1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
Upstream-Status: Backport
CVE-2014-8504 fix.
[YOCTO #7084]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
From 708d7d0d11f0f2d776171979aa3479e8e12a38a0 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 28 Oct 2014 10:48:14 +0000
Subject: [PATCH] This patch fixes a flaw in the SREC parser which could cause
a stack overflow and potential secuiryt breach.
PR binutils/17510
* srec.c (srec_bad_byte): Increase size of buf to allow for
negative values.
(srec_scan): Use an unsigned char buffer to hold header bytes.
---
bfd/ChangeLog | 8 ++++++++
bfd/elf.c | 2 +-
bfd/peXXigen.c | 1 -
bfd/srec.c | 4 ++--
4 files changed, 11 insertions(+), 4 deletions(-)
Index: binutils-2.24/bfd/ChangeLog
===================================================================
--- binutils-2.24.orig/bfd/ChangeLog
+++ binutils-2.24/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2014-10-28 Andreas Schwab <schwab@suse.de>
+ Nick Clifton <nickc@redhat.com>
+
+ PR binutils/17510
+ * srec.c (srec_bad_byte): Increase size of buf to allow for
+ negative values.
+ (srec_scan): Use an unsigned char buffer to hold header bytes.
+
2014-10-30 Nick Clifton <nickc@redhat.com>
PR binutils/17512
Index: binutils-2.24/bfd/peXXigen.c
===================================================================
--- binutils-2.24.orig/bfd/peXXigen.c
+++ binutils-2.24/bfd/peXXigen.c
@@ -471,7 +471,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
a->NumberOfRvaAndSizes = 0;
}
-
for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
{
/* If data directory is empty, rva also should be 0. */
Index: binutils-2.24/bfd/srec.c
===================================================================
--- binutils-2.24.orig/bfd/srec.c
+++ binutils-2.24/bfd/srec.c
@@ -248,7 +248,7 @@ srec_bad_byte (bfd *abfd,
}
else
{
- char buf[10];
+ char buf[40];
if (! ISPRINT (c))
sprintf (buf, "\\%03o", (unsigned int) c);
@@ -454,7 +454,7 @@ srec_scan (bfd *abfd)
case 'S':
{
file_ptr pos;
- char hdr[3];
+ unsigned char hdr[3];
unsigned int bytes, min_bytes;
bfd_vma address;
bfd_byte *data;
|