Stop potential illegal memory access when parsing corrupt archives.

Resolves: #1680670

binutils-CVE-2019-9075.patch

@@ -0,0 +1,73 @@
+diff -rup binutils.orig/bfd/archive64.c binutils-2.31.1/bfd/archive64.c
+--- binutils.orig/bfd/archive64.c	2019-02-26 11:17:11.882530151 +0000
++++ binutils-2.31.1/bfd/archive64.c	2019-02-26 11:19:18.422488805 +0000
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab
+     return FALSE;
+   carsyms = ardata->symdefs;
+   stringbase = ((char *) ardata->symdefs) + carsym_size;
+-  stringbase[stringsize] = 0;
+-  stringend = stringbase + stringsize;
+ 
+   raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
+   if (raw_armap == NULL)
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab
+       goto release_raw_armap;
+     }
+ 
++  stringend = stringbase + stringsize;
++  *stringend = 0;
+   for (i = 0; i < nsymz; i++)
+     {
+       carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
+       carsyms->name = stringbase;
+-      if (stringbase < stringend)
+-	stringbase += strlen (stringbase) + 1;
++      stringbase += strlen (stringbase);
++      if (stringbase != stringend)
++	++stringbase;
+       ++carsyms;
+     }
+-  *stringbase = '\0';
+ 
+   ardata->symdef_count = nsymz;
+   ardata->first_file_filepos = bfd_tell (abfd);
+diff -rup binutils.orig/bfd/archive.c binutils-2.31.1/bfd/archive.c
+--- binutils.orig/bfd/archive.c	2019-02-26 11:17:11.884530134 +0000
++++ binutils-2.31.1/bfd/archive.c	2019-02-26 11:18:33.354859687 +0000
+@@ -1014,6 +1014,7 @@ do_slurp_coff_armap (bfd *abfd)
+   int *raw_armap, *rawptr;
+   struct artdata *ardata = bfd_ardata (abfd);
+   char *stringbase;
++  char *stringend;
+   bfd_size_type stringsize;
+   bfd_size_type parsed_size;
+   carsym *carsyms;
+@@ -1073,22 +1074,20 @@ do_slurp_coff_armap (bfd *abfd)
+     }
+ 
+   /* OK, build the carsyms.  */
+-  for (i = 0; i < nsymz && stringsize > 0; i++)
++  stringend = stringbase + stringsize;
++  *stringend = 0;
++  for (i = 0; i < nsymz; i++)
+     {
+       bfd_size_type len;
+ 
+       rawptr = raw_armap + i;
+       carsyms->file_offset = swap ((bfd_byte *) rawptr);
+       carsyms->name = stringbase;
+-      /* PR 17512: file: 4a1d50c1.  */
+-      len = strnlen (stringbase, stringsize);
+-      if (len < stringsize)
+-	len ++;
+-      stringbase += len;
+-      stringsize -= len;
++      stringbase += strlen (stringbase);
++      if (stringbase != stringend)
++	++stringbase;
+       carsyms++;
+     }
+-  *stringbase = 0;
+ 
+   ardata->symdef_count = nsymz;
+   ardata->first_file_filepos = bfd_tell (abfd);

binutils.spec

@@ -75,7 +75,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.32
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils
 
@@ -180,6 +180,10 @@ Patch14: binutils-CVE-2019-9073.patch
 # Lifetime: Fixed in 2.33
 Patch15: binutils-CVE-2019-9074.patch
 
+# Purpose:  Stop illegal memory access parsing corrupt archives.
+# Lifetime: Fixed in 2.33
+Patch16: binutils-CVE-2019-9075.patch
+
 #----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
@@ -313,6 +317,7 @@ using libelf instead of BFD.
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 # FIXME - this is no longer true.  Maybe try reinstating autotool use ?
@@ -714,6 +719,9 @@ exit 0
 
 #----------------------------------------------------------------------------
 %changelog
+* Tue Feb 26 2019 Nick Clifton  <nickc@redhat.com> - 2.32-5
+- Stop potential illegal memory access when parsing corrupt archives.  (#1680670)
+
 * Mon Feb 25 2019 Nick Clifton  <nickc@redhat.com> - 2.32-4
 - Stop potential illegal memory access when parsing corrupt PE files.  (#1680682)