1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
commit 76800cba595efc3fe95a446c2d664e42ae4ee869
Author: Nick Clifton <nickc@redhat.com>
Date: Thu Jun 15 12:08:57 2017 +0100
Handle EITR records in VMS Alpha binaries with overlarge command length parameters.
PR binutils/21579
* vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length.
Upstream-Status: CVE-2017-9745
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/vms-alpha.c
===================================================================
--- git.orig/bfd/vms-alpha.c 2017-09-21 16:08:57.863375204 +0530
+++ git/bfd/vms-alpha.c 2017-09-21 16:08:58.211377888 +0530
@@ -1801,14 +1801,8 @@
ptr += 4;
-#if VMS_DEBUG
- _bfd_vms_debug (4, "etir: %s(%d)\n",
- _bfd_vms_etir_name (cmd), cmd);
- _bfd_hexdump (8, ptr, cmd_length - 4, 0);
-#endif
-
- /* PR 21589: Check for a corrupt ETIR record. */
- if (cmd_length < 4)
+ /* PR 21589 and 21579: Check for a corrupt ETIR record. */
+ if (cmd_length < 4 || (ptr + cmd_length > maxptr + 4))
{
corrupt_etir:
_bfd_error_handler (_("Corrupt ETIR record encountered"));
@@ -1816,6 +1810,12 @@
return FALSE;
}
+#if VMS_DEBUG
+ _bfd_vms_debug (4, "etir: %s(%d)\n",
+ _bfd_vms_etir_name (cmd), cmd);
+ _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+#endif
+
switch (cmd)
{
/* Stack global
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 16:08:57.927375697 +0530
+++ git/bfd/ChangeLog 2017-09-21 16:11:35.192613756 +0530
@@ -81,6 +81,11 @@
PR binutils/21581
(ieee_archive_p): Likewise.
+2017-06-15 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21579
+ * vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length.
+
2017-06-14 Nick Clifton <nickc@redhat.com>
PR binutils/21589
|