Stop potential illegal memory access when parsing corrupt archives.

Resolves: #1680670

binutils-CVE-2019-9075.patch

@@ -0,0 +1,73 @@
+diff -rup binutils.orig/bfd/archive64.c binutils-2.31.1/bfd/archive64.c
+--- binutils.orig/bfd/archive64.c	2019-02-26 11:17:11.882530151 +0000
++++ binutils-2.31.1/bfd/archive64.c	2019-02-26 11:19:18.422488805 +0000
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab
+     return FALSE;
+   carsyms = ardata->symdefs;
+   stringbase = ((char *) ardata->symdefs) + carsym_size;
+-  stringbase[stringsize] = 0;
+-  stringend = stringbase + stringsize;
+ 
+   raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
+   if (raw_armap == NULL)
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab
+       goto release_raw_armap;
+     }
+ 
++  stringend = stringbase + stringsize;
++  *stringend = 0;
+   for (i = 0; i < nsymz; i++)
+     {
+       carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
+       carsyms->name = stringbase;
+-      if (stringbase < stringend)
+-	stringbase += strlen (stringbase) + 1;
++      stringbase += strlen (stringbase);
++      if (stringbase != stringend)
++	++stringbase;
+       ++carsyms;
+     }
+-  *stringbase = '\0';
+ 
+   ardata->symdef_count = nsymz;
+   ardata->first_file_filepos = bfd_tell (abfd);
+diff -rup binutils.orig/bfd/archive.c binutils-2.31.1/bfd/archive.c
+--- binutils.orig/bfd/archive.c	2019-02-26 11:17:11.884530134 +0000
++++ binutils-2.31.1/bfd/archive.c	2019-02-26 11:18:33.354859687 +0000
+@@ -1014,6 +1014,7 @@ do_slurp_coff_armap (bfd *abfd)
+   int *raw_armap, *rawptr;
+   struct artdata *ardata = bfd_ardata (abfd);
+   char *stringbase;
++  char *stringend;
+   bfd_size_type stringsize;
+   bfd_size_type parsed_size;
+   carsym *carsyms;
+@@ -1073,22 +1074,20 @@ do_slurp_coff_armap (bfd *abfd)
+     }
+ 
+   /* OK, build the carsyms.  */
+-  for (i = 0; i < nsymz && stringsize > 0; i++)
++  stringend = stringbase + stringsize;
++  *stringend = 0;
++  for (i = 0; i < nsymz; i++)
+     {
+       bfd_size_type len;
+ 
+       rawptr = raw_armap + i;
+       carsyms->file_offset = swap ((bfd_byte *) rawptr);
+       carsyms->name = stringbase;
+-      /* PR 17512: file: 4a1d50c1.  */
+-      len = strnlen (stringbase, stringsize);
+-      if (len < stringsize)
+-	len ++;
+-      stringbase += len;
+-      stringsize -= len;
++      stringbase += strlen (stringbase);
++      if (stringbase != stringend)
++	++stringbase;
+       carsyms++;
+     }
+-  *stringbase = 0;
+ 
+   ardata->symdef_count = nsymz;
+   ardata->first_file_filepos = bfd_tell (abfd);

binutils.spec

@@ -69,7 +69,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.31.1
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils
 
@@ -215,6 +215,10 @@ Patch23: binutils-CVE-2019-9073.patch
 # Lifetime: Fixed in 2.33
 Patch24: binutils-CVE-2019-9074.patch
 
+# Purpose:  Stop illegal memory access parsing corrupt archives.
+# Lifetime: Fixed in 2.33
+Patch25: binutils-CVE-2019-9075.patch
+
 #----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
@@ -361,6 +365,8 @@ using libelf instead of BFD.
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
+%patch25 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 
@@ -768,6 +774,9 @@ exit 0
 
 #----------------------------------------------------------------------------
 %changelog
+* Tue Feb 26 2019 Nick Clifton  <nickc@redhat.com> - 2.31.1-22
+- Stop potential illegal memory access when parsing corrupt archives.  (#1680670)
+
 * Mon Feb 25 2019 Nick Clifton  <nickc@redhat.com> - 2.31.1-21
 - Stop potential illegal memory access when parsing corrupt PE files.  (#1680682)