1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
From 4da598a472e1d298825035e452e3bc68f714311c Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 14 Feb 2017 14:07:29 +0000
Subject: Fix handling of corrupt STABS enum type strings.
PR binutils/21157
* stabs.c (parse_stab_enum_type): Check for corrupt NAME:VALUE
pairs.
(parse_number): Exit early if passed an empty string.
CVE: CVE-2017-7210
Upstream-Status: Backport [master]
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
---
binutils/ChangeLog | 7 +++++++
binutils/stabs.c | 14 +++++++++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index cf92744c12..0045fbaaa6 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,10 @@
+2017-02-14 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21157
+ * stabs.c (parse_stab_enum_type): Check for corrupt NAME:VALUE
+ pairs.
+ (parse_number): Exit early if passed an empty string.
+
2017-02-13 Nick Clifton <nickc@redhat.com>
PR binutils/21135
diff --git a/binutils/stabs.c b/binutils/stabs.c
index f5c5d2d8e0..5d013cc361 100644
--- a/binutils/stabs.c
+++ b/binutils/stabs.c
@@ -232,6 +232,10 @@ parse_number (const char **pp, bfd_boolean *poverflow)
orig = *pp;
+ /* Stop early if we are passed an empty string. */
+ if (*orig == 0)
+ return (bfd_vma) 0;
+
errno = 0;
ul = strtoul (*pp, (char **) pp, 0);
if (ul + 1 != 0 || errno == 0)
@@ -1975,9 +1979,17 @@ parse_stab_enum_type (void *dhandle, const char **pp)
bfd_signed_vma val;
p = *pp;
- while (*p != ':')
+ while (*p != ':' && *p != 0)
++p;
+ if (*p == 0)
+ {
+ bad_stab (orig);
+ free (names);
+ free (values);
+ return DEBUG_TYPE_NULL;
+ }
+
name = savestring (*pp, p - *pp);
*pp = p + 1;
--
2.11.0
|