commit 04f963fd489cae724a60140e13984415c205f4ac
Author: Nick Clifton
Date: Wed Jun 14 10:35:16 2017 +0100
Fix seg-faults in objdump when disassembling a corrupt versados binary.
PR binutils/21591
* versados.c (versados_mkobject): Zero the allocated tdata structure.
(process_otr): Check for an invalid offset in the otr structure.
Upstream-Status: Backport
CVE: CVE-2017-9753 and CVE-2017-9754
Signed-off-by: Thiruvadi Rajaraman
Index: git/bfd/versados.c
===================================================================
--- git.orig/bfd/versados.c 2017-09-21 15:08:34.445197987 +0530
+++ git/bfd/versados.c 2017-09-21 15:08:34.429197878 +0530
@@ -149,7 +149,7 @@
 if (abfd->tdata.versados_data == NULL)
 {
 bfd_size_type amt = sizeof (tdata_type);
- tdata_type *tdata = bfd_alloc (abfd, amt);
+ tdata_type *tdata = bfd_zalloc (abfd, amt);
 if (tdata == NULL)
 return FALSE;
@@ -344,13 +344,13 @@
 };
 static int
-get_offset (int len, unsigned char *ptr)
+get_offset (unsigned int len, unsigned char *ptr)
 {
 int val = 0;
 if (len)
 {
- int i;
+ unsigned int i;
 val = *ptr++;
 if (val & 0x80)
@@ -393,9 +393,13 @@
 int flag = *srcp++;
 int esdids = (flag >> 5) & 0x7;
 int sizeinwords = ((flag >> 3) & 1) ? 2 : 1;
- int offsetlen = flag & 0x7;
+ unsigned int offsetlen = flag & 0x7;
 int j;
+ /* PR 21591: Check for invalid lengths. */
+ if (srcp + esdids + offsetlen >= endp)
+ return;
+
 if (esdids == 0)
 {
 /* A zero esdid means the new pc is the offset given. */
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 15:08:34.445197987 +0530
+++ git/bfd/ChangeLog 2017-09-21 15:08:34.429197878 +0530
@@ -90,6 +90,12 @@
 (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the end of etir record.
+2017-06-14 Nick Clifton
+
+ PR binutils/21591
+ * versados.c (versados_mkobject): Zero the allocated tdata structure.
+ (process_otr): Check for an invalid offset in the otr structure.
+
 2017-04-29 Alan Modra
 PR 21432
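Review bot: get_offset still carries no bound of its own: the signature change to `unsigned int len` at the second hunk removes negative lengths, but the function appears to read bytes through ptr for as long as len says, so its safety rests entirely on callers validating len against the end of the buffer first. That precondition is not stated anywhere near the signature; a one-line contract comment above the definition would make it explicit, e.g. `/* PTR must point at at least LEN readable bytes; the caller is responsible for checking this against the end of the record.  */`. get_offset's body continues past the end of the hunk, so the exact read pattern is not visible here.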
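Review bot: The new guard `if (srcp + esdids + offsetlen >= endp)` in the third hunk forms the pointer srcp + esdids + offsetlen before comparing it, and on a truncated record that sum can land up to 14 bytes past endp; constructing a pointer beyond one-past-the-end of the buffer is undefined behaviour in C even if the comparison then fails. Comparing remaining length instead avoids forming the out-of-range pointer: `if ((size_t) (endp - srcp) <= (size_t) esdids + offsetlen) return;`, which keeps the same rejection threshold. This assumes srcp <= endp holds at this point, which looks to be maintained by the enclosing loop but is not visible in the hunk; process_otr starts and ends outside the hunk, so whether the later reads of the esdid bytes and the sizeinwords-dependent data stay within this same check also cannot be confirmed here. The comment `/* PR 21591: Check for invalid lengths. */` would read better if it named what it protects, e.g. `/* PR 21591: reject records too short to hold the esdid bytes and the offset that follow. */`.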