commit 406bd128dba2a59d0736839fc87a59bce319076c
Author: Nick Clifton <nickc@redhat.com>
Date: Mon Dec 5 16:00:43 2016 +0000
Fix seg-fault in linker when passed a bogus input script.
PR ld/20906
* ldlex.l: Check for bogus strings in linker scripts.
Upstream-Status: backport
CVE: CVE-2017-7227
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/ld/ChangeLog
===================================================================
--- git.orig/ld/ChangeLog 2017-09-04 13:18:09.660584245 +0530
+++ git/ld/ChangeLog 2017-09-04 13:20:34.286155911 +0530
@@ -1,3 +1,8 @@
+2016-12-05 Nick Clifton <nickc@redhat.com>
+
+ PR ld/20906
+ * ldlex.l: Check for bogus strings in linker scripts.
+
2016-08-02 Nick Clifton <nickc@redhat.com>
PR ld/17739
Index: git/ld/ldlex.l
===================================================================
--- git.orig/ld/ldlex.l 2017-09-04 13:18:09.692584605 +0530
+++ git/ld/ldlex.l 2017-09-04 13:22:54.483583368 +0530
@@ -416,9 +416,15 @@
<EXPRESSION,BOTH,SCRIPT,VERS_NODE,INPUTLIST>"\""[^\"]*"\"" {
/* No matter the state, quotes
- give what's inside */
+ give what's inside. */
+ bfd_size_type len;
yylval.name = xstrdup (yytext + 1);
- yylval.name[yyleng - 2] = 0;
+ /* PR ld/20906. A corrupt input file
+ can contain bogus strings. */
+ len = strlen (yylval.name);
+ if (len > yyleng - 2)
+ len = yyleng - 2;
+ yylval.name[len] = 0;
return NAME;
}
<BOTH,SCRIPT,EXPRESSION>"\n" { lineno++;}
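Review bot: The new comment above `len = strlen (yylval.name);` does not say why the clamp is needed, which makes the fix easy to undo in a later cleanup. `[^\"]*` can match a NUL byte, so `xstrdup (yytext + 1)` may return a buffer shorter than `yyleng - 1` bytes, and the old store at `yyleng - 2` could then land past the end of that allocation. I would spell that out, e.g. `/* PR ld/20906: yytext may hold an embedded NUL, so the xstrdup'd copy can be shorter than yyleng - 2; never index past its terminator. */`. The comparison `len > yyleng - 2` also mixes the unsigned `bfd_size_type` with `yyleng`; it is safe only because the rule always matches both quote characters (so `yyleng >= 2`), which deserves a mention in the same comment. A name containing a NUL is still accepted and silently truncated, so it is worth deciding whether the lexer should report such a script instead; the reporting helpers are not visible in this hunk.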