file_ptr buffer_offset = 0; + ieee_ar_data_type *save = abfd->tdata.ieee_ar_data; + ieee_ar_data_type *ieee; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,8 @@ ++2017-06-15 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21581 ++ (ieee_archive_p): Likewise. ++ + 2017-06-14 Nick Clifton <nickc@redhat.com> + + PR binutils/21578 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9748.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9748.patch new file mode 100644 index 0000000000..02070235a8 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9748.patch @@ -0,0 +1,46 @@ +From 63634bb4a107877dd08b6282e28e11cfd1a1649e Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 15 Jun 2017 12:44:23 +0100 +Subject: [PATCH] Avoid a possible compiler bug by using a static buffer + instead of a stack local buffer. + + PR binutils/21582 + * ieee.c (ieee_object_p): Use a static buffer to avoid compiler + bugs. + +Upstream-Status: Backport +CVE: CVE-2017-9748 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/ieee.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +Index: git/bfd/ieee.c +=================================================================== +--- git.orig/bfd/ieee.c ++++ git/bfd/ieee.c +@@ -1875,7 +1875,7 @@ ieee_object_p (bfd *abfd) + char *processor; + unsigned int part; + ieee_data_type *ieee; +- unsigned char buffer[300]; ++ static unsigned char buffer[300]; + ieee_data_type *save = IEEE_DATA (abfd); + bfd_size_type amt; + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,5 +1,9 @@ + 2017-06-15 Nick Clifton <nickc@redhat.com> + ++ PR binutils/21582 ++ * ieee.c (ieee_object_p): Use a static buffer to avoid compiler ++ bugs. ++ + PR binutils/21581 + (ieee_archive_p): Likewise. + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9749.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9749.patch new file mode 100644 index 0000000000..3cc2afc918 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9749.patch @@ -0,0 +1,77 @@ +From 08c7881b814c546efc3996fd1decdf0877f7a779 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 15 Jun 2017 11:52:02 +0100 +Subject: [PATCH] Prevent invalid array accesses when disassembling a corrupt + bfin binary. + + PR binutils/21586 + * bfin-dis.c (gregs): Clip index to prevent overflow. + (regs): Likewise. + (regs_lo): Likewise. + (regs_hi): Likewise. + +Upstream-Status: Backport +CVE: CVE-2017-9749 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + opcodes/ChangeLog | 8 ++++++++ + opcodes/bfin-dis.c | 8 ++++---- + 2 files changed, 12 insertions(+), 4 deletions(-) + +Index: git/opcodes/ChangeLog +=================================================================== +--- git.orig/opcodes/ChangeLog ++++ git/opcodes/ChangeLog +@@ -1,3 +1,11 @@ ++2017-06-15 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21586 ++ * bfin-dis.c (gregs): Clip index to prevent overflow. ++ (regs): Likewise. ++ (regs_lo): Likewise. ++ (regs_hi): Likewise. ++ + 2017-06-14 Nick Clifton <nickc@redhat.com> + + PR binutils/21576 +Index: git/opcodes/bfin-dis.c +=================================================================== +--- git.orig/opcodes/bfin-dis.c ++++ git/opcodes/bfin-dis.c +@@ -350,7 +350,7 @@ static const enum machine_registers deco + REG_P0, REG_P1, REG_P2, REG_P3, REG_P4, REG_P5, REG_SP, REG_FP, + }; + +-#define gregs(x, i) REGNAME (decode_gregs[((i) << 3) | (x)]) ++#define gregs(x, i) REGNAME (decode_gregs[(((i) << 3) | (x)) & 15]) + + /* [dregs pregs (iregs mregs) (bregs lregs)]. */ + static const enum machine_registers decode_regs[] = +@@ -361,7 +361,7 @@ static const enum machine_registers deco + REG_B0, REG_B1, REG_B2, REG_B3, REG_L0, REG_L1, REG_L2, REG_L3, + }; + +-#define regs(x, i) REGNAME (decode_regs[((i) << 3) | (x)]) ++#define regs(x, i) REGNAME (decode_regs[(((i) << 3) | (x)) & 31]) + + /* [dregs pregs (iregs mregs) (bregs lregs) Low Half]. */ + static const enum machine_registers decode_regs_lo[] = +@@ -372,7 +372,7 @@ static const enum machine_registers deco + REG_BL0, REG_BL1, REG_BL2, REG_BL3, REG_LL0, REG_LL1, REG_LL2, REG_LL3, + }; + +-#define regs_lo(x, i) REGNAME (decode_regs_lo[((i) << 3) | (x)]) ++#define regs_lo(x, i) REGNAME (decode_regs_lo[(((i) << 3) | (x)) & 31]) + + /* [dregs pregs (iregs mregs) (bregs lregs) High Half]. */ + static const enum machine_registers decode_regs_hi[] = +@@ -383,7 +383,7 @@ static const enum machine_registers deco + REG_BH0, REG_BH1, REG_BH2, REG_BH3, REG_LH0, REG_LH1, REG_LH2, REG_LH3, + }; + +-#define regs_hi(x, i) REGNAME (decode_regs_hi[((i) << 3) | (x)]) ++#define regs_hi(x, i) REGNAME (decode_regs_hi[(((i) << 3) | (x)) & 31]) + + static const enum machine_registers decode_statbits[] = + { diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch new file mode 100644 index 0000000000..fe8fa69344 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch @@ -0,0 +1,247 @@ +From db5fa770268baf8cc82cf9b141d69799fd485fe2 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 14 Jun 2017 13:35:06 +0100 +Subject: [PATCH] Fix address violation problems when disassembling a corrupt + RX binary. + + PR binutils/21587 + * rx-decode.opc: Include libiberty.h + (GET_SCALE): New macro - validates access to SCALE array. + (GET_PSCALE): New macro - validates access to PSCALE array. + (DIs, SIs, S2Is, rx_disp): Use new macros. + * rx-decode.c: Regenerate. + +Upstream-Status: Backport +CVE: CVE-2017-9750 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + opcodes/ChangeLog | 9 +++++++++ + opcodes/rx-decode.c | 24 ++++++++++++++---------- + opcodes/rx-decode.opc | 24 ++++++++++++++---------- + 3 files changed, 37 insertions(+), 20 deletions(-) + +Index: git/opcodes/rx-decode.c +=================================================================== +--- git.orig/opcodes/rx-decode.c ++++ git/opcodes/rx-decode.c +@@ -27,6 +27,7 @@ + #include <string.h> + #include "ansidecl.h" + #include "opcode/rx.h" ++#include "libiberty.h" + + #define RX_OPCODE_BIG_ENDIAN 0 + +@@ -45,7 +46,7 @@ static int trace = 0; + #define LSIZE 2 + + /* These are for when the upper bits are "don't care" or "undefined". */ +-static int bwl[] = ++static int bwl[4] = + { + RX_Byte, + RX_Word, +@@ -53,7 +54,7 @@ static int bwl[] = + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int sbwl[] = ++static int sbwl[4] = + { + RX_SByte, + RX_SWord, +@@ -61,7 +62,7 @@ static int sbwl[] = + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int ubw[] = ++static int ubw[4] = + { + RX_UByte, + RX_UWord, +@@ -69,7 +70,7 @@ static int ubw[] = + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int memex[] = ++static int memex[4] = + { + RX_SByte, + RX_SWord, +@@ -89,6 +90,9 @@ static int SCALE[] = { 1, 2, 4, 0 }; + /* This is for the prefix size enum. */ + static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 }; + ++#define GET_SCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0) ++#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0) ++ + static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0, + 16, 17, 0, 0, 0, 0, 0, 0 }; + +@@ -107,7 +111,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, + #define DC(c) OP (0, RX_Operand_Immediate, 0, c) + #define DR(r) OP (0, RX_Operand_Register, r, 0) + #define DI(r,a) OP (0, RX_Operand_Indirect, r, a) +-#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define DD(t,r,s) rx_disp (0, t, r, bwl[s], ld); + #define DF(r) OP (0, RX_Operand_Flag, flagmap[r], 0) + +@@ -115,7 +119,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, + #define SR(r) OP (1, RX_Operand_Register, r, 0) + #define SRR(r) OP (1, RX_Operand_TwoReg, r, 0) + #define SI(r,a) OP (1, RX_Operand_Indirect, r, a) +-#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define SD(t,r,s) rx_disp (1, t, r, bwl[s], ld); + #define SP(t,r) rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1); + #define SPm(t,r,m) rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m]; +@@ -124,7 +128,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, + #define S2C(i) OP (2, RX_Operand_Immediate, 0, i) + #define S2R(r) OP (2, RX_Operand_Register, r, 0) + #define S2I(r,a) OP (2, RX_Operand_Indirect, r, a) +-#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define S2D(t,r,s) rx_disp (2, t, r, bwl[s], ld); + #define S2P(t,r) rx_disp (2, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 2); + #define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m]; +@@ -211,7 +215,7 @@ immediate (int sfield, int ex, LocalData + } + + static void +-rx_disp (int n, int type, int reg, int size, LocalData * ld) ++rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld) + { + int disp; + +@@ -228,7 +232,7 @@ rx_disp (int n, int type, int reg, int s + case 1: + ld->rx->op[n].type = RX_Operand_Indirect; + disp = GETBYTE (); +- ld->rx->op[n].addend = disp * PSCALE[size]; ++ ld->rx->op[n].addend = disp * GET_PSCALE (size); + break; + case 2: + ld->rx->op[n].type = RX_Operand_Indirect; +@@ -238,7 +242,7 @@ rx_disp (int n, int type, int reg, int s + #else + disp = disp + GETBYTE () * 256; + #endif +- ld->rx->op[n].addend = disp * PSCALE[size]; ++ ld->rx->op[n].addend = disp * GET_PSCALE (size); + break; + default: + abort (); +Index: git/opcodes/rx-decode.opc +=================================================================== +--- git.orig/opcodes/rx-decode.opc ++++ git/opcodes/rx-decode.opc +@@ -26,6 +26,7 @@ + #include <string.h> + #include "ansidecl.h" + #include "opcode/rx.h" ++#include "libiberty.h" + + #define RX_OPCODE_BIG_ENDIAN 0 + +@@ -44,7 +45,7 @@ static int trace = 0; + #define LSIZE 2 + + /* These are for when the upper bits are "don't care" or "undefined". */ +-static int bwl[] = ++static int bwl[4] = + { + RX_Byte, + RX_Word, +@@ -52,7 +53,7 @@ static int bwl[] = + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int sbwl[] = ++static int sbwl[4] = + { + RX_SByte, + RX_SWord, +@@ -60,7 +61,7 @@ static int sbwl[] = + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int ubw[] = ++static int ubw[4] = + { + RX_UByte, + RX_UWord, +@@ -68,7 +69,7 @@ static int ubw[] = + RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ + }; + +-static int memex[] = ++static int memex[4] = + { + RX_SByte, + RX_SWord, +@@ -88,6 +89,9 @@ static int SCALE[] = { 1, 2, 4, 0 }; + /* This is for the prefix size enum. */ + static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 }; + ++#define GET_SCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0) ++#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0) ++ + static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0, + 16, 17, 0, 0, 0, 0, 0, 0 }; + +@@ -106,7 +110,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, + #define DC(c) OP (0, RX_Operand_Immediate, 0, c) + #define DR(r) OP (0, RX_Operand_Register, r, 0) + #define DI(r,a) OP (0, RX_Operand_Indirect, r, a) +-#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define DD(t,r,s) rx_disp (0, t, r, bwl[s], ld); + #define DF(r) OP (0, RX_Operand_Flag, flagmap[r], 0) + +@@ -114,7 +118,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, + #define SR(r) OP (1, RX_Operand_Register, r, 0) + #define SRR(r) OP (1, RX_Operand_TwoReg, r, 0) + #define SI(r,a) OP (1, RX_Operand_Indirect, r, a) +-#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define SD(t,r,s) rx_disp (1, t, r, bwl[s], ld); + #define SP(t,r) rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1); + #define SPm(t,r,m) rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m]; +@@ -123,7 +127,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, + #define S2C(i) OP (2, RX_Operand_Immediate, 0, i) + #define S2R(r) OP (2, RX_Operand_Register, r, 0) + #define S2I(r,a) OP (2, RX_Operand_Indirect, r, a) +-#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * SCALE[s]) ++#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) + #define S2D(t,r,s) rx_disp (2, t, r, bwl[s], ld); + #define S2P(t,r) rx_disp (2, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 2); + #define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m]; +@@ -210,7 +214,7 @@ immediate (int sfield, int ex, LocalData + } + + static void +-rx_disp (int n, int type, int reg, int size, LocalData * ld) ++rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld) + { + int disp; + +@@ -227,7 +231,7 @@ rx_disp (int n, int type, int reg, int s + case 1: + ld->rx->op[n].type = RX_Operand_Indirect; + disp = GETBYTE (); +- ld->rx->op[n].addend = disp * PSCALE[size]; ++ ld->rx->op[n].addend = disp * GET_PSCALE (size); + break; + case 2: + ld->rx->op[n].type = RX_Operand_Indirect; +@@ -237,7 +241,7 @@ rx_disp (int n, int type, int reg, int s + #else + disp = disp + GETBYTE () * 256; + #endif +- ld->rx->op[n].addend = disp * PSCALE[size]; ++ ld->rx->op[n].addend = disp * GET_PSCALE (size); + break; + default: + abort (); diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9751.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9751.patch new file mode 100644 index 0000000000..d7c18cf85a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9751.patch @@ -0,0 +1,3748 @@ +From 63323b5b23bd83fa7b04ea00dff593c933e9b0e3 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 15 Jun 2017 12:37:01 +0100 +Subject: [PATCH] Fix address violation when disassembling a corrupt RL78 + binary. + + PR binutils/21588 + * rl78-decode.opc (OP_BUF_LEN): Define. + (GETBYTE): Check for the index exceeding OP_BUF_LEN. + (rl78_decode_opcode): Use OP_BUF_LEN as the length of the op_buf + array. + * rl78-decode.c: Regenerate. + +Upstream-Status: Backport +CVE: CVE-2017-9751 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + opcodes/ChangeLog | 9 + + opcodes/rl78-decode.c | 820 ++++++++++++++++++++++++------------------------ + opcodes/rl78-decode.opc | 6 +- + 3 files changed, 424 insertions(+), 411 deletions(-) + +diff --git a/opcodes/ChangeLog b/opcodes/ChangeLog +index 34b1844..c77f00a 100644 +--- a/opcodes/ChangeLog ++++ b/opcodes/ChangeLog +@@ -1,5 +1,14 @@ + 2017-06-15 Nick Clifton <nickc@redhat.com> + ++ PR binutils/21588 ++ * rl78-decode.opc (OP_BUF_LEN): Define. ++ (GETBYTE): Check for the index exceeding OP_BUF_LEN. ++ (rl78_decode_opcode): Use OP_BUF_LEN as the length of the op_buf ++ array. ++ * rl78-decode.c: Regenerate. ++ ++2017-06-15 Nick Clifton <nickc@redhat.com> ++ + PR binutils/21586 + * bfin-dis.c (gregs): Clip index to prevent overflow. + (regs): Likewise. +diff --git a/opcodes/rl78-decode.c b/opcodes/rl78-decode.c +index d0566ea..b2d4bd6 100644 +--- a/opcodes/rl78-decode.c ++++ b/opcodes/rl78-decode.c +@@ -51,7 +51,9 @@ typedef struct + #define W() rl78->size = RL78_Word + + #define AU ATTRIBUTE_UNUSED +-#define GETBYTE() (ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr)) ++ ++#define OP_BUF_LEN 20 ++#define GETBYTE() (ld->rl78->n_bytes < (OP_BUF_LEN - 1) ? ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr): 0) + #define B ((unsigned long) GETBYTE()) + + #define SYNTAX(x) rl78->syntax = x +@@ -169,7 +171,7 @@ rl78_decode_opcode (unsigned long pc AU, + RL78_Dis_Isa isa) + { + LocalData lds, * ld = &lds; +- unsigned char op_buf[20] = {0}; ++ unsigned char op_buf[OP_BUF_LEN] = {0}; + unsigned char *op = op_buf; + int op0, op1; + +@@ -201,7 +203,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("nop"); +-#line 911 "rl78-decode.opc" ++#line 913 "rl78-decode.opc" + ID(nop); + + /*----------------------------------------------------------------------*/ +@@ -214,7 +216,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x07: + { + /** 0000 0rw1 addw %0, %1 */ +-#line 274 "rl78-decode.opc" ++#line 276 "rl78-decode.opc" + int rw AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -224,7 +226,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rw = 0x%x\n", rw); + } + SYNTAX("addw %0, %1"); +-#line 274 "rl78-decode.opc" ++#line 276 "rl78-decode.opc" + ID(add); W(); DR(AX); SRW(rw); Fzac; + + } +@@ -239,7 +241,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("addw %0, %e!1"); +-#line 265 "rl78-decode.opc" ++#line 267 "rl78-decode.opc" + ID(add); W(); DR(AX); SM(None, IMMU(2)); Fzac; + + } +@@ -254,7 +256,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("addw %0, #%1"); +-#line 271 "rl78-decode.opc" ++#line 273 "rl78-decode.opc" + ID(add); W(); DR(AX); SC(IMMU(2)); Fzac; + + } +@@ -269,7 +271,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("addw %0, %1"); +-#line 277 "rl78-decode.opc" ++#line 279 "rl78-decode.opc" + ID(add); W(); DR(AX); SM(None, SADDR); Fzac; + + } +@@ -284,7 +286,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("xch a, x"); +-#line 1234 "rl78-decode.opc" ++#line 1236 "rl78-decode.opc" + ID(xch); DR(A); SR(X); + + /*----------------------------------------------------------------------*/ +@@ -301,7 +303,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %e1"); +-#line 678 "rl78-decode.opc" ++#line 680 "rl78-decode.opc" + ID(mov); DR(A); SM(B, IMMU(2)); + + } +@@ -316,7 +318,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("add %0, #%1"); +-#line 228 "rl78-decode.opc" ++#line 230 "rl78-decode.opc" + ID(add); DM(None, SADDR); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -333,7 +335,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("add %0, %1"); +-#line 222 "rl78-decode.opc" ++#line 224 "rl78-decode.opc" + ID(add); DR(A); SM(None, SADDR); Fzac; + + } +@@ -348,7 +350,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("add %0, #%1"); +-#line 216 "rl78-decode.opc" ++#line 218 "rl78-decode.opc" + ID(add); DR(A); SC(IMMU(1)); Fzac; + + } +@@ -363,7 +365,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("add %0, %e1"); +-#line 204 "rl78-decode.opc" ++#line 206 "rl78-decode.opc" + ID(add); DR(A); SM(HL, 0); Fzac; + + } +@@ -378,7 +380,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("add %0, %ea1"); +-#line 210 "rl78-decode.opc" ++#line 212 "rl78-decode.opc" + ID(add); DR(A); SM(HL, IMMU(1)); Fzac; + + } +@@ -393,7 +395,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("add %0, %e!1"); +-#line 201 "rl78-decode.opc" ++#line 203 "rl78-decode.opc" + ID(add); DR(A); SM(None, IMMU(2)); Fzac; + + } +@@ -408,7 +410,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("addw %0, #%1"); +-#line 280 "rl78-decode.opc" ++#line 282 "rl78-decode.opc" + ID(add); W(); DR(SP); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -425,7 +427,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("es:"); +-#line 193 "rl78-decode.opc" ++#line 195 "rl78-decode.opc" + DE(); SE(); + op ++; + pc ++; +@@ -440,7 +442,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x16: + { + /** 0001 0ra0 movw %0, %1 */ +-#line 859 "rl78-decode.opc" ++#line 861 "rl78-decode.opc" + int ra AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -450,7 +452,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" ra = 0x%x\n", ra); + } + SYNTAX("movw %0, %1"); +-#line 859 "rl78-decode.opc" ++#line 861 "rl78-decode.opc" + ID(mov); W(); DRW(ra); SR(AX); + + } +@@ -460,7 +462,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x17: + { + /** 0001 0ra1 movw %0, %1 */ +-#line 856 "rl78-decode.opc" ++#line 858 "rl78-decode.opc" + int ra AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -470,7 +472,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" ra = 0x%x\n", ra); + } + SYNTAX("movw %0, %1"); +-#line 856 "rl78-decode.opc" ++#line 858 "rl78-decode.opc" + ID(mov); W(); DR(AX); SRW(ra); + + } +@@ -485,7 +487,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %e0, %1"); +-#line 729 "rl78-decode.opc" ++#line 731 "rl78-decode.opc" + ID(mov); DM(B, IMMU(2)); SR(A); + + } +@@ -500,7 +502,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %e0, #%1"); +-#line 726 "rl78-decode.opc" ++#line 728 "rl78-decode.opc" + ID(mov); DM(B, IMMU(2)); SC(IMMU(1)); + + } +@@ -515,7 +517,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("addc %0, #%1"); +-#line 260 "rl78-decode.opc" ++#line 262 "rl78-decode.opc" + ID(addc); DM(None, SADDR); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -532,7 +534,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("addc %0, %1"); +-#line 257 "rl78-decode.opc" ++#line 259 "rl78-decode.opc" + ID(addc); DR(A); SM(None, SADDR); Fzac; + + } +@@ -547,7 +549,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("addc %0, #%1"); +-#line 248 "rl78-decode.opc" ++#line 250 "rl78-decode.opc" + ID(addc); DR(A); SC(IMMU(1)); Fzac; + + } +@@ -562,7 +564,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("addc %0, %e1"); +-#line 236 "rl78-decode.opc" ++#line 238 "rl78-decode.opc" + ID(addc); DR(A); SM(HL, 0); Fzac; + + } +@@ -577,7 +579,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("addc %0, %ea1"); +-#line 245 "rl78-decode.opc" ++#line 247 "rl78-decode.opc" + ID(addc); DR(A); SM(HL, IMMU(1)); Fzac; + + } +@@ -592,7 +594,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("addc %0, %e!1"); +-#line 233 "rl78-decode.opc" ++#line 235 "rl78-decode.opc" + ID(addc); DR(A); SM(None, IMMU(2)); Fzac; + + } +@@ -607,7 +609,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("subw %0, #%1"); +-#line 1198 "rl78-decode.opc" ++#line 1200 "rl78-decode.opc" + ID(sub); W(); DR(SP); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -620,7 +622,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x27: + { + /** 0010 0rw1 subw %0, %1 */ +-#line 1192 "rl78-decode.opc" ++#line 1194 "rl78-decode.opc" + int rw AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -630,7 +632,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rw = 0x%x\n", rw); + } + SYNTAX("subw %0, %1"); +-#line 1192 "rl78-decode.opc" ++#line 1194 "rl78-decode.opc" + ID(sub); W(); DR(AX); SRW(rw); Fzac; + + } +@@ -645,7 +647,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("subw %0, %e!1"); +-#line 1183 "rl78-decode.opc" ++#line 1185 "rl78-decode.opc" + ID(sub); W(); DR(AX); SM(None, IMMU(2)); Fzac; + + } +@@ -660,7 +662,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("subw %0, #%1"); +-#line 1189 "rl78-decode.opc" ++#line 1191 "rl78-decode.opc" + ID(sub); W(); DR(AX); SC(IMMU(2)); Fzac; + + } +@@ -675,7 +677,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("subw %0, %1"); +-#line 1195 "rl78-decode.opc" ++#line 1197 "rl78-decode.opc" + ID(sub); W(); DR(AX); SM(None, SADDR); Fzac; + + } +@@ -690,7 +692,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %e0, %1"); +-#line 741 "rl78-decode.opc" ++#line 743 "rl78-decode.opc" + ID(mov); DM(C, IMMU(2)); SR(A); + + } +@@ -705,7 +707,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %e1"); +-#line 684 "rl78-decode.opc" ++#line 686 "rl78-decode.opc" + ID(mov); DR(A); SM(C, IMMU(2)); + + } +@@ -720,7 +722,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("sub %0, #%1"); +-#line 1146 "rl78-decode.opc" ++#line 1148 "rl78-decode.opc" + ID(sub); DM(None, SADDR); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -737,7 +739,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("sub %0, %1"); +-#line 1140 "rl78-decode.opc" ++#line 1142 "rl78-decode.opc" + ID(sub); DR(A); SM(None, SADDR); Fzac; + + } +@@ -752,7 +754,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("sub %0, #%1"); +-#line 1134 "rl78-decode.opc" ++#line 1136 "rl78-decode.opc" + ID(sub); DR(A); SC(IMMU(1)); Fzac; + + } +@@ -767,7 +769,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("sub %0, %e1"); +-#line 1122 "rl78-decode.opc" ++#line 1124 "rl78-decode.opc" + ID(sub); DR(A); SM(HL, 0); Fzac; + + } +@@ -782,7 +784,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("sub %0, %ea1"); +-#line 1128 "rl78-decode.opc" ++#line 1130 "rl78-decode.opc" + ID(sub); DR(A); SM(HL, IMMU(1)); Fzac; + + } +@@ -797,7 +799,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("sub %0, %e!1"); +-#line 1119 "rl78-decode.opc" ++#line 1121 "rl78-decode.opc" + ID(sub); DR(A); SM(None, IMMU(2)); Fzac; + + } +@@ -808,7 +810,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x36: + { + /** 0011 0rg0 movw %0, #%1 */ +-#line 853 "rl78-decode.opc" ++#line 855 "rl78-decode.opc" + int rg AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -818,7 +820,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rg = 0x%x\n", rg); + } + SYNTAX("movw %0, #%1"); +-#line 853 "rl78-decode.opc" ++#line 855 "rl78-decode.opc" + ID(mov); W(); DRW(rg); SC(IMMU(2)); + + } +@@ -830,7 +832,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x00: + { + /** 0011 0001 0bit 0000 btclr %s1, $%a0 */ +-#line 416 "rl78-decode.opc" ++#line 418 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -840,7 +842,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("btclr %s1, $%a0"); +-#line 416 "rl78-decode.opc" ++#line 418 "rl78-decode.opc" + ID(branch_cond_clear); SM(None, SADDR); SB(bit); DC(pc+IMMS(1)+4); COND(T); + + /*----------------------------------------------------------------------*/ +@@ -850,7 +852,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x01: + { + /** 0011 0001 0bit 0001 btclr %1, $%a0 */ +-#line 410 "rl78-decode.opc" ++#line 412 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -860,7 +862,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("btclr %1, $%a0"); +-#line 410 "rl78-decode.opc" ++#line 412 "rl78-decode.opc" + ID(branch_cond_clear); DC(pc+IMMS(1)+3); SR(A); SB(bit); COND(T); + + } +@@ -868,7 +870,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x02: + { + /** 0011 0001 0bit 0010 bt %s1, $%a0 */ +-#line 402 "rl78-decode.opc" ++#line 404 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -878,7 +880,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bt %s1, $%a0"); +-#line 402 "rl78-decode.opc" ++#line 404 "rl78-decode.opc" + ID(branch_cond); SM(None, SADDR); SB(bit); DC(pc+IMMS(1)+4); COND(T); + + /*----------------------------------------------------------------------*/ +@@ -888,7 +890,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x03: + { + /** 0011 0001 0bit 0011 bt %1, $%a0 */ +-#line 396 "rl78-decode.opc" ++#line 398 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -898,7 +900,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bt %1, $%a0"); +-#line 396 "rl78-decode.opc" ++#line 398 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SR(A); SB(bit); COND(T); + + } +@@ -906,7 +908,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x04: + { + /** 0011 0001 0bit 0100 bf %s1, $%a0 */ +-#line 363 "rl78-decode.opc" ++#line 365 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -916,7 +918,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bf %s1, $%a0"); +-#line 363 "rl78-decode.opc" ++#line 365 "rl78-decode.opc" + ID(branch_cond); SM(None, SADDR); SB(bit); DC(pc+IMMS(1)+4); COND(F); + + /*----------------------------------------------------------------------*/ +@@ -926,7 +928,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x05: + { + /** 0011 0001 0bit 0101 bf %1, $%a0 */ +-#line 357 "rl78-decode.opc" ++#line 359 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -936,7 +938,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bf %1, $%a0"); +-#line 357 "rl78-decode.opc" ++#line 359 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SR(A); SB(bit); COND(F); + + } +@@ -944,7 +946,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x07: + { + /** 0011 0001 0cnt 0111 shl %0, %1 */ +-#line 1075 "rl78-decode.opc" ++#line 1077 "rl78-decode.opc" + int cnt AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -954,7 +956,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" cnt = 0x%x\n", cnt); + } + SYNTAX("shl %0, %1"); +-#line 1075 "rl78-decode.opc" ++#line 1077 "rl78-decode.opc" + ID(shl); DR(C); SC(cnt); + + } +@@ -962,7 +964,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x08: + { + /** 0011 0001 0cnt 1000 shl %0, %1 */ +-#line 1072 "rl78-decode.opc" ++#line 1074 "rl78-decode.opc" + int cnt AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -972,7 +974,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" cnt = 0x%x\n", cnt); + } + SYNTAX("shl %0, %1"); +-#line 1072 "rl78-decode.opc" ++#line 1074 "rl78-decode.opc" + ID(shl); DR(B); SC(cnt); + + } +@@ -980,7 +982,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x09: + { + /** 0011 0001 0cnt 1001 shl %0, %1 */ +-#line 1069 "rl78-decode.opc" ++#line 1071 "rl78-decode.opc" + int cnt AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -990,7 +992,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" cnt = 0x%x\n", cnt); + } + SYNTAX("shl %0, %1"); +-#line 1069 "rl78-decode.opc" ++#line 1071 "rl78-decode.opc" + ID(shl); DR(A); SC(cnt); + + } +@@ -998,7 +1000,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x0a: + { + /** 0011 0001 0cnt 1010 shr %0, %1 */ +-#line 1086 "rl78-decode.opc" ++#line 1088 "rl78-decode.opc" + int cnt AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1008,7 +1010,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" cnt = 0x%x\n", cnt); + } + SYNTAX("shr %0, %1"); +-#line 1086 "rl78-decode.opc" ++#line 1088 "rl78-decode.opc" + ID(shr); DR(A); SC(cnt); + + } +@@ -1016,7 +1018,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x0b: + { + /** 0011 0001 0cnt 1011 sar %0, %1 */ +-#line 1033 "rl78-decode.opc" ++#line 1035 "rl78-decode.opc" + int cnt AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1026,7 +1028,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" cnt = 0x%x\n", cnt); + } + SYNTAX("sar %0, %1"); +-#line 1033 "rl78-decode.opc" ++#line 1035 "rl78-decode.opc" + ID(sar); DR(A); SC(cnt); + + } +@@ -1035,7 +1037,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x8c: + { + /** 0011 0001 wcnt 1100 shlw %0, %1 */ +-#line 1081 "rl78-decode.opc" ++#line 1083 "rl78-decode.opc" + int wcnt AU = (op[1] >> 4) & 0x0f; + if (trace) + { +@@ -1045,7 +1047,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" wcnt = 0x%x\n", wcnt); + } + SYNTAX("shlw %0, %1"); +-#line 1081 "rl78-decode.opc" ++#line 1083 "rl78-decode.opc" + ID(shl); W(); DR(BC); SC(wcnt); + + /*----------------------------------------------------------------------*/ +@@ -1056,7 +1058,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x8d: + { + /** 0011 0001 wcnt 1101 shlw %0, %1 */ +-#line 1078 "rl78-decode.opc" ++#line 1080 "rl78-decode.opc" + int wcnt AU = (op[1] >> 4) & 0x0f; + if (trace) + { +@@ -1066,7 +1068,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" wcnt = 0x%x\n", wcnt); + } + SYNTAX("shlw %0, %1"); +-#line 1078 "rl78-decode.opc" ++#line 1080 "rl78-decode.opc" + ID(shl); W(); DR(AX); SC(wcnt); + + } +@@ -1075,7 +1077,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x8e: + { + /** 0011 0001 wcnt 1110 shrw %0, %1 */ +-#line 1089 "rl78-decode.opc" ++#line 1091 "rl78-decode.opc" + int wcnt AU = (op[1] >> 4) & 0x0f; + if (trace) + { +@@ -1085,7 +1087,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" wcnt = 0x%x\n", wcnt); + } + SYNTAX("shrw %0, %1"); +-#line 1089 "rl78-decode.opc" ++#line 1091 "rl78-decode.opc" + ID(shr); W(); DR(AX); SC(wcnt); + + /*----------------------------------------------------------------------*/ +@@ -1096,7 +1098,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x8f: + { + /** 0011 0001 wcnt 1111 sarw %0, %1 */ +-#line 1036 "rl78-decode.opc" ++#line 1038 "rl78-decode.opc" + int wcnt AU = (op[1] >> 4) & 0x0f; + if (trace) + { +@@ -1106,7 +1108,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" wcnt = 0x%x\n", wcnt); + } + SYNTAX("sarw %0, %1"); +-#line 1036 "rl78-decode.opc" ++#line 1038 "rl78-decode.opc" + ID(sar); W(); DR(AX); SC(wcnt); + + /*----------------------------------------------------------------------*/ +@@ -1116,7 +1118,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x80: + { + /** 0011 0001 1bit 0000 btclr %s1, $%a0 */ +-#line 413 "rl78-decode.opc" ++#line 415 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1126,7 +1128,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("btclr %s1, $%a0"); +-#line 413 "rl78-decode.opc" ++#line 415 "rl78-decode.opc" + ID(branch_cond_clear); SM(None, SFR); SB(bit); DC(pc+IMMS(1)+4); COND(T); + + } +@@ -1134,7 +1136,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x81: + { + /** 0011 0001 1bit 0001 btclr %e1, $%a0 */ +-#line 407 "rl78-decode.opc" ++#line 409 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1144,7 +1146,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("btclr %e1, $%a0"); +-#line 407 "rl78-decode.opc" ++#line 409 "rl78-decode.opc" + ID(branch_cond_clear); DC(pc+IMMS(1)+3); SM(HL,0); SB(bit); COND(T); + + } +@@ -1152,7 +1154,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x82: + { + /** 0011 0001 1bit 0010 bt %s1, $%a0 */ +-#line 399 "rl78-decode.opc" ++#line 401 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1162,7 +1164,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bt %s1, $%a0"); +-#line 399 "rl78-decode.opc" ++#line 401 "rl78-decode.opc" + ID(branch_cond); SM(None, SFR); SB(bit); DC(pc+IMMS(1)+4); COND(T); + + } +@@ -1170,7 +1172,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x83: + { + /** 0011 0001 1bit 0011 bt %e1, $%a0 */ +-#line 393 "rl78-decode.opc" ++#line 395 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1180,7 +1182,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bt %e1, $%a0"); +-#line 393 "rl78-decode.opc" ++#line 395 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SM(HL,0); SB(bit); COND(T); + + } +@@ -1188,7 +1190,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x84: + { + /** 0011 0001 1bit 0100 bf %s1, $%a0 */ +-#line 360 "rl78-decode.opc" ++#line 362 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1198,7 +1200,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bf %s1, $%a0"); +-#line 360 "rl78-decode.opc" ++#line 362 "rl78-decode.opc" + ID(branch_cond); SM(None, SFR); SB(bit); DC(pc+IMMS(1)+4); COND(F); + + } +@@ -1206,7 +1208,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x85: + { + /** 0011 0001 1bit 0101 bf %e1, $%a0 */ +-#line 354 "rl78-decode.opc" ++#line 356 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -1216,7 +1218,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("bf %e1, $%a0"); +-#line 354 "rl78-decode.opc" ++#line 356 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SM(HL,0); SB(bit); COND(F); + + } +@@ -1229,7 +1231,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x37: + { + /** 0011 0ra1 xchw %0, %1 */ +-#line 1239 "rl78-decode.opc" ++#line 1241 "rl78-decode.opc" + int ra AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -1239,7 +1241,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" ra = 0x%x\n", ra); + } + SYNTAX("xchw %0, %1"); +-#line 1239 "rl78-decode.opc" ++#line 1241 "rl78-decode.opc" + ID(xch); W(); DR(AX); SRW(ra); + + /*----------------------------------------------------------------------*/ +@@ -1256,7 +1258,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %e0, #%1"); +-#line 738 "rl78-decode.opc" ++#line 740 "rl78-decode.opc" + ID(mov); DM(C, IMMU(2)); SC(IMMU(1)); + + } +@@ -1271,7 +1273,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %e0, #%1"); +-#line 732 "rl78-decode.opc" ++#line 734 "rl78-decode.opc" + ID(mov); DM(BC, IMMU(2)); SC(IMMU(1)); + + } +@@ -1286,7 +1288,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("subc %0, #%1"); +-#line 1178 "rl78-decode.opc" ++#line 1180 "rl78-decode.opc" + ID(subc); DM(None, SADDR); SC(IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -1303,7 +1305,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("subc %0, %1"); +-#line 1175 "rl78-decode.opc" ++#line 1177 "rl78-decode.opc" + ID(subc); DR(A); SM(None, SADDR); Fzac; + + } +@@ -1318,7 +1320,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("subc %0, #%1"); +-#line 1166 "rl78-decode.opc" ++#line 1168 "rl78-decode.opc" + ID(subc); DR(A); SC(IMMU(1)); Fzac; + + } +@@ -1333,7 +1335,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("subc %0, %e1"); +-#line 1154 "rl78-decode.opc" ++#line 1156 "rl78-decode.opc" + ID(subc); DR(A); SM(HL, 0); Fzac; + + } +@@ -1348,7 +1350,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("subc %0, %ea1"); +-#line 1163 "rl78-decode.opc" ++#line 1165 "rl78-decode.opc" + ID(subc); DR(A); SM(HL, IMMU(1)); Fzac; + + } +@@ -1363,7 +1365,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("subc %0, %e!1"); +-#line 1151 "rl78-decode.opc" ++#line 1153 "rl78-decode.opc" + ID(subc); DR(A); SM(None, IMMU(2)); Fzac; + + } +@@ -1378,7 +1380,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmp %e!0, #%1"); +-#line 480 "rl78-decode.opc" ++#line 482 "rl78-decode.opc" + ID(cmp); DM(None, IMMU(2)); SC(IMMU(1)); Fzac; + + } +@@ -1393,7 +1395,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, #%1"); +-#line 717 "rl78-decode.opc" ++#line 719 "rl78-decode.opc" + ID(mov); DR(ES); SC(IMMU(1)); + + } +@@ -1408,7 +1410,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmpw %0, %e!1"); +-#line 531 "rl78-decode.opc" ++#line 533 "rl78-decode.opc" + ID(cmp); W(); DR(AX); SM(None, IMMU(2)); Fzac; + + } +@@ -1418,7 +1420,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x47: + { + /** 0100 0ra1 cmpw %0, %1 */ +-#line 540 "rl78-decode.opc" ++#line 542 "rl78-decode.opc" + int ra AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -1428,7 +1430,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" ra = 0x%x\n", ra); + } + SYNTAX("cmpw %0, %1"); +-#line 540 "rl78-decode.opc" ++#line 542 "rl78-decode.opc" + ID(cmp); W(); DR(AX); SRW(ra); Fzac; + + } +@@ -1443,7 +1445,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmpw %0, #%1"); +-#line 537 "rl78-decode.opc" ++#line 539 "rl78-decode.opc" + ID(cmp); W(); DR(AX); SC(IMMU(2)); Fzac; + + } +@@ -1458,7 +1460,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmpw %0, %1"); +-#line 543 "rl78-decode.opc" ++#line 545 "rl78-decode.opc" + ID(cmp); W(); DR(AX); SM(None, SADDR); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -1475,7 +1477,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %e0, %1"); +-#line 735 "rl78-decode.opc" ++#line 737 "rl78-decode.opc" + ID(mov); DM(BC, IMMU(2)); SR(A); + + } +@@ -1490,7 +1492,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %e1"); +-#line 681 "rl78-decode.opc" ++#line 683 "rl78-decode.opc" + ID(mov); DR(A); SM(BC, IMMU(2)); + + } +@@ -1505,7 +1507,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmp %0, #%1"); +-#line 483 "rl78-decode.opc" ++#line 485 "rl78-decode.opc" + ID(cmp); DM(None, SADDR); SC(IMMU(1)); Fzac; + + } +@@ -1520,7 +1522,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmp %0, %1"); +-#line 510 "rl78-decode.opc" ++#line 512 "rl78-decode.opc" + ID(cmp); DR(A); SM(None, SADDR); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -1537,7 +1539,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmp %0, #%1"); +-#line 501 "rl78-decode.opc" ++#line 503 "rl78-decode.opc" + ID(cmp); DR(A); SC(IMMU(1)); Fzac; + + } +@@ -1552,7 +1554,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmp %0, %e1"); +-#line 489 "rl78-decode.opc" ++#line 491 "rl78-decode.opc" + ID(cmp); DR(A); SM(HL, 0); Fzac; + + } +@@ -1567,7 +1569,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmp %0, %ea1"); +-#line 498 "rl78-decode.opc" ++#line 500 "rl78-decode.opc" + ID(cmp); DR(A); SM(HL, IMMU(1)); Fzac; + + } +@@ -1582,7 +1584,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmp %0, %e!1"); +-#line 486 "rl78-decode.opc" ++#line 488 "rl78-decode.opc" + ID(cmp); DR(A); SM(None, IMMU(2)); Fzac; + + } +@@ -1597,7 +1599,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x57: + { + /** 0101 0reg mov %0, #%1 */ +-#line 669 "rl78-decode.opc" ++#line 671 "rl78-decode.opc" + int reg AU = op[0] & 0x07; + if (trace) + { +@@ -1607,7 +1609,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("mov %0, #%1"); +-#line 669 "rl78-decode.opc" ++#line 671 "rl78-decode.opc" + ID(mov); DRB(reg); SC(IMMU(1)); + + } +@@ -1622,7 +1624,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %e0, %1"); +-#line 871 "rl78-decode.opc" ++#line 873 "rl78-decode.opc" + ID(mov); W(); DM(B, IMMU(2)); SR(AX); + + } +@@ -1637,7 +1639,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %e1"); +-#line 862 "rl78-decode.opc" ++#line 864 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(B, IMMU(2)); + + } +@@ -1652,7 +1654,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("and %0, #%1"); +-#line 312 "rl78-decode.opc" ++#line 314 "rl78-decode.opc" + ID(and); DM(None, SADDR); SC(IMMU(1)); Fz; + + /*----------------------------------------------------------------------*/ +@@ -1669,7 +1671,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("and %0, %1"); +-#line 309 "rl78-decode.opc" ++#line 311 "rl78-decode.opc" + ID(and); DR(A); SM(None, SADDR); Fz; + + } +@@ -1684,7 +1686,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("and %0, #%1"); +-#line 300 "rl78-decode.opc" ++#line 302 "rl78-decode.opc" + ID(and); DR(A); SC(IMMU(1)); Fz; + + } +@@ -1699,7 +1701,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("and %0, %e1"); +-#line 288 "rl78-decode.opc" ++#line 290 "rl78-decode.opc" + ID(and); DR(A); SM(HL, 0); Fz; + + } +@@ -1714,7 +1716,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("and %0, %ea1"); +-#line 294 "rl78-decode.opc" ++#line 296 "rl78-decode.opc" + ID(and); DR(A); SM(HL, IMMU(1)); Fz; + + } +@@ -1729,7 +1731,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("and %0, %e!1"); +-#line 285 "rl78-decode.opc" ++#line 287 "rl78-decode.opc" + ID(and); DR(A); SM(None, IMMU(2)); Fz; + + } +@@ -1743,7 +1745,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x67: + { + /** 0110 0rba mov %0, %1 */ +-#line 672 "rl78-decode.opc" ++#line 674 "rl78-decode.opc" + int rba AU = op[0] & 0x07; + if (trace) + { +@@ -1753,7 +1755,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rba = 0x%x\n", rba); + } + SYNTAX("mov %0, %1"); +-#line 672 "rl78-decode.opc" ++#line 674 "rl78-decode.opc" + ID(mov); DR(A); SRB(rba); + + } +@@ -1772,7 +1774,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x07: + { + /** 0110 0001 0000 0reg add %0, %1 */ +-#line 225 "rl78-decode.opc" ++#line 227 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -1782,7 +1784,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("add %0, %1"); +-#line 225 "rl78-decode.opc" ++#line 227 "rl78-decode.opc" + ID(add); DRB(reg); SR(A); Fzac; + + } +@@ -1796,7 +1798,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x0f: + { + /** 0110 0001 0000 1rba add %0, %1 */ +-#line 219 "rl78-decode.opc" ++#line 221 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -1806,7 +1808,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rba = 0x%x\n", rba); + } + SYNTAX("add %0, %1"); +-#line 219 "rl78-decode.opc" ++#line 221 "rl78-decode.opc" + ID(add); DR(A); SRB(rba); Fzac; + + } +@@ -1821,7 +1823,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("addw %0, %ea1"); +-#line 268 "rl78-decode.opc" ++#line 270 "rl78-decode.opc" + ID(add); W(); DR(AX); SM(HL, IMMU(1)); Fzac; + + } +@@ -1836,7 +1838,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x17: + { + /** 0110 0001 0001 0reg addc %0, %1 */ +-#line 254 "rl78-decode.opc" ++#line 256 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -1846,7 +1848,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("addc %0, %1"); +-#line 254 "rl78-decode.opc" ++#line 256 "rl78-decode.opc" + ID(addc); DRB(reg); SR(A); Fzac; + + } +@@ -1860,7 +1862,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x1f: + { + /** 0110 0001 0001 1rba addc %0, %1 */ +-#line 251 "rl78-decode.opc" ++#line 253 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -1870,7 +1872,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rba = 0x%x\n", rba); + } + SYNTAX("addc %0, %1"); +-#line 251 "rl78-decode.opc" ++#line 253 "rl78-decode.opc" + ID(addc); DR(A); SRB(rba); Fzac; + + } +@@ -1885,7 +1887,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x27: + { + /** 0110 0001 0010 0reg sub %0, %1 */ +-#line 1143 "rl78-decode.opc" ++#line 1145 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -1895,7 +1897,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("sub %0, %1"); +-#line 1143 "rl78-decode.opc" ++#line 1145 "rl78-decode.opc" + ID(sub); DRB(reg); SR(A); Fzac; + + } +@@ -1909,7 +1911,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x2f: + { + /** 0110 0001 0010 1rba sub %0, %1 */ +-#line 1137 "rl78-decode.opc" ++#line 1139 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -1919,7 +1921,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rba = 0x%x\n", rba); + } + SYNTAX("sub %0, %1"); +-#line 1137 "rl78-decode.opc" ++#line 1139 "rl78-decode.opc" + ID(sub); DR(A); SRB(rba); Fzac; + + } +@@ -1934,7 +1936,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("subw %0, %ea1"); +-#line 1186 "rl78-decode.opc" ++#line 1188 "rl78-decode.opc" + ID(sub); W(); DR(AX); SM(HL, IMMU(1)); Fzac; + + } +@@ -1949,7 +1951,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x37: + { + /** 0110 0001 0011 0reg subc %0, %1 */ +-#line 1172 "rl78-decode.opc" ++#line 1174 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -1959,7 +1961,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("subc %0, %1"); +-#line 1172 "rl78-decode.opc" ++#line 1174 "rl78-decode.opc" + ID(subc); DRB(reg); SR(A); Fzac; + + } +@@ -1973,7 +1975,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x3f: + { + /** 0110 0001 0011 1rba subc %0, %1 */ +-#line 1169 "rl78-decode.opc" ++#line 1171 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -1983,7 +1985,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rba = 0x%x\n", rba); + } + SYNTAX("subc %0, %1"); +-#line 1169 "rl78-decode.opc" ++#line 1171 "rl78-decode.opc" + ID(subc); DR(A); SRB(rba); Fzac; + + } +@@ -1998,7 +2000,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x47: + { + /** 0110 0001 0100 0reg cmp %0, %1 */ +-#line 507 "rl78-decode.opc" ++#line 509 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -2008,7 +2010,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("cmp %0, %1"); +-#line 507 "rl78-decode.opc" ++#line 509 "rl78-decode.opc" + ID(cmp); DRB(reg); SR(A); Fzac; + + } +@@ -2022,7 +2024,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x4f: + { + /** 0110 0001 0100 1rba cmp %0, %1 */ +-#line 504 "rl78-decode.opc" ++#line 506 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -2032,7 +2034,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rba = 0x%x\n", rba); + } + SYNTAX("cmp %0, %1"); +-#line 504 "rl78-decode.opc" ++#line 506 "rl78-decode.opc" + ID(cmp); DR(A); SRB(rba); Fzac; + + } +@@ -2047,7 +2049,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("cmpw %0, %ea1"); +-#line 534 "rl78-decode.opc" ++#line 536 "rl78-decode.opc" + ID(cmp); W(); DR(AX); SM(HL, IMMU(1)); Fzac; + + } +@@ -2062,7 +2064,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x57: + { + /** 0110 0001 0101 0reg and %0, %1 */ +-#line 306 "rl78-decode.opc" ++#line 308 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -2072,7 +2074,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("and %0, %1"); +-#line 306 "rl78-decode.opc" ++#line 308 "rl78-decode.opc" + ID(and); DRB(reg); SR(A); Fz; + + } +@@ -2086,7 +2088,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x5f: + { + /** 0110 0001 0101 1rba and %0, %1 */ +-#line 303 "rl78-decode.opc" ++#line 305 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -2096,7 +2098,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rba = 0x%x\n", rba); + } + SYNTAX("and %0, %1"); +-#line 303 "rl78-decode.opc" ++#line 305 "rl78-decode.opc" + ID(and); DR(A); SRB(rba); Fz; + + } +@@ -2111,7 +2113,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("inc %ea0"); +-#line 584 "rl78-decode.opc" ++#line 586 "rl78-decode.opc" + ID(add); DM(HL, IMMU(1)); SC(1); Fza; + + } +@@ -2126,7 +2128,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x67: + { + /** 0110 0001 0110 0reg or %0, %1 */ +-#line 961 "rl78-decode.opc" ++#line 963 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -2136,7 +2138,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("or %0, %1"); +-#line 961 "rl78-decode.opc" ++#line 963 "rl78-decode.opc" + ID(or); DRB(reg); SR(A); Fz; + + } +@@ -2150,7 +2152,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x6f: + { + /** 0110 0001 0110 1rba or %0, %1 */ +-#line 958 "rl78-decode.opc" ++#line 960 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -2160,7 +2162,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rba = 0x%x\n", rba); + } + SYNTAX("or %0, %1"); +-#line 958 "rl78-decode.opc" ++#line 960 "rl78-decode.opc" + ID(or); DR(A); SRB(rba); Fz; + + } +@@ -2175,7 +2177,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("dec %ea0"); +-#line 551 "rl78-decode.opc" ++#line 553 "rl78-decode.opc" + ID(sub); DM(HL, IMMU(1)); SC(1); Fza; + + } +@@ -2190,7 +2192,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x77: + { + /** 0110 0001 0111 0reg xor %0, %1 */ +-#line 1265 "rl78-decode.opc" ++#line 1267 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -2200,7 +2202,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("xor %0, %1"); +-#line 1265 "rl78-decode.opc" ++#line 1267 "rl78-decode.opc" + ID(xor); DRB(reg); SR(A); Fz; + + } +@@ -2214,7 +2216,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x7f: + { + /** 0110 0001 0111 1rba xor %0, %1 */ +-#line 1262 "rl78-decode.opc" ++#line 1264 "rl78-decode.opc" + int rba AU = op[1] & 0x07; + if (trace) + { +@@ -2224,7 +2226,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rba = 0x%x\n", rba); + } + SYNTAX("xor %0, %1"); +-#line 1262 "rl78-decode.opc" ++#line 1264 "rl78-decode.opc" + ID(xor); DR(A); SRB(rba); Fz; + + } +@@ -2239,7 +2241,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("incw %ea0"); +-#line 598 "rl78-decode.opc" ++#line 600 "rl78-decode.opc" + ID(add); W(); DM(HL, IMMU(1)); SC(1); + + } +@@ -2255,7 +2257,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("add %0, %e1"); +-#line 207 "rl78-decode.opc" ++#line 209 "rl78-decode.opc" + ID(add); DR(A); SM2(HL, B, 0); Fzac; + + } +@@ -2270,7 +2272,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("add %0, %e1"); +-#line 213 "rl78-decode.opc" ++#line 215 "rl78-decode.opc" + ID(add); DR(A); SM2(HL, C, 0); Fzac; + + } +@@ -2309,9 +2311,9 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xf7: + { + /** 0110 0001 1nnn 01mm callt [%x0] */ +-#line 433 "rl78-decode.opc" ++#line 435 "rl78-decode.opc" + int nnn AU = (op[1] >> 4) & 0x07; +-#line 433 "rl78-decode.opc" ++#line 435 "rl78-decode.opc" + int mm AU = op[1] & 0x03; + if (trace) + { +@@ -2322,7 +2324,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" mm = 0x%x\n", mm); + } + SYNTAX("callt [%x0]"); +-#line 433 "rl78-decode.opc" ++#line 435 "rl78-decode.opc" + ID(call); DM(None, 0x80 + mm*16 + nnn*2); + + /*----------------------------------------------------------------------*/ +@@ -2338,7 +2340,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x8f: + { + /** 0110 0001 1000 1reg xch %0, %1 */ +-#line 1224 "rl78-decode.opc" ++#line 1226 "rl78-decode.opc" + int reg AU = op[1] & 0x07; + if (trace) + { +@@ -2348,7 +2350,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("xch %0, %1"); +-#line 1224 "rl78-decode.opc" ++#line 1226 "rl78-decode.opc" + /* Note: DECW uses reg == X, so this must follow DECW */ + ID(xch); DR(A); SRB(reg); + +@@ -2364,7 +2366,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("decw %ea0"); +-#line 565 "rl78-decode.opc" ++#line 567 "rl78-decode.opc" + ID(sub); W(); DM(HL, IMMU(1)); SC(1); + + } +@@ -2379,7 +2381,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("addc %0, %e1"); +-#line 239 "rl78-decode.opc" ++#line 241 "rl78-decode.opc" + ID(addc); DR(A); SM2(HL, B, 0); Fzac; + + } +@@ -2394,7 +2396,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("addc %0, %e1"); +-#line 242 "rl78-decode.opc" ++#line 244 "rl78-decode.opc" + ID(addc); DR(A); SM2(HL, C, 0); Fzac; + + } +@@ -2410,7 +2412,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("sub %0, %e1"); +-#line 1125 "rl78-decode.opc" ++#line 1127 "rl78-decode.opc" + ID(sub); DR(A); SM2(HL, B, 0); Fzac; + + } +@@ -2425,7 +2427,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("sub %0, %e1"); +-#line 1131 "rl78-decode.opc" ++#line 1133 "rl78-decode.opc" + ID(sub); DR(A); SM2(HL, C, 0); Fzac; + + } +@@ -2440,7 +2442,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xch %0, %1"); +-#line 1228 "rl78-decode.opc" ++#line 1230 "rl78-decode.opc" + ID(xch); DR(A); SM(None, SADDR); + + } +@@ -2455,7 +2457,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xch %0, %e1"); +-#line 1221 "rl78-decode.opc" ++#line 1223 "rl78-decode.opc" + ID(xch); DR(A); SM2(HL, C, 0); + + } +@@ -2470,7 +2472,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xch %0, %e!1"); +-#line 1203 "rl78-decode.opc" ++#line 1205 "rl78-decode.opc" + ID(xch); DR(A); SM(None, IMMU(2)); + + } +@@ -2485,7 +2487,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xch %0, %s1"); +-#line 1231 "rl78-decode.opc" ++#line 1233 "rl78-decode.opc" + ID(xch); DR(A); SM(None, SFR); + + } +@@ -2500,7 +2502,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xch %0, %e1"); +-#line 1212 "rl78-decode.opc" ++#line 1214 "rl78-decode.opc" + ID(xch); DR(A); SM(HL, 0); + + } +@@ -2515,7 +2517,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xch %0, %ea1"); +-#line 1218 "rl78-decode.opc" ++#line 1220 "rl78-decode.opc" + ID(xch); DR(A); SM(HL, IMMU(1)); + + } +@@ -2530,7 +2532,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xch %0, %e1"); +-#line 1206 "rl78-decode.opc" ++#line 1208 "rl78-decode.opc" + ID(xch); DR(A); SM(DE, 0); + + } +@@ -2545,7 +2547,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xch %0, %ea1"); +-#line 1209 "rl78-decode.opc" ++#line 1211 "rl78-decode.opc" + ID(xch); DR(A); SM(DE, IMMU(1)); + + } +@@ -2560,7 +2562,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("subc %0, %e1"); +-#line 1157 "rl78-decode.opc" ++#line 1159 "rl78-decode.opc" + ID(subc); DR(A); SM2(HL, B, 0); Fzac; + + } +@@ -2575,7 +2577,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("subc %0, %e1"); +-#line 1160 "rl78-decode.opc" ++#line 1162 "rl78-decode.opc" + ID(subc); DR(A); SM2(HL, C, 0); Fzac; + + } +@@ -2590,7 +2592,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("mov %0, %1"); +-#line 723 "rl78-decode.opc" ++#line 725 "rl78-decode.opc" + ID(mov); DR(ES); SM(None, SADDR); + + } +@@ -2605,7 +2607,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xch %0, %e1"); +-#line 1215 "rl78-decode.opc" ++#line 1217 "rl78-decode.opc" + ID(xch); DR(A); SM2(HL, B, 0); + + } +@@ -2620,7 +2622,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("cmp %0, %e1"); +-#line 492 "rl78-decode.opc" ++#line 494 "rl78-decode.opc" + ID(cmp); DR(A); SM2(HL, B, 0); Fzac; + + } +@@ -2635,7 +2637,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("cmp %0, %e1"); +-#line 495 "rl78-decode.opc" ++#line 497 "rl78-decode.opc" + ID(cmp); DR(A); SM2(HL, C, 0); Fzac; + + } +@@ -2650,7 +2652,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("bh $%a0"); +-#line 340 "rl78-decode.opc" ++#line 342 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SR(None); COND(H); + + } +@@ -2665,7 +2667,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1094 "rl78-decode.opc" ++#line 1096 "rl78-decode.opc" + ID(skip); COND(C); + + } +@@ -2680,7 +2682,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("mov %0, %e1"); +-#line 660 "rl78-decode.opc" ++#line 662 "rl78-decode.opc" + ID(mov); DR(A); SM2(HL, B, 0); + + } +@@ -2691,7 +2693,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xfa: + { + /** 0110 0001 11rg 1010 call %0 */ +-#line 430 "rl78-decode.opc" ++#line 432 "rl78-decode.opc" + int rg AU = (op[1] >> 4) & 0x03; + if (trace) + { +@@ -2701,7 +2703,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rg = 0x%x\n", rg); + } + SYNTAX("call %0"); +-#line 430 "rl78-decode.opc" ++#line 432 "rl78-decode.opc" + ID(call); DRW(rg); + + } +@@ -2716,7 +2718,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("br ax"); +-#line 380 "rl78-decode.opc" ++#line 382 "rl78-decode.opc" + ID(branch); DR(AX); + + /*----------------------------------------------------------------------*/ +@@ -2733,7 +2735,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("brk"); +-#line 388 "rl78-decode.opc" ++#line 390 "rl78-decode.opc" + ID(break); + + /*----------------------------------------------------------------------*/ +@@ -2750,7 +2752,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("pop %s0"); +-#line 989 "rl78-decode.opc" ++#line 991 "rl78-decode.opc" + ID(mov); W(); DR(PSW); SPOP(); + + /*----------------------------------------------------------------------*/ +@@ -2767,7 +2769,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("movs %ea0, %1"); +-#line 811 "rl78-decode.opc" ++#line 813 "rl78-decode.opc" + ID(mov); DM(HL, IMMU(1)); SR(X); Fzc; + + /*----------------------------------------------------------------------*/ +@@ -2780,7 +2782,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xff: + { + /** 0110 0001 11rb 1111 sel rb%1 */ +-#line 1041 "rl78-decode.opc" ++#line 1043 "rl78-decode.opc" + int rb AU = (op[1] >> 4) & 0x03; + if (trace) + { +@@ -2790,7 +2792,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rb = 0x%x\n", rb); + } + SYNTAX("sel rb%1"); +-#line 1041 "rl78-decode.opc" ++#line 1043 "rl78-decode.opc" + ID(sel); SC(rb); + + /*----------------------------------------------------------------------*/ +@@ -2807,7 +2809,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("and %0, %e1"); +-#line 291 "rl78-decode.opc" ++#line 293 "rl78-decode.opc" + ID(and); DR(A); SM2(HL, B, 0); Fz; + + } +@@ -2822,7 +2824,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("and %0, %e1"); +-#line 297 "rl78-decode.opc" ++#line 299 "rl78-decode.opc" + ID(and); DR(A); SM2(HL, C, 0); Fz; + + } +@@ -2837,7 +2839,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("bnh $%a0"); +-#line 343 "rl78-decode.opc" ++#line 345 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+3); SR(None); COND(NH); + + } +@@ -2852,7 +2854,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1100 "rl78-decode.opc" ++#line 1102 "rl78-decode.opc" + ID(skip); COND(NC); + + } +@@ -2867,7 +2869,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("mov %e0, %1"); +-#line 627 "rl78-decode.opc" ++#line 629 "rl78-decode.opc" + ID(mov); DM2(HL, B, 0); SR(A); + + } +@@ -2882,7 +2884,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("ror %0, %1"); +-#line 1022 "rl78-decode.opc" ++#line 1024 "rl78-decode.opc" + ID(ror); DR(A); SC(1); + + } +@@ -2897,7 +2899,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("rolc %0, %1"); +-#line 1016 "rl78-decode.opc" ++#line 1018 "rl78-decode.opc" + ID(rolc); DR(A); SC(1); + + } +@@ -2912,7 +2914,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("push %s1"); +-#line 997 "rl78-decode.opc" ++#line 999 "rl78-decode.opc" + ID(mov); W(); DPUSH(); SR(PSW); + + /*----------------------------------------------------------------------*/ +@@ -2929,7 +2931,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("cmps %0, %ea1"); +-#line 526 "rl78-decode.opc" ++#line 528 "rl78-decode.opc" + ID(cmp); DR(X); SM(HL, IMMU(1)); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -2946,7 +2948,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("or %0, %e1"); +-#line 946 "rl78-decode.opc" ++#line 948 "rl78-decode.opc" + ID(or); DR(A); SM2(HL, B, 0); Fz; + + } +@@ -2961,7 +2963,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("or %0, %e1"); +-#line 952 "rl78-decode.opc" ++#line 954 "rl78-decode.opc" + ID(or); DR(A); SM2(HL, C, 0); Fz; + + } +@@ -2976,7 +2978,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1097 "rl78-decode.opc" ++#line 1099 "rl78-decode.opc" + ID(skip); COND(H); + + } +@@ -2991,7 +2993,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1109 "rl78-decode.opc" ++#line 1111 "rl78-decode.opc" + ID(skip); COND(Z); + + /*----------------------------------------------------------------------*/ +@@ -3008,7 +3010,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("mov %0, %e1"); +-#line 663 "rl78-decode.opc" ++#line 665 "rl78-decode.opc" + ID(mov); DR(A); SM2(HL, C, 0); + + } +@@ -3023,7 +3025,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("rol %0, %1"); +-#line 1013 "rl78-decode.opc" ++#line 1015 "rl78-decode.opc" + ID(rol); DR(A); SC(1); + + } +@@ -3038,7 +3040,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("retb"); +-#line 1008 "rl78-decode.opc" ++#line 1010 "rl78-decode.opc" + ID(reti); + + /*----------------------------------------------------------------------*/ +@@ -3055,7 +3057,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("halt"); +-#line 576 "rl78-decode.opc" ++#line 578 "rl78-decode.opc" + ID(halt); + + /*----------------------------------------------------------------------*/ +@@ -3066,7 +3068,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xfe: + { + /** 0110 0001 111r 1110 rolwc %0, %1 */ +-#line 1019 "rl78-decode.opc" ++#line 1021 "rl78-decode.opc" + int r AU = (op[1] >> 4) & 0x01; + if (trace) + { +@@ -3076,7 +3078,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" r = 0x%x\n", r); + } + SYNTAX("rolwc %0, %1"); +-#line 1019 "rl78-decode.opc" ++#line 1021 "rl78-decode.opc" + ID(rolc); W(); DRW(r); SC(1); + + } +@@ -3091,7 +3093,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xor %0, %e1"); +-#line 1250 "rl78-decode.opc" ++#line 1252 "rl78-decode.opc" + ID(xor); DR(A); SM2(HL, B, 0); Fz; + + } +@@ -3106,7 +3108,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("xor %0, %e1"); +-#line 1256 "rl78-decode.opc" ++#line 1258 "rl78-decode.opc" + ID(xor); DR(A); SM2(HL, C, 0); Fz; + + } +@@ -3121,7 +3123,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1103 "rl78-decode.opc" ++#line 1105 "rl78-decode.opc" + ID(skip); COND(NH); + + } +@@ -3136,7 +3138,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("sk%c1"); +-#line 1106 "rl78-decode.opc" ++#line 1108 "rl78-decode.opc" + ID(skip); COND(NZ); + + } +@@ -3151,7 +3153,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("mov %e0, %1"); +-#line 636 "rl78-decode.opc" ++#line 638 "rl78-decode.opc" + ID(mov); DM2(HL, C, 0); SR(A); + + } +@@ -3166,7 +3168,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("rorc %0, %1"); +-#line 1025 "rl78-decode.opc" ++#line 1027 "rl78-decode.opc" + ID(rorc); DR(A); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -3186,7 +3188,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("reti"); +-#line 1005 "rl78-decode.opc" ++#line 1007 "rl78-decode.opc" + ID(reti); + + } +@@ -3201,7 +3203,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("stop"); +-#line 1114 "rl78-decode.opc" ++#line 1116 "rl78-decode.opc" + ID(stop); + + /*----------------------------------------------------------------------*/ +@@ -3221,7 +3223,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %e0, %1"); +-#line 874 "rl78-decode.opc" ++#line 876 "rl78-decode.opc" + ID(mov); W(); DM(C, IMMU(2)); SR(AX); + + } +@@ -3236,7 +3238,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %e1"); +-#line 865 "rl78-decode.opc" ++#line 867 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(C, IMMU(2)); + + } +@@ -3251,7 +3253,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("or %0, #%1"); +-#line 967 "rl78-decode.opc" ++#line 969 "rl78-decode.opc" + ID(or); DM(None, SADDR); SC(IMMU(1)); Fz; + + /*----------------------------------------------------------------------*/ +@@ -3268,7 +3270,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("or %0, %1"); +-#line 964 "rl78-decode.opc" ++#line 966 "rl78-decode.opc" + ID(or); DR(A); SM(None, SADDR); Fz; + + } +@@ -3283,7 +3285,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("or %0, #%1"); +-#line 955 "rl78-decode.opc" ++#line 957 "rl78-decode.opc" + ID(or); DR(A); SC(IMMU(1)); Fz; + + } +@@ -3298,7 +3300,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("or %0, %e1"); +-#line 943 "rl78-decode.opc" ++#line 945 "rl78-decode.opc" + ID(or); DR(A); SM(HL, 0); Fz; + + } +@@ -3313,7 +3315,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("or %0, %ea1"); +-#line 949 "rl78-decode.opc" ++#line 951 "rl78-decode.opc" + ID(or); DR(A); SM(HL, IMMU(1)); Fz; + + } +@@ -3328,7 +3330,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("or %0, %e!1"); +-#line 940 "rl78-decode.opc" ++#line 942 "rl78-decode.opc" + ID(or); DR(A); SM(None, IMMU(2)); Fz; + + } +@@ -3342,7 +3344,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x77: + { + /** 0111 0rba mov %0, %1 */ +-#line 696 "rl78-decode.opc" ++#line 698 "rl78-decode.opc" + int rba AU = op[0] & 0x07; + if (trace) + { +@@ -3352,7 +3354,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rba = 0x%x\n", rba); + } + SYNTAX("mov %0, %1"); +-#line 696 "rl78-decode.opc" ++#line 698 "rl78-decode.opc" + ID(mov); DRB(rba); SR(A); + + } +@@ -3371,7 +3373,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x70: + { + /** 0111 0001 0bit 0000 set1 %e!0 */ +-#line 1046 "rl78-decode.opc" ++#line 1048 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3381,7 +3383,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("set1 %e!0"); +-#line 1046 "rl78-decode.opc" ++#line 1048 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); DB(bit); SC(1); + + } +@@ -3396,7 +3398,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x71: + { + /** 0111 0001 0bit 0001 mov1 %0, cy */ +-#line 803 "rl78-decode.opc" ++#line 805 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3406,7 +3408,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 %0, cy"); +-#line 803 "rl78-decode.opc" ++#line 805 "rl78-decode.opc" + ID(mov); DM(None, SADDR); DB(bit); SCY(); + + } +@@ -3421,7 +3423,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x72: + { + /** 0111 0001 0bit 0010 set1 %0 */ +-#line 1064 "rl78-decode.opc" ++#line 1066 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3431,7 +3433,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("set1 %0"); +-#line 1064 "rl78-decode.opc" ++#line 1066 "rl78-decode.opc" + ID(mov); DM(None, SADDR); DB(bit); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -3448,7 +3450,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x73: + { + /** 0111 0001 0bit 0011 clr1 %0 */ +-#line 456 "rl78-decode.opc" ++#line 458 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3458,7 +3460,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("clr1 %0"); +-#line 456 "rl78-decode.opc" ++#line 458 "rl78-decode.opc" + ID(mov); DM(None, SADDR); DB(bit); SC(0); + + /*----------------------------------------------------------------------*/ +@@ -3475,7 +3477,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x74: + { + /** 0111 0001 0bit 0100 mov1 cy, %1 */ +-#line 797 "rl78-decode.opc" ++#line 799 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3485,7 +3487,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 cy, %1"); +-#line 797 "rl78-decode.opc" ++#line 799 "rl78-decode.opc" + ID(mov); DCY(); SM(None, SADDR); SB(bit); + + } +@@ -3500,7 +3502,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x75: + { + /** 0111 0001 0bit 0101 and1 cy, %s1 */ +-#line 326 "rl78-decode.opc" ++#line 328 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3510,7 +3512,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("and1 cy, %s1"); +-#line 326 "rl78-decode.opc" ++#line 328 "rl78-decode.opc" + ID(and); DCY(); SM(None, SADDR); SB(bit); + + /*----------------------------------------------------------------------*/ +@@ -3530,7 +3532,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x76: + { + /** 0111 0001 0bit 0110 or1 cy, %s1 */ +-#line 981 "rl78-decode.opc" ++#line 983 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3540,7 +3542,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("or1 cy, %s1"); +-#line 981 "rl78-decode.opc" ++#line 983 "rl78-decode.opc" + ID(or); DCY(); SM(None, SADDR); SB(bit); + + /*----------------------------------------------------------------------*/ +@@ -3557,7 +3559,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x77: + { + /** 0111 0001 0bit 0111 xor1 cy, %s1 */ +-#line 1285 "rl78-decode.opc" ++#line 1287 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3567,7 +3569,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("xor1 cy, %s1"); +-#line 1285 "rl78-decode.opc" ++#line 1287 "rl78-decode.opc" + ID(xor); DCY(); SM(None, SADDR); SB(bit); + + /*----------------------------------------------------------------------*/ +@@ -3584,7 +3586,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x78: + { + /** 0111 0001 0bit 1000 clr1 %e!0 */ +-#line 438 "rl78-decode.opc" ++#line 440 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3594,7 +3596,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("clr1 %e!0"); +-#line 438 "rl78-decode.opc" ++#line 440 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); DB(bit); SC(0); + + } +@@ -3609,7 +3611,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x79: + { + /** 0111 0001 0bit 1001 mov1 %s0, cy */ +-#line 806 "rl78-decode.opc" ++#line 808 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3619,7 +3621,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 %s0, cy"); +-#line 806 "rl78-decode.opc" ++#line 808 "rl78-decode.opc" + ID(mov); DM(None, SFR); DB(bit); SCY(); + + /*----------------------------------------------------------------------*/ +@@ -3636,7 +3638,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x7a: + { + /** 0111 0001 0bit 1010 set1 %s0 */ +-#line 1058 "rl78-decode.opc" ++#line 1060 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3646,7 +3648,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("set1 %s0"); +-#line 1058 "rl78-decode.opc" ++#line 1060 "rl78-decode.opc" + op0 = SFR; + ID(mov); DM(None, op0); DB(bit); SC(1); + if (op0 == RL78_SFR_PSW && bit == 7) +@@ -3664,7 +3666,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x7b: + { + /** 0111 0001 0bit 1011 clr1 %s0 */ +-#line 450 "rl78-decode.opc" ++#line 452 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3674,7 +3676,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("clr1 %s0"); +-#line 450 "rl78-decode.opc" ++#line 452 "rl78-decode.opc" + op0 = SFR; + ID(mov); DM(None, op0); DB(bit); SC(0); + if (op0 == RL78_SFR_PSW && bit == 7) +@@ -3692,7 +3694,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x7c: + { + /** 0111 0001 0bit 1100 mov1 cy, %s1 */ +-#line 800 "rl78-decode.opc" ++#line 802 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3702,7 +3704,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 cy, %s1"); +-#line 800 "rl78-decode.opc" ++#line 802 "rl78-decode.opc" + ID(mov); DCY(); SM(None, SFR); SB(bit); + + } +@@ -3717,7 +3719,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x7d: + { + /** 0111 0001 0bit 1101 and1 cy, %s1 */ +-#line 323 "rl78-decode.opc" ++#line 325 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3727,7 +3729,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("and1 cy, %s1"); +-#line 323 "rl78-decode.opc" ++#line 325 "rl78-decode.opc" + ID(and); DCY(); SM(None, SFR); SB(bit); + + } +@@ -3742,7 +3744,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x7e: + { + /** 0111 0001 0bit 1110 or1 cy, %s1 */ +-#line 978 "rl78-decode.opc" ++#line 980 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3752,7 +3754,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("or1 cy, %s1"); +-#line 978 "rl78-decode.opc" ++#line 980 "rl78-decode.opc" + ID(or); DCY(); SM(None, SFR); SB(bit); + + } +@@ -3767,7 +3769,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x7f: + { + /** 0111 0001 0bit 1111 xor1 cy, %s1 */ +-#line 1282 "rl78-decode.opc" ++#line 1284 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3777,7 +3779,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("xor1 cy, %s1"); +-#line 1282 "rl78-decode.opc" ++#line 1284 "rl78-decode.opc" + ID(xor); DCY(); SM(None, SFR); SB(bit); + + } +@@ -3792,7 +3794,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("set1 cy"); +-#line 1055 "rl78-decode.opc" ++#line 1057 "rl78-decode.opc" + ID(mov); DCY(); SC(1); + + } +@@ -3807,7 +3809,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xf1: + { + /** 0111 0001 1bit 0001 mov1 %e0, cy */ +-#line 785 "rl78-decode.opc" ++#line 787 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3817,7 +3819,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 %e0, cy"); +-#line 785 "rl78-decode.opc" ++#line 787 "rl78-decode.opc" + ID(mov); DM(HL, 0); DB(bit); SCY(); + + } +@@ -3832,7 +3834,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xf2: + { + /** 0111 0001 1bit 0010 set1 %e0 */ +-#line 1049 "rl78-decode.opc" ++#line 1051 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3842,7 +3844,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("set1 %e0"); +-#line 1049 "rl78-decode.opc" ++#line 1051 "rl78-decode.opc" + ID(mov); DM(HL, 0); DB(bit); SC(1); + + } +@@ -3857,7 +3859,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xf3: + { + /** 0111 0001 1bit 0011 clr1 %e0 */ +-#line 441 "rl78-decode.opc" ++#line 443 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3867,7 +3869,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("clr1 %e0"); +-#line 441 "rl78-decode.opc" ++#line 443 "rl78-decode.opc" + ID(mov); DM(HL, 0); DB(bit); SC(0); + + } +@@ -3882,7 +3884,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xf4: + { + /** 0111 0001 1bit 0100 mov1 cy, %e1 */ +-#line 791 "rl78-decode.opc" ++#line 793 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3892,7 +3894,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 cy, %e1"); +-#line 791 "rl78-decode.opc" ++#line 793 "rl78-decode.opc" + ID(mov); DCY(); SM(HL, 0); SB(bit); + + } +@@ -3907,7 +3909,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xf5: + { + /** 0111 0001 1bit 0101 and1 cy, %e1 */ +-#line 317 "rl78-decode.opc" ++#line 319 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3917,7 +3919,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("and1 cy, %e1"); +-#line 317 "rl78-decode.opc" ++#line 319 "rl78-decode.opc" + ID(and); DCY(); SM(HL, 0); SB(bit); + + } +@@ -3932,7 +3934,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xf6: + { + /** 0111 0001 1bit 0110 or1 cy, %e1 */ +-#line 972 "rl78-decode.opc" ++#line 974 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3942,7 +3944,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("or1 cy, %e1"); +-#line 972 "rl78-decode.opc" ++#line 974 "rl78-decode.opc" + ID(or); DCY(); SM(HL, 0); SB(bit); + + } +@@ -3957,7 +3959,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xf7: + { + /** 0111 0001 1bit 0111 xor1 cy, %e1 */ +-#line 1276 "rl78-decode.opc" ++#line 1278 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -3967,7 +3969,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("xor1 cy, %e1"); +-#line 1276 "rl78-decode.opc" ++#line 1278 "rl78-decode.opc" + ID(xor); DCY(); SM(HL, 0); SB(bit); + + } +@@ -3982,7 +3984,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("clr1 cy"); +-#line 447 "rl78-decode.opc" ++#line 449 "rl78-decode.opc" + ID(mov); DCY(); SC(0); + + } +@@ -3997,7 +3999,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xf9: + { + /** 0111 0001 1bit 1001 mov1 %e0, cy */ +-#line 788 "rl78-decode.opc" ++#line 790 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4007,7 +4009,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 %e0, cy"); +-#line 788 "rl78-decode.opc" ++#line 790 "rl78-decode.opc" + ID(mov); DR(A); DB(bit); SCY(); + + } +@@ -4022,7 +4024,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xfa: + { + /** 0111 0001 1bit 1010 set1 %0 */ +-#line 1052 "rl78-decode.opc" ++#line 1054 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4032,7 +4034,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("set1 %0"); +-#line 1052 "rl78-decode.opc" ++#line 1054 "rl78-decode.opc" + ID(mov); DR(A); DB(bit); SC(1); + + } +@@ -4047,7 +4049,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xfb: + { + /** 0111 0001 1bit 1011 clr1 %0 */ +-#line 444 "rl78-decode.opc" ++#line 446 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4057,7 +4059,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("clr1 %0"); +-#line 444 "rl78-decode.opc" ++#line 446 "rl78-decode.opc" + ID(mov); DR(A); DB(bit); SC(0); + + } +@@ -4072,7 +4074,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xfc: + { + /** 0111 0001 1bit 1100 mov1 cy, %e1 */ +-#line 794 "rl78-decode.opc" ++#line 796 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4082,7 +4084,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("mov1 cy, %e1"); +-#line 794 "rl78-decode.opc" ++#line 796 "rl78-decode.opc" + ID(mov); DCY(); SR(A); SB(bit); + + } +@@ -4097,7 +4099,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xfd: + { + /** 0111 0001 1bit 1101 and1 cy, %1 */ +-#line 320 "rl78-decode.opc" ++#line 322 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4107,7 +4109,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("and1 cy, %1"); +-#line 320 "rl78-decode.opc" ++#line 322 "rl78-decode.opc" + ID(and); DCY(); SR(A); SB(bit); + + } +@@ -4122,7 +4124,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xfe: + { + /** 0111 0001 1bit 1110 or1 cy, %1 */ +-#line 975 "rl78-decode.opc" ++#line 977 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4132,7 +4134,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("or1 cy, %1"); +-#line 975 "rl78-decode.opc" ++#line 977 "rl78-decode.opc" + ID(or); DCY(); SR(A); SB(bit); + + } +@@ -4147,7 +4149,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xff: + { + /** 0111 0001 1bit 1111 xor1 cy, %1 */ +-#line 1279 "rl78-decode.opc" ++#line 1281 "rl78-decode.opc" + int bit AU = (op[1] >> 4) & 0x07; + if (trace) + { +@@ -4157,7 +4159,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" bit = 0x%x\n", bit); + } + SYNTAX("xor1 cy, %1"); +-#line 1279 "rl78-decode.opc" ++#line 1281 "rl78-decode.opc" + ID(xor); DCY(); SR(A); SB(bit); + + } +@@ -4172,7 +4174,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0], op[1]); + } + SYNTAX("not1 cy"); +-#line 916 "rl78-decode.opc" ++#line 918 "rl78-decode.opc" + ID(xor); DCY(); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -4192,7 +4194,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %e0, %1"); +-#line 877 "rl78-decode.opc" ++#line 879 "rl78-decode.opc" + ID(mov); W(); DM(BC, IMMU(2)); SR(AX); + + } +@@ -4207,7 +4209,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %e1"); +-#line 868 "rl78-decode.opc" ++#line 870 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(BC, IMMU(2)); + + } +@@ -4222,7 +4224,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("xor %0, #%1"); +-#line 1271 "rl78-decode.opc" ++#line 1273 "rl78-decode.opc" + ID(xor); DM(None, SADDR); SC(IMMU(1)); Fz; + + /*----------------------------------------------------------------------*/ +@@ -4239,7 +4241,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("xor %0, %1"); +-#line 1268 "rl78-decode.opc" ++#line 1270 "rl78-decode.opc" + ID(xor); DR(A); SM(None, SADDR); Fz; + + } +@@ -4254,7 +4256,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("xor %0, #%1"); +-#line 1259 "rl78-decode.opc" ++#line 1261 "rl78-decode.opc" + ID(xor); DR(A); SC(IMMU(1)); Fz; + + } +@@ -4269,7 +4271,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("xor %0, %e1"); +-#line 1247 "rl78-decode.opc" ++#line 1249 "rl78-decode.opc" + ID(xor); DR(A); SM(HL, 0); Fz; + + } +@@ -4284,7 +4286,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("xor %0, %ea1"); +-#line 1253 "rl78-decode.opc" ++#line 1255 "rl78-decode.opc" + ID(xor); DR(A); SM(HL, IMMU(1)); Fz; + + } +@@ -4299,7 +4301,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("xor %0, %e!1"); +-#line 1244 "rl78-decode.opc" ++#line 1246 "rl78-decode.opc" + ID(xor); DR(A); SM(None, IMMU(2)); Fz; + + } +@@ -4314,7 +4316,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x87: + { + /** 1000 0reg inc %0 */ +-#line 587 "rl78-decode.opc" ++#line 589 "rl78-decode.opc" + int reg AU = op[0] & 0x07; + if (trace) + { +@@ -4324,7 +4326,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("inc %0"); +-#line 587 "rl78-decode.opc" ++#line 589 "rl78-decode.opc" + ID(add); DRB(reg); SC(1); Fza; + + } +@@ -4339,7 +4341,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %ea1"); +-#line 666 "rl78-decode.opc" ++#line 668 "rl78-decode.opc" + ID(mov); DR(A); SM(SP, IMMU(1)); + + } +@@ -4354,7 +4356,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %e1"); +-#line 648 "rl78-decode.opc" ++#line 650 "rl78-decode.opc" + ID(mov); DR(A); SM(DE, 0); + + } +@@ -4369,7 +4371,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %ea1"); +-#line 651 "rl78-decode.opc" ++#line 653 "rl78-decode.opc" + ID(mov); DR(A); SM(DE, IMMU(1)); + + } +@@ -4384,7 +4386,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %e1"); +-#line 654 "rl78-decode.opc" ++#line 656 "rl78-decode.opc" + ID(mov); DR(A); SM(HL, 0); + + } +@@ -4399,7 +4401,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %ea1"); +-#line 657 "rl78-decode.opc" ++#line 659 "rl78-decode.opc" + ID(mov); DR(A); SM(HL, IMMU(1)); + + } +@@ -4414,7 +4416,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %1"); +-#line 690 "rl78-decode.opc" ++#line 692 "rl78-decode.opc" + ID(mov); DR(A); SM(None, SADDR); + + } +@@ -4429,7 +4431,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %s1"); +-#line 687 "rl78-decode.opc" ++#line 689 "rl78-decode.opc" + ID(mov); DR(A); SM(None, SFR); + + } +@@ -4444,7 +4446,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %e!1"); +-#line 645 "rl78-decode.opc" ++#line 647 "rl78-decode.opc" + ID(mov); DR(A); SM(None, IMMU(2)); + + } +@@ -4459,7 +4461,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0x97: + { + /** 1001 0reg dec %0 */ +-#line 554 "rl78-decode.opc" ++#line 556 "rl78-decode.opc" + int reg AU = op[0] & 0x07; + if (trace) + { +@@ -4469,7 +4471,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" reg = 0x%x\n", reg); + } + SYNTAX("dec %0"); +-#line 554 "rl78-decode.opc" ++#line 556 "rl78-decode.opc" + ID(sub); DRB(reg); SC(1); Fza; + + } +@@ -4484,7 +4486,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %a0, %1"); +-#line 642 "rl78-decode.opc" ++#line 644 "rl78-decode.opc" + ID(mov); DM(SP, IMMU(1)); SR(A); + + } +@@ -4499,7 +4501,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %e0, %1"); +-#line 615 "rl78-decode.opc" ++#line 617 "rl78-decode.opc" + ID(mov); DM(DE, 0); SR(A); + + } +@@ -4514,7 +4516,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %ea0, %1"); +-#line 621 "rl78-decode.opc" ++#line 623 "rl78-decode.opc" + ID(mov); DM(DE, IMMU(1)); SR(A); + + } +@@ -4529,7 +4531,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %e0, %1"); +-#line 624 "rl78-decode.opc" ++#line 626 "rl78-decode.opc" + ID(mov); DM(HL, 0); SR(A); + + } +@@ -4544,7 +4546,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %ea0, %1"); +-#line 633 "rl78-decode.opc" ++#line 635 "rl78-decode.opc" + ID(mov); DM(HL, IMMU(1)); SR(A); + + } +@@ -4559,7 +4561,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %1"); +-#line 747 "rl78-decode.opc" ++#line 749 "rl78-decode.opc" + ID(mov); DM(None, SADDR); SR(A); + + } +@@ -4574,7 +4576,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %s0, %1"); +-#line 780 "rl78-decode.opc" ++#line 782 "rl78-decode.opc" + ID(mov); DM(None, SFR); SR(A); + + /*----------------------------------------------------------------------*/ +@@ -4591,7 +4593,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %e!0, %1"); +-#line 612 "rl78-decode.opc" ++#line 614 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); SR(A); + + } +@@ -4606,7 +4608,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("inc %e!0"); +-#line 581 "rl78-decode.opc" ++#line 583 "rl78-decode.opc" + ID(add); DM(None, IMMU(2)); SC(1); Fza; + + } +@@ -4617,7 +4619,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xa7: + { + /** 1010 0rg1 incw %0 */ +-#line 601 "rl78-decode.opc" ++#line 603 "rl78-decode.opc" + int rg AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -4627,7 +4629,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rg = 0x%x\n", rg); + } + SYNTAX("incw %0"); +-#line 601 "rl78-decode.opc" ++#line 603 "rl78-decode.opc" + ID(add); W(); DRW(rg); SC(1); + + } +@@ -4642,7 +4644,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("incw %e!0"); +-#line 595 "rl78-decode.opc" ++#line 597 "rl78-decode.opc" + ID(add); W(); DM(None, IMMU(2)); SC(1); + + } +@@ -4657,7 +4659,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("inc %0"); +-#line 590 "rl78-decode.opc" ++#line 592 "rl78-decode.opc" + ID(add); DM(None, SADDR); SC(1); Fza; + + /*----------------------------------------------------------------------*/ +@@ -4674,7 +4676,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("incw %0"); +-#line 604 "rl78-decode.opc" ++#line 606 "rl78-decode.opc" + ID(add); W(); DM(None, SADDR); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -4691,7 +4693,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %a1"); +-#line 850 "rl78-decode.opc" ++#line 852 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(SP, IMMU(1)); + + } +@@ -4706,7 +4708,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %e1"); +-#line 838 "rl78-decode.opc" ++#line 840 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(DE, 0); + + } +@@ -4721,7 +4723,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %ea1"); +-#line 841 "rl78-decode.opc" ++#line 843 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(DE, IMMU(1)); + + } +@@ -4736,7 +4738,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %e1"); +-#line 844 "rl78-decode.opc" ++#line 846 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(HL, 0); + + } +@@ -4751,7 +4753,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %ea1"); +-#line 847 "rl78-decode.opc" ++#line 849 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(HL, IMMU(1)); + + } +@@ -4766,7 +4768,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %1"); +-#line 880 "rl78-decode.opc" ++#line 882 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(None, SADDR); + + } +@@ -4781,7 +4783,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %s1"); +-#line 883 "rl78-decode.opc" ++#line 885 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(None, SFR); + + } +@@ -4796,7 +4798,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %e!1"); +-#line 834 "rl78-decode.opc" ++#line 836 "rl78-decode.opc" + ID(mov); W(); DR(AX); SM(None, IMMU(2)); + + +@@ -4812,7 +4814,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("dec %e!0"); +-#line 548 "rl78-decode.opc" ++#line 550 "rl78-decode.opc" + ID(sub); DM(None, IMMU(2)); SC(1); Fza; + + } +@@ -4823,7 +4825,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xb7: + { + /** 1011 0rg1 decw %0 */ +-#line 568 "rl78-decode.opc" ++#line 570 "rl78-decode.opc" + int rg AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -4833,7 +4835,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rg = 0x%x\n", rg); + } + SYNTAX("decw %0"); +-#line 568 "rl78-decode.opc" ++#line 570 "rl78-decode.opc" + ID(sub); W(); DRW(rg); SC(1); + + } +@@ -4848,7 +4850,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("decw %e!0"); +-#line 562 "rl78-decode.opc" ++#line 564 "rl78-decode.opc" + ID(sub); W(); DM(None, IMMU(2)); SC(1); + + } +@@ -4863,7 +4865,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("dec %0"); +-#line 557 "rl78-decode.opc" ++#line 559 "rl78-decode.opc" + ID(sub); DM(None, SADDR); SC(1); Fza; + + /*----------------------------------------------------------------------*/ +@@ -4880,7 +4882,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("decw %0"); +-#line 571 "rl78-decode.opc" ++#line 573 "rl78-decode.opc" + ID(sub); W(); DM(None, SADDR); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -4897,7 +4899,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %a0, %1"); +-#line 831 "rl78-decode.opc" ++#line 833 "rl78-decode.opc" + ID(mov); W(); DM(SP, IMMU(1)); SR(AX); + + } +@@ -4912,7 +4914,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %e0, %1"); +-#line 819 "rl78-decode.opc" ++#line 821 "rl78-decode.opc" + ID(mov); W(); DM(DE, 0); SR(AX); + + } +@@ -4927,7 +4929,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %ea0, %1"); +-#line 822 "rl78-decode.opc" ++#line 824 "rl78-decode.opc" + ID(mov); W(); DM(DE, IMMU(1)); SR(AX); + + } +@@ -4942,7 +4944,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %e0, %1"); +-#line 825 "rl78-decode.opc" ++#line 827 "rl78-decode.opc" + ID(mov); W(); DM(HL, 0); SR(AX); + + } +@@ -4957,7 +4959,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %ea0, %1"); +-#line 828 "rl78-decode.opc" ++#line 830 "rl78-decode.opc" + ID(mov); W(); DM(HL, IMMU(1)); SR(AX); + + } +@@ -4972,7 +4974,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, %1"); +-#line 895 "rl78-decode.opc" ++#line 897 "rl78-decode.opc" + ID(mov); W(); DM(None, SADDR); SR(AX); + + } +@@ -4987,7 +4989,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %s0, %1"); +-#line 901 "rl78-decode.opc" ++#line 903 "rl78-decode.opc" + ID(mov); W(); DM(None, SFR); SR(AX); + + /*----------------------------------------------------------------------*/ +@@ -5004,7 +5006,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %e!0, %1"); +-#line 816 "rl78-decode.opc" ++#line 818 "rl78-decode.opc" + ID(mov); W(); DM(None, IMMU(2)); SR(AX); + + } +@@ -5015,7 +5017,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xc6: + { + /** 1100 0rg0 pop %0 */ +-#line 986 "rl78-decode.opc" ++#line 988 "rl78-decode.opc" + int rg AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -5025,7 +5027,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rg = 0x%x\n", rg); + } + SYNTAX("pop %0"); +-#line 986 "rl78-decode.opc" ++#line 988 "rl78-decode.opc" + ID(mov); W(); DRW(rg); SPOP(); + + } +@@ -5036,7 +5038,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xc7: + { + /** 1100 0rg1 push %1 */ +-#line 994 "rl78-decode.opc" ++#line 996 "rl78-decode.opc" + int rg AU = (op[0] >> 1) & 0x03; + if (trace) + { +@@ -5046,7 +5048,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rg = 0x%x\n", rg); + } + SYNTAX("push %1"); +-#line 994 "rl78-decode.opc" ++#line 996 "rl78-decode.opc" + ID(mov); W(); DPUSH(); SRW(rg); + + } +@@ -5061,7 +5063,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %a0, #%1"); +-#line 639 "rl78-decode.opc" ++#line 641 "rl78-decode.opc" + ID(mov); DM(SP, IMMU(1)); SC(IMMU(1)); + + } +@@ -5076,7 +5078,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %0, #%1"); +-#line 892 "rl78-decode.opc" ++#line 894 "rl78-decode.opc" + ID(mov); W(); DM(None, SADDR); SC(IMMU(2)); + + } +@@ -5091,7 +5093,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %ea0, #%1"); +-#line 618 "rl78-decode.opc" ++#line 620 "rl78-decode.opc" + ID(mov); DM(DE, IMMU(1)); SC(IMMU(1)); + + } +@@ -5106,7 +5108,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("movw %s0, #%1"); +-#line 898 "rl78-decode.opc" ++#line 900 "rl78-decode.opc" + ID(mov); W(); DM(None, SFR); SC(IMMU(2)); + + } +@@ -5121,7 +5123,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %ea0, #%1"); +-#line 630 "rl78-decode.opc" ++#line 632 "rl78-decode.opc" + ID(mov); DM(HL, IMMU(1)); SC(IMMU(1)); + + } +@@ -5136,7 +5138,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, #%1"); +-#line 744 "rl78-decode.opc" ++#line 746 "rl78-decode.opc" + ID(mov); DM(None, SADDR); SC(IMMU(1)); + + } +@@ -5151,7 +5153,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %s0, #%1"); +-#line 750 "rl78-decode.opc" ++#line 752 "rl78-decode.opc" + op0 = SFR; + op1 = IMMU(1); + ID(mov); DM(None, op0); SC(op1); +@@ -5193,7 +5195,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %e!0, #%1"); +-#line 609 "rl78-decode.opc" ++#line 611 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); SC(IMMU(1)); + + } +@@ -5204,7 +5206,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xd3: + { + /** 1101 00rg cmp0 %0 */ +-#line 518 "rl78-decode.opc" ++#line 520 "rl78-decode.opc" + int rg AU = op[0] & 0x03; + if (trace) + { +@@ -5214,7 +5216,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rg = 0x%x\n", rg); + } + SYNTAX("cmp0 %0"); +-#line 518 "rl78-decode.opc" ++#line 520 "rl78-decode.opc" + ID(cmp); DRB(rg); SC(0); Fzac; + + } +@@ -5229,7 +5231,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmp0 %0"); +-#line 521 "rl78-decode.opc" ++#line 523 "rl78-decode.opc" + ID(cmp); DM(None, SADDR); SC(0); Fzac; + + /*----------------------------------------------------------------------*/ +@@ -5246,7 +5248,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("cmp0 %e!0"); +-#line 515 "rl78-decode.opc" ++#line 517 "rl78-decode.opc" + ID(cmp); DM(None, IMMU(2)); SC(0); Fzac; + + } +@@ -5261,7 +5263,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mulu x"); +-#line 906 "rl78-decode.opc" ++#line 908 "rl78-decode.opc" + ID(mulu); + + /*----------------------------------------------------------------------*/ +@@ -5278,7 +5280,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("ret"); +-#line 1002 "rl78-decode.opc" ++#line 1004 "rl78-decode.opc" + ID(ret); + + } +@@ -5293,7 +5295,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %1"); +-#line 711 "rl78-decode.opc" ++#line 713 "rl78-decode.opc" + ID(mov); DR(X); SM(None, SADDR); + + } +@@ -5308,7 +5310,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %e!1"); +-#line 708 "rl78-decode.opc" ++#line 710 "rl78-decode.opc" + ID(mov); DR(X); SM(None, IMMU(2)); + + } +@@ -5318,7 +5320,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xfa: + { + /** 11ra 1010 movw %0, %1 */ +-#line 889 "rl78-decode.opc" ++#line 891 "rl78-decode.opc" + int ra AU = (op[0] >> 4) & 0x03; + if (trace) + { +@@ -5328,7 +5330,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" ra = 0x%x\n", ra); + } + SYNTAX("movw %0, %1"); +-#line 889 "rl78-decode.opc" ++#line 891 "rl78-decode.opc" + ID(mov); W(); DRW(ra); SM(None, SADDR); + + } +@@ -5338,7 +5340,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xfb: + { + /** 11ra 1011 movw %0, %es!1 */ +-#line 886 "rl78-decode.opc" ++#line 888 "rl78-decode.opc" + int ra AU = (op[0] >> 4) & 0x03; + if (trace) + { +@@ -5348,7 +5350,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" ra = 0x%x\n", ra); + } + SYNTAX("movw %0, %es!1"); +-#line 886 "rl78-decode.opc" ++#line 888 "rl78-decode.opc" + ID(mov); W(); DRW(ra); SM(None, IMMU(2)); + + } +@@ -5363,7 +5365,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("bc $%a0"); +-#line 334 "rl78-decode.opc" ++#line 336 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(C); + + } +@@ -5378,7 +5380,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("bz $%a0"); +-#line 346 "rl78-decode.opc" ++#line 348 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(Z); + + } +@@ -5393,7 +5395,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("bnc $%a0"); +-#line 337 "rl78-decode.opc" ++#line 339 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(NC); + + } +@@ -5408,7 +5410,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("bnz $%a0"); +-#line 349 "rl78-decode.opc" ++#line 351 "rl78-decode.opc" + ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(NZ); + + /*----------------------------------------------------------------------*/ +@@ -5421,7 +5423,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xe3: + { + /** 1110 00rg oneb %0 */ +-#line 924 "rl78-decode.opc" ++#line 926 "rl78-decode.opc" + int rg AU = op[0] & 0x03; + if (trace) + { +@@ -5431,7 +5433,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rg = 0x%x\n", rg); + } + SYNTAX("oneb %0"); +-#line 924 "rl78-decode.opc" ++#line 926 "rl78-decode.opc" + ID(mov); DRB(rg); SC(1); + + } +@@ -5446,7 +5448,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("oneb %0"); +-#line 927 "rl78-decode.opc" ++#line 929 "rl78-decode.opc" + ID(mov); DM(None, SADDR); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -5463,7 +5465,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("oneb %e!0"); +-#line 921 "rl78-decode.opc" ++#line 923 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); SC(1); + + } +@@ -5478,7 +5480,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("onew %0"); +-#line 932 "rl78-decode.opc" ++#line 934 "rl78-decode.opc" + ID(mov); DR(AX); SC(1); + + } +@@ -5493,7 +5495,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("onew %0"); +-#line 935 "rl78-decode.opc" ++#line 937 "rl78-decode.opc" + ID(mov); DR(BC); SC(1); + + /*----------------------------------------------------------------------*/ +@@ -5510,7 +5512,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %1"); +-#line 699 "rl78-decode.opc" ++#line 701 "rl78-decode.opc" + ID(mov); DR(B); SM(None, SADDR); + + } +@@ -5525,7 +5527,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %e!1"); +-#line 693 "rl78-decode.opc" ++#line 695 "rl78-decode.opc" + ID(mov); DR(B); SM(None, IMMU(2)); + + } +@@ -5540,7 +5542,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("br !%!a0"); +-#line 368 "rl78-decode.opc" ++#line 370 "rl78-decode.opc" + ID(branch); DC(IMMU(3)); + + } +@@ -5555,7 +5557,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("br %!a0"); +-#line 371 "rl78-decode.opc" ++#line 373 "rl78-decode.opc" + ID(branch); DC(IMMU(2)); + + } +@@ -5570,7 +5572,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("br $%!a0"); +-#line 374 "rl78-decode.opc" ++#line 376 "rl78-decode.opc" + ID(branch); DC(pc+IMMS(2)+3); + + } +@@ -5585,7 +5587,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("br $%a0"); +-#line 377 "rl78-decode.opc" ++#line 379 "rl78-decode.opc" + ID(branch); DC(pc+IMMS(1)+2); + + } +@@ -5596,7 +5598,7 @@ rl78_decode_opcode (unsigned long pc AU, + case 0xf3: + { + /** 1111 00rg clrb %0 */ +-#line 464 "rl78-decode.opc" ++#line 466 "rl78-decode.opc" + int rg AU = op[0] & 0x03; + if (trace) + { +@@ -5606,7 +5608,7 @@ rl78_decode_opcode (unsigned long pc AU, + printf (" rg = 0x%x\n", rg); + } + SYNTAX("clrb %0"); +-#line 464 "rl78-decode.opc" ++#line 466 "rl78-decode.opc" + ID(mov); DRB(rg); SC(0); + + } +@@ -5621,7 +5623,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("clrb %0"); +-#line 467 "rl78-decode.opc" ++#line 469 "rl78-decode.opc" + ID(mov); DM(None, SADDR); SC(0); + + /*----------------------------------------------------------------------*/ +@@ -5638,7 +5640,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("clrb %e!0"); +-#line 461 "rl78-decode.opc" ++#line 463 "rl78-decode.opc" + ID(mov); DM(None, IMMU(2)); SC(0); + + } +@@ -5653,7 +5655,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("clrw %0"); +-#line 472 "rl78-decode.opc" ++#line 474 "rl78-decode.opc" + ID(mov); DR(AX); SC(0); + + } +@@ -5668,7 +5670,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("clrw %0"); +-#line 475 "rl78-decode.opc" ++#line 477 "rl78-decode.opc" + ID(mov); DR(BC); SC(0); + + /*----------------------------------------------------------------------*/ +@@ -5685,7 +5687,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %1"); +-#line 705 "rl78-decode.opc" ++#line 707 "rl78-decode.opc" + ID(mov); DR(C); SM(None, SADDR); + + } +@@ -5700,7 +5702,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("mov %0, %e!1"); +-#line 702 "rl78-decode.opc" ++#line 704 "rl78-decode.opc" + ID(mov); DR(C); SM(None, IMMU(2)); + + } +@@ -5715,7 +5717,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("call !%!a0"); +-#line 421 "rl78-decode.opc" ++#line 423 "rl78-decode.opc" + ID(call); DC(IMMU(3)); + + } +@@ -5730,7 +5732,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("call %!a0"); +-#line 424 "rl78-decode.opc" ++#line 426 "rl78-decode.opc" + ID(call); DC(IMMU(2)); + + } +@@ -5745,7 +5747,7 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("call $%!a0"); +-#line 427 "rl78-decode.opc" ++#line 429 "rl78-decode.opc" + ID(call); DC(pc+IMMS(2)+3); + + } +@@ -5760,13 +5762,13 @@ rl78_decode_opcode (unsigned long pc AU, + op[0]); + } + SYNTAX("brk1"); +-#line 385 "rl78-decode.opc" ++#line 387 "rl78-decode.opc" + ID(break); + + } + break; + } +-#line 1290 "rl78-decode.opc" ++#line 1292 "rl78-decode.opc" + + return rl78->n_bytes; + } +diff --git a/opcodes/rl78-decode.opc b/opcodes/rl78-decode.opc +index 6212f08..b25e441 100644 +--- a/opcodes/rl78-decode.opc ++++ b/opcodes/rl78-decode.opc +@@ -50,7 +50,9 @@ typedef struct + #define W() rl78->size = RL78_Word + + #define AU ATTRIBUTE_UNUSED +-#define GETBYTE() (ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr)) ++ ++#define OP_BUF_LEN 20 ++#define GETBYTE() (ld->rl78->n_bytes < (OP_BUF_LEN - 1) ? ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr): 0) + #define B ((unsigned long) GETBYTE()) + + #define SYNTAX(x) rl78->syntax = x +@@ -168,7 +170,7 @@ rl78_decode_opcode (unsigned long pc AU, + RL78_Dis_Isa isa) + { + LocalData lds, * ld = &lds; +- unsigned char op_buf[20] = {0}; ++ unsigned char op_buf[OP_BUF_LEN] = {0}; + unsigned char *op = op_buf; + int op0, op1; + +-- +2.7.4 + diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch new file mode 100644 index 0000000000..f63a993b29 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch @@ -0,0 +1,208 @@ +From c53d2e6d744da000aaafe0237bced090aab62818 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 14 Jun 2017 11:27:15 +0100 +Subject: [PATCH] Fix potential address violations when processing a corrupt + Alpha VMA binary. + + PR binutils/21589 + * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the + maximum value for the ascic pointer. Check that name processing + does not read beyond this value. + (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the + end of etir record. + +Upstream-Status: Backport +CVE: CVE-2017-9752 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 9 +++++++++ + bfd/vms-alpha.c | 51 +++++++++++++++++++++++++++++++++++++++++---------- + 2 files changed, 50 insertions(+), 10 deletions(-) + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -9,6 +9,15 @@ + + 2017-06-14 Nick Clifton <nickc@redhat.com> + ++ PR binutils/21589 ++ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the ++ maximum value for the ascic pointer. Check that name processing ++ does not read beyond this value. ++ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the ++ end of etir record. ++ ++2017-06-14 Nick Clifton <nickc@redhat.com> ++ + PR binutils/21578 + * elf32-sh.c (sh_elf_set_mach_from_flags): Fix check for invalid + flag value. +Index: git/bfd/vms-alpha.c +=================================================================== +--- git.orig/bfd/vms-alpha.c ++++ git/bfd/vms-alpha.c +@@ -1456,7 +1456,7 @@ dst_retrieve_location (bfd *abfd, unsign + /* Write multiple bytes to section image. */ + + static bfd_boolean +-image_write (bfd *abfd, unsigned char *ptr, int size) ++image_write (bfd *abfd, unsigned char *ptr, unsigned int size) + { + #if VMS_DEBUG + _bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size, +@@ -1603,14 +1603,16 @@ _bfd_vms_etir_name (int cmd) + #define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L) + + static void +-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic, ++_bfd_vms_get_value (bfd *abfd, ++ const unsigned char *ascic, ++ const unsigned char *max_ascic, + struct bfd_link_info *info, + bfd_vma *vma, + struct alpha_vms_link_hash_entry **hp) + { + char name[257]; +- int len; +- int i; ++ unsigned int len; ++ unsigned int i; + struct alpha_vms_link_hash_entry *h; + + /* Not linking. Do not try to resolve the symbol. */ +@@ -1622,6 +1624,14 @@ _bfd_vms_get_value (bfd *abfd, const uns + } + + len = *ascic; ++ if (ascic + len >= max_ascic) ++ { ++ _bfd_error_handler (_("Corrupt vms value")); ++ *vma = 0; ++ *hp = NULL; ++ return; ++ } ++ + for (i = 0; i < len; i++) + name[i] = ascic[i + 1]; + name[i] = 0; +@@ -1741,6 +1751,15 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + _bfd_hexdump (8, ptr, cmd_length - 4, 0); + #endif + ++ /* PR 21589: Check for a corrupt ETIR record. */ ++ if (cmd_length < 4) ++ { ++ corrupt_etir: ++ _bfd_error_handler (_("Corrupt ETIR record encountered")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ + switch (cmd) + { + /* Stack global +@@ -1748,7 +1767,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + + stack 32 bit value of symbol (high bits set to 0). */ + case ETIR__C_STA_GBL: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + _bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h)); + break; + +@@ -1757,6 +1776,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + + stack 32 bit value, sign extend to 64 bit. */ + case ETIR__C_STA_LW: ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + _bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE); + break; + +@@ -1765,6 +1786,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + + stack 64 bit value of symbol. */ + case ETIR__C_STA_QW: ++ if (ptr + 8 >= maxptr) ++ goto corrupt_etir; + _bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE); + break; + +@@ -1778,6 +1801,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + { + int psect; + ++ if (ptr + 12 >= maxptr) ++ goto corrupt_etir; + psect = bfd_getl32 (ptr); + if ((unsigned int) psect >= PRIV (section_count)) + { +@@ -1867,6 +1892,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + { + int size; + ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + size = bfd_getl32 (ptr); + _bfd_vms_pop (abfd, &op1, &rel1); + if (rel1 != RELC_NONE) +@@ -1879,7 +1906,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + /* Store global: write symbol value + arg: cs global symbol name. */ + case ETIR__C_STO_GBL: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + if (h && h->sym) + { + if (h->sym->typ == EGSD__C_SYMG) +@@ -1901,7 +1928,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + /* Store code address: write address of entry point + arg: cs global symbol name (procedure). */ + case ETIR__C_STO_CA: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + if (h && h->sym) + { + if (h->sym->flags & EGSY__V_NORM) +@@ -1946,8 +1973,10 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + da data. */ + case ETIR__C_STO_IMM: + { +- int size; ++ unsigned int size; + ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + size = bfd_getl32 (ptr); + image_write (abfd, ptr + 4, size); + } +@@ -1960,7 +1989,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + store global longword: store 32bit value of symbol + arg: cs symbol name. */ + case ETIR__C_STO_GBL_LW: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + #if 0 + abort (); + #endif +@@ -2013,7 +2042,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + da signature. */ + + case ETIR__C_STC_LP_PSB: +- _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h); + if (h && h->sym) + { + if (h->sym->typ == EGSD__C_SYMG) +@@ -2109,6 +2138,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b + /* Augment relocation base: increment image location counter by offset + arg: lw offset value. */ + case ETIR__C_CTL_AUGRB: ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + op1 = bfd_getl32 (ptr); + image_inc_ptr (abfd, op1); + break; diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch new file mode 100644 index 0000000000..241142b570 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch @@ -0,0 +1,79 @@ +From 04f963fd489cae724a60140e13984415c205f4ac Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 14 Jun 2017 10:35:16 +0100 +Subject: [PATCH] Fix seg-faults in objdump when disassembling a corrupt + versados binary. + + PR binutils/21591 + * versados.c (versados_mkobject): Zero the allocated tdata structure. + (process_otr): Check for an invalid offset in the otr structure. + +Upstream-Status: Backport +CVE: CVE-2017-9753 +CVE: CVE-2017-9754 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/versados.c | 12 ++++++++---- + 2 files changed, 14 insertions(+), 4 deletions(-) + +Index: git/bfd/versados.c +=================================================================== +--- git.orig/bfd/versados.c ++++ git/bfd/versados.c +@@ -149,7 +149,7 @@ versados_mkobject (bfd *abfd) + if (abfd->tdata.versados_data == NULL) + { + bfd_size_type amt = sizeof (tdata_type); +- tdata_type *tdata = bfd_alloc (abfd, amt); ++ tdata_type *tdata = bfd_zalloc (abfd, amt); + + if (tdata == NULL) + return FALSE; +@@ -345,13 +345,13 @@ reloc_howto_type versados_howto_table[] + }; + + static int +-get_offset (int len, unsigned char *ptr) ++get_offset (unsigned int len, unsigned char *ptr) + { + int val = 0; + + if (len) + { +- int i; ++ unsigned int i; + + val = *ptr++; + if (val & 0x80) +@@ -394,9 +394,13 @@ process_otr (bfd *abfd, struct ext_otr * + int flag = *srcp++; + int esdids = (flag >> 5) & 0x7; + int sizeinwords = ((flag >> 3) & 1) ? 2 : 1; +- int offsetlen = flag & 0x7; ++ unsigned int offsetlen = flag & 0x7; + int j; + ++ /* PR 21591: Check for invalid lengths. */ ++ if (srcp + esdids + offsetlen >= endp) ++ return; ++ + if (esdids == 0) + { + /* A zero esdid means the new pc is the offset given. */ +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -8,6 +8,10 @@ + (ieee_archive_p): Likewise. + + 2017-06-14 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21591 ++ * versados.c (versados_mkobject): Zero the allocated tdata structure. ++ (process_otr): Check for an invalid offset in the otr structure. + + PR binutils/21589 + * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755.patch new file mode 100644 index 0000000000..15dc9090d8 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755.patch @@ -0,0 +1,63 @@ +From 0d96e4df4812c3bad77c229dfef47a9bc115ac12 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Thu, 15 Jun 2017 06:40:17 -0700 +Subject: [PATCH] i386-dis: Check valid bnd register + +Since there are only 4 bnd registers, return "(bad)" for register +number > 3. + + PR binutils/21594 + * i386-dis.c (OP_E_register): Check valid bnd register. + (OP_G): Likewise. + +Upstream-Status: Backport +CVE: CVE-2017-9755 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + opcodes/ChangeLog | 6 ++++++ + opcodes/i386-dis.c | 10 ++++++++++ + 2 files changed, 16 insertions(+) + +Index: git/opcodes/ChangeLog +=================================================================== +--- git.orig/opcodes/ChangeLog ++++ git/opcodes/ChangeLog +@@ -1,3 +1,9 @@ ++2017-06-15 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21594 ++ * i386-dis.c (OP_E_register): Check valid bnd register. ++ (OP_G): Likewise. ++ + 2017-06-15 Nick Clifton <nickc@redhat.com> + + PR binutils/21588 +Index: git/opcodes/i386-dis.c +=================================================================== +--- git.orig/opcodes/i386-dis.c ++++ git/opcodes/i386-dis.c +@@ -14939,6 +14939,11 @@ OP_E_register (int bytemode, int sizefla + names = address_mode == mode_64bit ? names64 : names32; + break; + case bnd_mode: ++ if (reg > 0x3) ++ { ++ oappend ("(bad)"); ++ return; ++ } + names = names_bnd; + break; + case indir_v_mode: +@@ -15483,6 +15488,11 @@ OP_G (int bytemode, int sizeflag) + oappend (names64[modrm.reg + add]); + break; + case bnd_mode: ++ if (modrm.reg > 0x3) ++ { ++ oappend ("(bad)"); ++ return; ++ } + oappend (names_bnd[modrm.reg]); + break; + case v_mode: diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9756.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9756.patch new file mode 100644 index 0000000000..191d0be198 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9756.patch @@ -0,0 +1,50 @@ +From cd3ea7c69acc5045eb28f9bf80d923116e15e4f5 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 15 Jun 2017 13:26:54 +0100 +Subject: [PATCH] Prevent address violation problem when disassembling corrupt + aarch64 binary. + + PR binutils/21595 + * aarch64-dis.c (aarch64_ext_ldst_reglist): Check for an out of + range value. + +Upstream-Status: Backport +CVE: CVE-2017-9756 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + opcodes/ChangeLog | 6 ++++++ + opcodes/aarch64-dis.c | 3 +++ + 2 files changed, 9 insertions(+) + +Index: git/opcodes/ChangeLog +=================================================================== +--- git.orig/opcodes/ChangeLog ++++ git/opcodes/ChangeLog +@@ -6,6 +6,12 @@ + + 2017-06-15 Nick Clifton <nickc@redhat.com> + ++ PR binutils/21595 ++ * aarch64-dis.c (aarch64_ext_ldst_reglist): Check for an out of ++ range value. ++ ++2017-06-15 Nick Clifton <nickc@redhat.com> ++ + PR binutils/21588 + * rl78-decode.opc (OP_BUF_LEN): Define. + (GETBYTE): Check for the index exceeding OP_BUF_LEN. +Index: git/opcodes/aarch64-dis.c +=================================================================== +--- git.orig/opcodes/aarch64-dis.c ++++ git/opcodes/aarch64-dis.c +@@ -409,6 +409,9 @@ aarch64_ext_ldst_reglist (const aarch64_ + info->reglist.first_regno = extract_field (FLD_Rt, code, 0); + /* opcode */ + value = extract_field (FLD_opcode, code, 0); ++ /* PR 21595: Check for a bogus value. */ ++ if (value >= ARRAY_SIZE (data)) ++ return 0; + if (expected_num != data[value].num_elements || data[value].is_reserved) + return 0; + info->reglist.num_regs = data[value].num_regs; diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch new file mode 100644 index 0000000000..8a9d7ebd9f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch @@ -0,0 +1,58 @@ +From 04e15b4a9462cb1ae819e878a6009829aab8020b Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 26 Jun 2017 15:46:34 +0100 +Subject: [PATCH] Fix address violation parsing a corrupt texhex format file. + + PR binutils/21670 + * tekhex.c (getvalue): Check for the source pointer exceeding the + end pointer before the first byte is read. + +Upstream-Status: Backport +CVE: CVE_2017-9954 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/tekhex.c | 6 +++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +Index: git/bfd/tekhex.c +=================================================================== +--- git.orig/bfd/tekhex.c ++++ git/bfd/tekhex.c +@@ -273,6 +273,9 @@ getvalue (char **srcp, bfd_vma *valuep, + bfd_vma value = 0; + unsigned int len; + ++ if (src >= endp) ++ return FALSE; ++ + if (!ISHEX (*src)) + return FALSE; + +@@ -514,9 +517,10 @@ pass_over (bfd *abfd, bfd_boolean (*func + /* To the front of the file. */ + if (bfd_seek (abfd, (file_ptr) 0, SEEK_SET) != 0) + return FALSE; ++ + while (! is_eof) + { +- char src[MAXCHUNK]; ++ static char src[MAXCHUNK]; + char type; + + /* Find first '%'. */ +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-06-26 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21670 ++ * tekhex.c (getvalue): Check for the source pointer exceeding the ++ end pointer before the first byte is read. ++ + 2017-06-15 Nick Clifton <nickc@redhat.com> + + PR binutils/21582 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch new file mode 100644 index 0000000000..774670fb0e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch @@ -0,0 +1,168 @@ +From cfd14a500e0485374596234de4db10e88ebc7618 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 26 Jun 2017 15:25:08 +0100 +Subject: [PATCH] Fix address violations when atempting to parse fuzzed + binaries. + + PR binutils/21665 +bfd * opncls.c (get_build_id): Check that the section is beig enough + to contain the whole note. + * compress.c (bfd_get_full_section_contents): Check for and reject + a section whoes size is greater than the size of the entire file. + * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not + contain a notes section. + +binutils* objdump.c (disassemble_section): Skip any section that is bigger + than the entire file. + +Upstream-Status: Backport +CVE: CVE-2017-9955 #1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 10 ++++++++++ + bfd/compress.c | 6 ++++++ + bfd/elf32-v850.c | 4 +++- + bfd/opncls.c | 18 ++++++++++++++++-- + binutils/ChangeLog | 6 ++++++ + binutils/objdump.c | 4 ++-- + 6 files changed, 43 insertions(+), 5 deletions(-) + +Index: git/bfd/compress.c +=================================================================== +--- git.orig/bfd/compress.c ++++ git/bfd/compress.c +@@ -239,6 +239,12 @@ bfd_get_full_section_contents (bfd *abfd + *ptr = NULL; + return TRUE; + } ++ else if (bfd_get_file_size (abfd) > 0 ++ && sz > (bfd_size_type) bfd_get_file_size (abfd)) ++ { ++ *ptr = NULL; ++ return FALSE; ++ } + + switch (sec->compress_status) + { +Index: git/bfd/elf32-v850.c +=================================================================== +--- git.orig/bfd/elf32-v850.c ++++ git/bfd/elf32-v850.c +@@ -2450,7 +2450,9 @@ v850_elf_copy_notes (bfd *ibfd, bfd *obf + BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont)); + + if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL) +- BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont)); ++ /* If the output is being stripped then it is possible for ++ the notes section to disappear. In this case do nothing. */ ++ return; + + /* Copy/overwrite notes from the input to the output. */ + memcpy (ocont, icont, bfd_section_size (obfd, onotes)); +Index: git/bfd/opncls.c +=================================================================== +--- git.orig/bfd/opncls.c ++++ git/bfd/opncls.c +@@ -1776,6 +1776,7 @@ get_build_id (bfd *abfd) + Elf_External_Note *enote; + bfd_byte *contents; + asection *sect; ++ bfd_size_type size; + + BFD_ASSERT (abfd); + +@@ -1790,8 +1791,9 @@ get_build_id (bfd *abfd) + return NULL; + } + ++ size = bfd_get_section_size (sect); + /* FIXME: Should we support smaller build-id notes ? */ +- if (bfd_get_section_size (sect) < 0x24) ++ if (size < 0x24) + { + bfd_set_error (bfd_error_invalid_operation); + return NULL; +@@ -1804,6 +1806,17 @@ get_build_id (bfd *abfd) + return NULL; + } + ++ /* FIXME: Paranoia - allow for compressed build-id sections. ++ Maybe we should complain if this size is different from ++ the one obtained above... */ ++ size = bfd_get_section_size (sect); ++ if (size < sizeof (Elf_External_Note)) ++ { ++ bfd_set_error (bfd_error_invalid_operation); ++ free (contents); ++ return NULL; ++ } ++ + enote = (Elf_External_Note *) contents; + inote.type = H_GET_32 (abfd, enote->type); + inote.namesz = H_GET_32 (abfd, enote->namesz); +@@ -1815,7 +1828,8 @@ get_build_id (bfd *abfd) + if (inote.descsz == 0 + || inote.type != NT_GNU_BUILD_ID + || inote.namesz != 4 /* sizeof "GNU" */ +- || strcmp (inote.namedata, "GNU") != 0) ++ || strncmp (inote.namedata, "GNU", 4) != 0 ++ || size < (12 + BFD_ALIGN (inote.namesz, 4) + inote.descsz)) + { + free (contents); + bfd_set_error (bfd_error_invalid_operation); +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c ++++ git/binutils/objdump.c +@@ -2048,7 +2048,7 @@ disassemble_section (bfd *abfd, asection + return; + + datasize = bfd_get_section_size (section); +- if (datasize == 0) ++ if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd)) + return; + + if (start_address == (bfd_vma) -1 +@@ -2912,7 +2912,7 @@ dump_target_specific (bfd *abfd) + static void + dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED) + { +- bfd_byte *data = 0; ++ bfd_byte *data = NULL; + bfd_size_type datasize; + bfd_vma addr_offset; + bfd_vma start_offset; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,4 +1,14 @@ + 2017-06-26 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21665 ++ * opncls.c (get_build_id): Check that the section is beig enough ++ to contain the whole note. ++ * compress.c (bfd_get_full_section_contents): Check for and reject ++ a section whoes size is greater than the size of the entire file. ++ * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not ++ contain a notes section. ++ ++2017-06-26 Nick Clifton <nickc@redhat.com> + + PR binutils/21670 + * tekhex.c (getvalue): Check for the source pointer exceeding the +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2017-06-26 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21665 ++ * objdump.c (disassemble_section): Skip any section that is bigger ++ than the entire file. ++ + 2017-04-03 Nick Clifton <nickc@redhat.com> + + PR binutils/21345 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch new file mode 100644 index 0000000000..f95295f183 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch @@ -0,0 +1,122 @@ +From 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Mon, 26 Jun 2017 09:24:49 -0700 +Subject: [PATCH] Check file size before getting section contents + +Don't check the section size in bfd_get_full_section_contents since +the size of a decompressed section may be larger than the file size. +Instead, check file size in _bfd_generic_get_section_contents. + + PR binutils/21665 + * compress.c (bfd_get_full_section_contents): Don't check the + file size here. + * libbfd.c (_bfd_generic_get_section_contents): Check for and + reject a section whoes size + offset is greater than the size + of the entire file. + (_bfd_generic_get_section_contents_in_window): Likewise. + +Upstream-Status: Backport +CVE: CVE-2017-9955 #2 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 10 +++++++++- + bfd/compress.c | 8 +------- + bfd/libbfd.c | 17 ++++++++++++++++- + 3 files changed, 26 insertions(+), 9 deletions(-) + +Index: git/bfd/compress.c +=================================================================== +--- git.orig/bfd/compress.c ++++ git/bfd/compress.c +@@ -239,12 +239,6 @@ bfd_get_full_section_contents (bfd *abfd + *ptr = NULL; + return TRUE; + } +- else if (bfd_get_file_size (abfd) > 0 +- && sz > (bfd_size_type) bfd_get_file_size (abfd)) +- { +- *ptr = NULL; +- return FALSE; +- } + + switch (sec->compress_status) + { +@@ -260,7 +254,7 @@ bfd_get_full_section_contents (bfd *abfd + /* xgettext:c-format */ + (_("error: %B(%A) is too large (%#lx bytes)"), + abfd, sec, (long) sz); +- return FALSE; ++ return FALSE; + } + } + +Index: git/bfd/libbfd.c +=================================================================== +--- git.orig/bfd/libbfd.c ++++ git/bfd/libbfd.c +@@ -780,6 +780,7 @@ _bfd_generic_get_section_contents (bfd * + bfd_size_type count) + { + bfd_size_type sz; ++ file_ptr filesz; + if (count == 0) + return TRUE; + +@@ -802,8 +803,15 @@ _bfd_generic_get_section_contents (bfd * + sz = section->rawsize; + else + sz = section->size; ++ filesz = bfd_get_file_size (abfd); ++ if (filesz < 0) ++ { ++ /* This should never happen. */ ++ abort (); ++ } + if (offset + count < count +- || offset + count > sz) ++ || offset + count > sz ++ || (section->filepos + offset + sz) > (bfd_size_type) filesz) + { + bfd_set_error (bfd_error_invalid_operation); + return FALSE; +@@ -826,6 +834,7 @@ _bfd_generic_get_section_contents_in_win + { + #ifdef USE_MMAP + bfd_size_type sz; ++ file_ptr filesz; + + if (count == 0) + return TRUE; +@@ -858,7 +867,13 @@ _bfd_generic_get_section_contents_in_win + sz = section->rawsize; + else + sz = section->size; ++ filesz = bfd_get_file_size (abfd); ++ { ++ /* This should never happen. */ ++ abort (); ++ } + if (offset + count > sz ++ || (section->filepos + offset + sz) > (bfd_size_type) filesz + || ! bfd_get_file_window (abfd, section->filepos + offset, count, w, + TRUE)) + return FALSE; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,13 @@ ++2017-06-26 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21665 ++ * compress.c (bfd_get_full_section_contents): Don't check the ++ file size here. ++ * libbfd.c (_bfd_generic_get_section_contents): Check for and ++ reject a section whoes size + offset is greater than the size ++ of the entire file. ++ (_bfd_generic_get_section_contents_in_window): Likewise. ++ + 2017-06-26 Nick Clifton <nickc@redhat.com> + + PR binutils/21665 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch new file mode 100644 index 0000000000..1b67c4e956 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch @@ -0,0 +1,48 @@ +From 1f473e3d0ad285195934e6a077c7ed32afe66437 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Mon, 26 Jun 2017 15:47:16 -0700 +Subject: [PATCH] Add a missing line to + _bfd_generic_get_section_contents_in_window + + PR binutils/21665 + * libbfd.c (_bfd_generic_get_section_contents_in_window): Add + a missing line. + +Upstream-Status: Backport +CVE: CVE-2017-9955 #3 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/libbfd.c | 1 + + 2 files changed, 7 insertions(+) + +Index: git/bfd/libbfd.c +=================================================================== +--- git.orig/bfd/libbfd.c ++++ git/bfd/libbfd.c +@@ -868,6 +868,7 @@ _bfd_generic_get_section_contents_in_win + else + sz = section->size; + filesz = bfd_get_file_size (abfd); ++ if (filesz < 0) + { + /* This should never happen. */ + abort (); +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,6 +1,12 @@ + 2017-06-26 H.J. Lu <hongjiu.lu@intel.com> + + PR binutils/21665 ++ * libbfd.c (_bfd_generic_get_section_contents_in_window): Add ++ a missing line. ++ ++2017-06-26 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21665 + * compress.c (bfd_get_full_section_contents): Don't check the + file size here. + * libbfd.c (_bfd_generic_get_section_contents): Check for and diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch new file mode 100644 index 0000000000..97d529a789 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch @@ -0,0 +1,51 @@ +From ab27f80c5dceaa23c4ba7f62c0d5d22a5d5dd7a1 Mon Sep 17 00:00:00 2001 +From: Pedro Alves <palves@redhat.com> +Date: Tue, 27 Jun 2017 00:21:25 +0100 +Subject: [PATCH] Fix GDB regressions caused by previous + bfd_get_section_contents changes + +Ref: https://sourceware.org/ml/binutils/2017-06/msg00343.html + +bfd/ChangeLog: +2017-06-26 Pedro Alves <palves@redhat.com> + + PR binutils/21665 + * libbfd.c (_bfd_generic_get_section_contents): Add "count", not + "sz". + +Upstream-Status: Backport +CVE: CVE-2017-9955 #4 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/libbfd.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-06-26 Pedro Alves <palves@redhat.com> ++ ++ PR binutils/21665 ++ * libbfd.c (_bfd_generic_get_section_contents): Add "count", not ++ "sz". ++ + 2017-06-26 H.J. Lu <hongjiu.lu@intel.com> + + PR binutils/21665 +Index: git/bfd/libbfd.c +=================================================================== +--- git.orig/bfd/libbfd.c ++++ git/bfd/libbfd.c +@@ -811,7 +811,7 @@ _bfd_generic_get_section_contents (bfd * + } + if (offset + count < count + || offset + count > sz +- || (section->filepos + offset + sz) > (bfd_size_type) filesz) ++ || (section->filepos + offset + count) > (bfd_size_type) filesz) + { + bfd_set_error (bfd_error_invalid_operation); + return FALSE; diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch new file mode 100644 index 0000000000..da3bd37e87 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch @@ -0,0 +1,89 @@ +From 7211ae501eb0de1044983f2dfb00091a58fbd66c Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 27 Jun 2017 09:45:04 +0930 +Subject: [PATCH] More fixes for bfd_get_section_contents change + + PR binutils/21665 + * libbfd.c (_bfd_generic_get_section_contents): Delete abort. + Use unsigned file pointer type, and remove cast. + * libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise. + Add "count", not "sz". + +Upstream-Status: Backport +CVE: CVE-2017-9955 #5 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 8 ++++++++ + bfd/libbfd.c | 18 ++++-------------- + 2 files changed, 12 insertions(+), 14 deletions(-) + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,11 @@ ++2017-06-27 Alan Modra <amodra@gmail.com> ++ ++ PR binutils/21665 ++ * libbfd.c (_bfd_generic_get_section_contents): Delete abort. ++ Use unsigned file pointer type, and remove cast. ++ * libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise. ++ Add "count", not "sz". ++ + 2017-06-26 Pedro Alves <palves@redhat.com> + + PR binutils/21665 +Index: git/bfd/libbfd.c +=================================================================== +--- git.orig/bfd/libbfd.c ++++ git/bfd/libbfd.c +@@ -780,7 +780,7 @@ _bfd_generic_get_section_contents (bfd * + bfd_size_type count) + { + bfd_size_type sz; +- file_ptr filesz; ++ ufile_ptr filesz; + if (count == 0) + return TRUE; + +@@ -804,14 +804,9 @@ _bfd_generic_get_section_contents (bfd * + else + sz = section->size; + filesz = bfd_get_file_size (abfd); +- if (filesz < 0) +- { +- /* This should never happen. */ +- abort (); +- } + if (offset + count < count + || offset + count > sz +- || (section->filepos + offset + count) > (bfd_size_type) filesz) ++ || section->filepos + offset + count > filesz) + { + bfd_set_error (bfd_error_invalid_operation); + return FALSE; +@@ -834,7 +829,7 @@ _bfd_generic_get_section_contents_in_win + { + #ifdef USE_MMAP + bfd_size_type sz; +- file_ptr filesz; ++ ufile_ptr filesz; + + if (count == 0) + return TRUE; +@@ -868,13 +863,8 @@ _bfd_generic_get_section_contents_in_win + else + sz = section->size; + filesz = bfd_get_file_size (abfd); +- if (filesz < 0) +- { +- /* This should never happen. */ +- abort (); +- } + if (offset + count > sz +- || (section->filepos + offset + sz) > (bfd_size_type) filesz ++ || section->filepos + offset + count > filesz + || ! bfd_get_file_window (abfd, section->filepos + offset, count, w, + TRUE)) + return FALSE; diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch new file mode 100644 index 0000000000..e36429ad5b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch @@ -0,0 +1,56 @@ +From ea9aafc41a764e4e2dbb88a7b031e886b481b99a Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 27 Jun 2017 14:43:49 +0930 +Subject: [PATCH] Warning fix + + PR binutils/21665 + * libbfd.c (_bfd_generic_get_section_contents): Warning fix. + (_bfd_generic_get_section_contents_in_window): Likewise. + +Upstream-Status: Backport +CVE: CVE-2017-9955 #6 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 12 +++++++++--- + bfd/libbfd.c | 4 ++-- + 2 files changed, 11 insertions(+), 5 deletions(-) + +Index: git/bfd/libbfd.c +=================================================================== +--- git.orig/bfd/libbfd.c ++++ git/bfd/libbfd.c +@@ -806,7 +806,7 @@ _bfd_generic_get_section_contents (bfd * + filesz = bfd_get_file_size (abfd); + if (offset + count < count + || offset + count > sz +- || section->filepos + offset + count > filesz) ++ || (ufile_ptr) section->filepos + offset + count > filesz) + { + bfd_set_error (bfd_error_invalid_operation); + return FALSE; +@@ -864,7 +864,7 @@ _bfd_generic_get_section_contents_in_win + sz = section->size; + filesz = bfd_get_file_size (abfd); + if (offset + count > sz +- || section->filepos + offset + count > filesz ++ || (ufile_ptr) section->filepos + offset + count > filesz + || ! bfd_get_file_window (abfd, section->filepos + offset, count, w, + TRUE)) + return FALSE; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,5 +1,11 @@ + 2017-06-27 Alan Modra <amodra@gmail.com> + ++ PR binutils/21665 ++ * libbfd.c (_bfd_generic_get_section_contents): Warning fix. ++ (_bfd_generic_get_section_contents_in_window): Likewise. ++ ++2017-06-27 Alan Modra <amodra@gmail.com> ++ + PR binutils/21665 + * libbfd.c (_bfd_generic_get_section_contents): Delete abort. + Use unsigned file pointer type, and remove cast. diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch new file mode 100644 index 0000000000..2cae63b4fc --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch @@ -0,0 +1,80 @@ +From 60a02042bacf8d25814430080adda61ed086bca6 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Fri, 30 Jun 2017 11:03:37 +0100 +Subject: [PATCH] Fix failures in MMIX linker tests introduced by fix for PR + 21665. + + PR binutils/21665 + * objdump.c (disassemble_section): Move check for an overlarge + section to just before the allocation of memory. Do not check + section size against file size, but instead use an arbitrary 2Gb + limit. Issue a warning message if the section is too big. + +Upstream-Status: Backport +CVE: CVE-2017-9955 #7 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 8 ++++++++ + binutils/objdump.c | 25 ++++++++++++++++++++++++- + 2 files changed, 32 insertions(+), 1 deletion(-) + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c ++++ git/binutils/objdump.c +@@ -2048,7 +2048,7 @@ disassemble_section (bfd *abfd, asection + return; + + datasize = bfd_get_section_size (section); +- if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd)) ++ if (datasize == 0) + return; + + if (start_address == (bfd_vma) -1 +@@ -2112,6 +2112,29 @@ disassemble_section (bfd *abfd, asection + } + rel_ppend = rel_pp + rel_count; + ++ /* PR 21665: Check for overlarge datasizes. ++ Note - we used to check for "datasize > bfd_get_file_size (abfd)" but ++ this fails when using compressed sections or compressed file formats ++ (eg MMO, tekhex). ++ ++ The call to xmalloc below will fail if too much memory is requested, ++ which will catch the problem in the normal use case. But if a memory ++ checker is in use, eg valgrind or sanitize, then an exception will ++ be still generated, so we try to catch the problem first. ++ ++ Unfortunately there is no simple way to determine how much memory can ++ be allocated by calling xmalloc. So instead we use a simple, arbitrary ++ limit of 2Gb. Hopefully this should be enough for most users. If ++ someone does start trying to disassemble sections larger then 2Gb in ++ size they will doubtless complain and we can increase the limit. */ ++#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */ ++ if (datasize > MAX_XMALLOC) ++ { ++ non_fatal (_("Reading section %s failed because it is too big (%#lx)"), ++ section->name, (unsigned long) datasize); ++ return; ++ } ++ + data = (bfd_byte *) xmalloc (datasize); + + bfd_get_section_contents (abfd, section, data, 0, datasize); +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,11 @@ ++2017-06-30 Nick Clifton <nickc@redhat.com> ++ ++ PR binutils/21665 ++ * objdump.c (disassemble_section): Move check for an overlarge ++ section to just before the allocation of memory. Do not check ++ section size against file size, but instead use an arbitrary 2Gb ++ limit. Issue a warning message if the section is too big. ++ + 2017-06-26 Nick Clifton <nickc@redhat.com> + + PR binutils/21665 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch new file mode 100644 index 0000000000..45dd974672 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch @@ -0,0 +1,187 @@ +From bae7501e87ab614115d9d3213b4dd18d96e604db Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 1 Jul 2017 21:58:10 +0930 +Subject: [PATCH] Use bfd_malloc_and_get_section + +It's nicer than xmalloc followed by bfd_get_section_contents, since +xmalloc exits on failure and needs a check that its size_t arg doesn't +lose high bits when converted from bfd_size_type. + + PR binutils/21665 + * objdump.c (strtab): Make var a bfd_byte*. + (disassemble_section): Don't limit malloc size. Instead, use + bfd_malloc_and_get_section. + (read_section_stabs): Use bfd_malloc_and_get_section. Return + bfd_byte*. + (find_stabs_section): Remove now unnecessary cast. + * objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free + contents on error return. + * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section. + +Upstream-Status: Backport +CVE: CVE-2017-9955 #8 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 13 +++++++++++++ + binutils/nlmconv.c | 6 ++---- + binutils/objcopy.c | 5 +++-- + binutils/objdump.c | 44 +++++++------------------------------------- + 4 files changed, 25 insertions(+), 43 deletions(-) + +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,16 @@ ++2017-07-01 Alan Modra <amodra@gmail.com> ++ ++ PR binutils/21665 ++ * objdump.c (strtab): Make var a bfd_byte*. ++ (disassemble_section): Don't limit malloc size. Instead, use ++ bfd_malloc_and_get_section. ++ (read_section_stabs): Use bfd_malloc_and_get_section. Return ++ bfd_byte*. ++ (find_stabs_section): Remove now unnecessary cast. ++ * objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free ++ contents on error return. ++ * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section. ++ + 2017-06-30 Nick Clifton <nickc@redhat.com> + + PR binutils/21665 +Index: git/binutils/nlmconv.c +=================================================================== +--- git.orig/binutils/nlmconv.c ++++ git/binutils/nlmconv.c +@@ -1224,7 +1224,7 @@ copy_sections (bfd *inbfd, asection *ins + const char *inname; + asection *outsec; + bfd_size_type size; +- void *contents; ++ bfd_byte *contents; + long reloc_size; + bfd_byte buf[4]; + bfd_size_type add; +@@ -1240,9 +1240,7 @@ copy_sections (bfd *inbfd, asection *ins + contents = NULL; + else + { +- contents = xmalloc (size); +- if (! bfd_get_section_contents (inbfd, insec, contents, +- (file_ptr) 0, size)) ++ if (!bfd_malloc_and_get_section (inbfd, insec, &contents)) + bfd_fatal (bfd_get_filename (inbfd)); + } + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c ++++ git/binutils/objdump.c +@@ -180,7 +180,7 @@ static long dynsymcount = 0; + static bfd_byte *stabs; + static bfd_size_type stab_size; + +-static char *strtab; ++static bfd_byte *strtab; + static bfd_size_type stabstr_size; + + static bfd_boolean is_relocatable = FALSE; +@@ -2112,29 +2112,6 @@ disassemble_section (bfd *abfd, asection + } + rel_ppend = rel_pp + rel_count; + +- /* PR 21665: Check for overlarge datasizes. +- Note - we used to check for "datasize > bfd_get_file_size (abfd)" but +- this fails when using compressed sections or compressed file formats +- (eg MMO, tekhex). +- +- The call to xmalloc below will fail if too much memory is requested, +- which will catch the problem in the normal use case. But if a memory +- checker is in use, eg valgrind or sanitize, then an exception will +- be still generated, so we try to catch the problem first. +- +- Unfortunately there is no simple way to determine how much memory can +- be allocated by calling xmalloc. So instead we use a simple, arbitrary +- limit of 2Gb. Hopefully this should be enough for most users. If +- someone does start trying to disassemble sections larger then 2Gb in +- size they will doubtless complain and we can increase the limit. */ +-#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */ +- if (datasize > MAX_XMALLOC) +- { +- non_fatal (_("Reading section %s failed because it is too big (%#lx)"), +- section->name, (unsigned long) datasize); +- return; +- } +- + data = (bfd_byte *) xmalloc (datasize); + + bfd_get_section_contents (abfd, section, data, 0, datasize); +@@ -2652,12 +2629,11 @@ dump_dwarf (bfd *abfd) + /* Read ABFD's stabs section STABSECT_NAME, and return a pointer to + it. Return NULL on failure. */ + +-static char * ++static bfd_byte * + read_section_stabs (bfd *abfd, const char *sect_name, bfd_size_type *size_ptr) + { + asection *stabsect; +- bfd_size_type size; +- char *contents; ++ bfd_byte *contents; + + stabsect = bfd_get_section_by_name (abfd, sect_name); + if (stabsect == NULL) +@@ -2666,10 +2642,7 @@ read_section_stabs (bfd *abfd, const cha + return FALSE; + } + +- size = bfd_section_size (abfd, stabsect); +- contents = (char *) xmalloc (size); +- +- if (! bfd_get_section_contents (abfd, stabsect, contents, 0, size)) ++ if (!bfd_malloc_and_get_section (abfd, stabsect, &contents)) + { + non_fatal (_("reading %s section of %s failed: %s"), + sect_name, bfd_get_filename (abfd), +@@ -2679,7 +2652,7 @@ read_section_stabs (bfd *abfd, const cha + return NULL; + } + +- *size_ptr = size; ++ *size_ptr = bfd_section_size (abfd, stabsect); + + return contents; + } +@@ -2806,8 +2779,7 @@ find_stabs_section (bfd *abfd, asection + + if (strtab) + { +- stabs = (bfd_byte *) read_section_stabs (abfd, section->name, +- &stab_size); ++ stabs = read_section_stabs (abfd, section->name, &stab_size); + if (stabs) + print_section_stabs (abfd, section->name, &sought->string_offset); + } +Index: git/binutils/objcopy.c +=================================================================== +--- git.orig/binutils/objcopy.c ++++ git/binutils/objcopy.c +@@ -2186,14 +2186,15 @@ copy_object (bfd *ibfd, bfd *obfd, const + continue; + } + +- bfd_byte * contents = xmalloc (size); +- if (bfd_get_section_contents (ibfd, sec, contents, 0, size)) ++ bfd_byte *contents; ++ if (bfd_malloc_and_get_section (ibfd, sec, &contents)) + { + if (fwrite (contents, 1, size, f) != size) + { + non_fatal (_("error writing section contents to %s (error: %s)"), + pdump->filename, + strerror (errno)); ++ free (contents); + return FALSE; + } + } diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch new file mode 100644 index 0000000000..c6353d8ce0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch @@ -0,0 +1,361 @@ +From 8e2f54bcee7e3e8315d4a39a302eaf8e4389e07d Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Tue, 30 May 2017 06:34:05 -0700 +Subject: [PATCH] Add bfd_get_file_size to get archive element size + +We can't use stat() to get archive element size. Add bfd_get_file_size +to get size for both normal files and archive elements. + +bfd/ + + PR binutils/21519 + * bfdio.c (bfd_get_file_size): New function. + * bfd-in2.h: Regenerated. + +binutils/ + + PR binutils/21519 + * objdump.c (dump_relocs_in_section): Replace get_file_size + with bfd_get_file_size to get archive element size. + * testsuite/binutils-all/objdump.exp (test_objdump_f): New + proc. + (test_objdump_h): Likewise. + (test_objdump_t): Likewise. + (test_objdump_r): Likewise. + (test_objdump_s): Likewise. + Add objdump tests on archive. + +Upstream-Status: Backport +CVE: CVE-2017-9955 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 + + bfd/bfd-in2.h | 2 + + bfd/bfdio.c | 23 ++++ + binutils/ChangeLog | 13 ++ + binutils/objdump.c | 2 +- + binutils/testsuite/binutils-all/objdump.exp | 178 +++++++++++++++++++--------- + 6 files changed, 170 insertions(+), 54 deletions(-) + +Index: git/bfd/bfd-in2.h +=================================================================== +--- git.orig/bfd/bfd-in2.h ++++ git/bfd/bfd-in2.h +@@ -1241,6 +1241,8 @@ long bfd_get_mtime (bfd *abfd); + + file_ptr bfd_get_size (bfd *abfd); + ++file_ptr bfd_get_file_size (bfd *abfd); ++ + void *bfd_mmap (bfd *abfd, void *addr, bfd_size_type len, + int prot, int flags, file_ptr offset, + void **map_addr, bfd_size_type *map_len); +Index: git/bfd/bfdio.c +=================================================================== +--- git.orig/bfd/bfdio.c ++++ git/bfd/bfdio.c +@@ -434,6 +434,29 @@ bfd_get_size (bfd *abfd) + return buf.st_size; + } + ++/* ++FUNCTION ++ bfd_get_file_size ++ ++SYNOPSIS ++ file_ptr bfd_get_file_size (bfd *abfd); ++ ++DESCRIPTION ++ Return the file size (as read from file system) for the file ++ associated with BFD @var{abfd}. It supports both normal files ++ and archive elements. ++ ++*/ ++ ++file_ptr ++bfd_get_file_size (bfd *abfd) ++{ ++ if (abfd->my_archive != NULL ++ && !bfd_is_thin_archive (abfd->my_archive)) ++ return arelt_size (abfd); ++ ++ return bfd_get_size (abfd); ++} + + /* + FUNCTION +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c ++++ git/binutils/objdump.c +@@ -3310,7 +3310,7 @@ dump_relocs_in_section (bfd *abfd, + } + + if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 +- && relsize > get_file_size (bfd_get_filename (abfd))) ++ && relsize > bfd_get_file_size (abfd)) + { + printf (" (too many: 0x%x)\n", section->reloc_count); + bfd_set_error (bfd_error_file_truncated); +Index: git/binutils/testsuite/binutils-all/objdump.exp +=================================================================== +--- git.orig/binutils/testsuite/binutils-all/objdump.exp ++++ git/binutils/testsuite/binutils-all/objdump.exp +@@ -64,96 +64,168 @@ if [regexp $want $got] then { + if {![binutils_assemble $srcdir/$subdir/bintest.s tmpdir/bintest.o]} then { + return + } ++if {![binutils_assemble $srcdir/$subdir/bintest.s tmpdir/bintest2.o]} then { ++ return ++} + if [is_remote host] { + set testfile [remote_download host tmpdir/bintest.o] ++ set testfile2 [remote_download host tmpdir/bintest2.o] + } else { + set testfile tmpdir/bintest.o ++ set testfile2 tmpdir/bintest2.o ++} ++ ++if { ![istarget "alpha-*-*"] || [is_elf_format] } then { ++ remote_file host file delete tmpdir/bintest.a ++ set got [binutils_run $AR "rc tmpdir/bintest.a $testfile2"] ++ if ![string match "" $got] then { ++ fail "bintest.a" ++ remote_file host delete tmpdir/bintest.a ++ } else { ++ if [is_remote host] { ++ set testarchive [remote_download host tmpdir/bintest.a] ++ } else { ++ set testarchive tmpdir/bintest.a ++ } ++ } ++ remote_file host delete tmpdir/bintest2.o + } + + # Test objdump -f + +-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -f $testfile"] ++proc test_objdump_f { testfile dumpfile } { ++ global OBJDUMP ++ global OBJDUMPFLAGS ++ global cpus_regex + +-set want "$testfile:\[ \]*file format.*architecture:\[ \]*${cpus_regex}.*HAS_RELOC.*HAS_SYMS" ++ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -f $testfile"] + +-if ![regexp $want $got] then { +- fail "objdump -f" +-} else { +- pass "objdump -f" ++ set want "$dumpfile:\[ \]*file format.*architecture:\[ \]*${cpus_regex}.*HAS_RELOC.*HAS_SYMS" ++ ++ if ![regexp $want $got] then { ++ fail "objdump -f ($testfile, $dumpfile)" ++ } else { ++ pass "objdump -f ($testfile, $dumpfile)" ++ } ++} ++ ++test_objdump_f $testfile $testfile ++if { [ remote_file host exists $testarchive ] } then { ++ test_objdump_f $testarchive bintest2.o + } + + # Test objdump -h + +-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -h $testfile"] ++proc test_objdump_h { testfile dumpfile } { ++ global OBJDUMP ++ global OBJDUMPFLAGS + +-set want "$testfile:\[ \]*file format.*Sections.*\[0-9\]+\[ \]+\[^ \]*(text|TEXT|P|\\\$CODE\\\$)\[^ \]*\[ \]*(\[0-9a-fA-F\]+).*\[0-9\]+\[ \]+\[^ \]*(\\.data|DATA|D_1)\[^ \]*\[ \]*(\[0-9a-fA-F\]+)" ++ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -h $testfile"] + +-if ![regexp $want $got all text_name text_size data_name data_size] then { +- fail "objdump -h" +-} else { +- verbose "text name is $text_name size is $text_size" +- verbose "data name is $data_name size is $data_size" +- set ets 8 +- set eds 4 +- # The [ti]c4x target has the property sizeof(char)=sizeof(long)=1 +- if [istarget *c4x*-*-*] then { +- set ets 2 +- set eds 1 +- } +- # c54x section sizes are in bytes, not octets; adjust accordingly +- if [istarget *c54x*-*-*] then { +- set ets 4 +- set eds 2 +- } +- if {[expr "0x$text_size"] < $ets || [expr "0x$data_size"] < $eds} then { +- send_log "sizes too small\n" +- fail "objdump -h" ++ set want "$dumpfile:\[ \]*file format.*Sections.*\[0-9\]+\[ \]+\[^ \]*(text|TEXT|P|\\\$CODE\\\$)\[^ \]*\[ \]*(\[0-9a-fA-F\]+).*\[0-9\]+\[ \]+\[^ \]*(\\.data|DATA|D_1)\[^ \]*\[ \]*(\[0-9a-fA-F\]+)" ++ ++ if ![regexp $want $got all text_name text_size data_name data_size] then { ++ fail "objdump -h ($testfile, $dumpfile)" + } else { +- pass "objdump -h" ++ verbose "text name is $text_name size is $text_size" ++ verbose "data name is $data_name size is $data_size" ++ set ets 8 ++ set eds 4 ++ # The [ti]c4x target has the property sizeof(char)=sizeof(long)=1 ++ if [istarget *c4x*-*-*] then { ++ set ets 2 ++ set eds 1 ++ } ++ # c54x section sizes are in bytes, not octets; adjust accordingly ++ if [istarget *c54x*-*-*] then { ++ set ets 4 ++ set eds 2 ++ } ++ if {[expr "0x$text_size"] < $ets || [expr "0x$data_size"] < $eds} then { ++ send_log "sizes too small\n" ++ fail "objdump -h ($testfile, $dumpfile)" ++ } else { ++ pass "objdump -h ($testfile, $dumpfile)" ++ } + } + } + ++test_objdump_h $testfile $testfile ++if { [ remote_file host exists $testarchive ] } then { ++ test_objdump_h $testarchive bintest2.o ++} ++ + # Test objdump -t + +-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -t $testfile"] ++proc test_objdump_t { testfile} { ++ global OBJDUMP ++ global OBJDUMPFLAGS ++ ++ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -t $testfile"] ++ ++ if [info exists vars] then { unset vars } ++ while {[regexp "(\[a-z\]*_symbol)(.*)" $got all symbol rest]} { ++ set vars($symbol) 1 ++ set got $rest ++ } + +-if [info exists vars] then { unset vars } +-while {[regexp "(\[a-z\]*_symbol)(.*)" $got all symbol rest]} { +- set vars($symbol) 1 +- set got $rest ++ if {![info exists vars(text_symbol)] \ ++ || ![info exists vars(data_symbol)] \ ++ || ![info exists vars(common_symbol)] \ ++ || ![info exists vars(external_symbol)]} then { ++ fail "objdump -t ($testfile)" ++ } else { ++ pass "objdump -t ($testfile)" ++ } + } + +-if {![info exists vars(text_symbol)] \ +- || ![info exists vars(data_symbol)] \ +- || ![info exists vars(common_symbol)] \ +- || ![info exists vars(external_symbol)]} then { +- fail "objdump -t" +-} else { +- pass "objdump -t" ++test_objdump_t $testfile ++if { [ remote_file host exists $testarchive ] } then { ++ test_objdump_t $testarchive + } + + # Test objdump -r + +-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -r $testfile"] ++proc test_objdump_r { testfile dumpfile } { ++ global OBJDUMP ++ global OBJDUMPFLAGS + +-set want "$testfile:\[ \]*file format.*RELOCATION RECORDS FOR \\\[\[^\]\]*(text|TEXT|P|\\\$CODE\\\$)\[^\]\]*\\\].*external_symbol" ++ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -r $testfile"] + +-if [regexp $want $got] then { +- pass "objdump -r" +-} else { +- fail "objdump -r" ++ set want "$dumpfile:\[ \]*file format.*RELOCATION RECORDS FOR \\\[\[^\]\]*(text|TEXT|P|\\\$CODE\\\$)\[^\]\]*\\\].*external_symbol" ++ ++ if [regexp $want $got] then { ++ pass "objdump -r ($testfile, $dumpfile)" ++ } else { ++ fail "objdump -r ($testfile, $dumpfile)" ++ } ++} ++ ++test_objdump_r $testfile $testfile ++if { [ remote_file host exists $testarchive ] } then { ++ test_objdump_r $testarchive bintest2.o + } + + # Test objdump -s + +-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -s $testfile"] ++proc test_objdump_s { testfile dumpfile } { ++ global OBJDUMP ++ global OBJDUMPFLAGS + +-set want "$testfile:\[ \]*file format.*Contents.*(text|TEXT|P|\\\$CODE\\\$)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000001|01000000|00000100).*Contents.*(data|DATA|D_1)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000002|02000000|00000200)" ++ set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -s $testfile"] + +-if [regexp $want $got] then { +- pass "objdump -s" +-} else { +- fail "objdump -s" ++ set want "$dumpfile:\[ \]*file format.*Contents.*(text|TEXT|P|\\\$CODE\\\$)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000001|01000000|00000100).*Contents.*(data|DATA|D_1)\[^0-9\]*\[ \]*\[0-9a-fA-F\]*\[ \]*(00000002|02000000|00000200)" ++ ++ if [regexp $want $got] then { ++ pass "objdump -s ($testfile, $dumpfile)" ++ } else { ++ fail "objdump -s ($testfile, $dumpfile)" ++ } ++} ++ ++test_objdump_s $testfile $testfile ++if { [ remote_file host exists $testarchive ] } then { ++ test_objdump_s $testarchive bintest2.o + } + + # Test objdump -s on a file that contains a compressed .debug section +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-05-30 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21519 ++ * bfdio.c (bfd_get_file_size): New function. ++ * bfd-in2.h: Regenerated. ++ + 2017-06-27 Alan Modra <amodra@gmail.com> + + PR binutils/21665 +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,16 @@ ++2017-05-30 H.J. Lu <hongjiu.lu@intel.com> ++ ++ PR binutils/21519 ++ * objdump.c (dump_relocs_in_section): Replace get_file_size ++ with bfd_get_file_size to get archive element size. ++ * testsuite/binutils-all/objdump.exp (test_objdump_f): New ++ proc. ++ (test_objdump_h): Likewise. ++ (test_objdump_t): Likewise. ++ (test_objdump_r): Likewise. ++ (test_objdump_s): Likewise. ++ Add objdump tests on archive. ++ + 2017-07-01 Alan Modra <amodra@gmail.com> + + PR binutils/21665 |