commit cb06d03ad92ffcfaa09c3f065837cb39e9e1486d
Author: Nick Clifton <nickc@redhat.com>
Date: Wed Jun 21 11:13:49 2017 +0100
Fix address violation parsing a corrupt IEEE Alpha binary.
PR binutils/21637
* vms-alpha.c (_bfd_vms_slurp_egsd): Check for an empty section
list.
(image_set_ptr): Likewise.
(alpha_vms_fix_sec_rel): Likewise.
(alpha_vms_slurp_relocs): Likewise.
Upstream-Status: Backport
CVE: CVE-2017-12450, CVE-2017-12452, CVE-2017-12453, CVE-2017-12454, CVE-2017-12456
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/vms-alpha.c
===================================================================
--- git.orig/bfd/vms-alpha.c 2017-08-31 18:01:00.742098130 +0530
+++ git/bfd/vms-alpha.c 2017-08-31 18:01:06.000000000 +0530
@@ -1257,6 +1257,8 @@
struct vms_esdf *esdf = (struct vms_esdf *)vms_rec;
entry->value = bfd_getl64 (esdf->value);
+ if (PRIV (sections) == NULL)
+ return FALSE;
entry->section = PRIV (sections)[bfd_getl32 (esdf->psindx)];
if (old_flags & EGSY__V_NORM)
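Review bot: The added `PRIV (sections) == NULL` test prevents the NULL dereference but leaves the index unchecked. `bfd_getl32 (esdf->psindx)` is read straight from the file and still indexes the array on the next line, so a corrupt record with an oversized psindx reads past the end of the section table. If the private data tracks the table length (vms-alpha.c appears to keep it as `PRIV (section_count)`; confirm), the guard should read `if (PRIV (sections) == NULL || bfd_getl32 (esdf->psindx) >= PRIV (section_count)) return FALSE;`. The same gap applies to the indexing by `egst->psindx`, `sect`, `rel & RELC_MASK`, `cur_psect` and `cur_psidx` in the later hunks of this file. The enclosing function starts and ends outside the hunk.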
@@ -1291,7 +1293,11 @@
entry->symbol_vector = bfd_getl32 (egst->value);
if (old_flags & EGSY__V_REL)
- entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
+ {
+ if (PRIV (sections) == NULL)
+ return FALSE;
+ entry->section = PRIV (sections)[bfd_getl32 (egst->psindx)];
+ }
else
entry->section = bfd_abs_section_ptr;
@@ -1379,6 +1385,8 @@
vms_debug2 ((4, "image_set_ptr (0x%08x, sect=%d)\n", (unsigned)vma, sect));
+ if (PRIV (sections) == NULL)
+ return;
sec = PRIV (sections)[sect];
if (info)
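Review bot: The early `return;` added here fails silently: the function named in the debug message, image_set_ptr, leaves without reporting anything, so its caller presumably continues as if the pointer had been set. In the alpha_vms_fix_sec_rel hunk, `return 0;` likewise hands back a value that cannot be told apart from a legitimate result. Recording the failure before leaving, `bfd_set_error (bfd_error_bad_value);`, and putting a comment such as `/* Corrupt input: no section table was read. */` above each check would make the condition visible to callers and to readers. Both functions extend outside their hunks, so whether callers test for this is not visible here.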
@@ -1691,7 +1699,12 @@
alpha_vms_fix_sec_rel (bfd *abfd, struct bfd_link_info *info,
unsigned int rel, bfd_vma vma)
{
- asection *sec = PRIV (sections)[rel & RELC_MASK];
+ asection *sec;
+
+ if (PRIV (sections) == NULL)
+ return 0;
+
+ sec = PRIV (sections)[rel & RELC_MASK];
if (info)
{
@@ -5000,6 +5013,8 @@
return FALSE;
}
+ if (PRIV (sections) == NULL)
+ return FALSE;
sec = PRIV (sections)[cur_psect];
if (sec == bfd_abs_section_ptr)
{
@@ -5058,8 +5073,12 @@
reloc->sym_ptr_ptr = sym;
}
else if (cur_psidx >= 0)
- reloc->sym_ptr_ptr =
- PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+ {
+ if (PRIV (sections) == NULL)
+ return FALSE;
+ reloc->sym_ptr_ptr =
+ PRIV (sections)[cur_psidx]->symbol_ptr_ptr;
+ }
else
reloc->sym_ptr_ptr = NULL;
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-08-31 18:01:06.000000000 +0530
+++ git/bfd/ChangeLog 2017-08-31 18:01:49.114384620 +0530
@@ -31,7 +31,16 @@
correct magic bytes at the start, set the error to wrong format
and clear the format selector before returning NULL.
- 2017-06-19 Nick Clifton <nickc@redhat.com>
+ 2017-06-21 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21637
+ * vms-alpha.c (_bfd_vms_slurp_egsd): Check for an empty section
+ list.
+ (image_set_ptr): Likewise.
+ (alpha_vms_fix_sec_rel): Likewise.
+ (alpha_vms_slurp_relocs): Likewise.
+
+2017-06-19 Nick Clifton <nickc@redhat.com>
PR binutils/21618
* vms-alpha.c (evax_bfd_print_emh): Check for insufficient record