Stop potential illegal memory access when parsing corrupt archives.

Resolves: #1680670
This commit is contained in:
Nick Clifton 2019-02-26 11:34:26 +00:00
parent d003e8dd8a
commit 43332bae43
2 changed files with 82 additions and 1 deletions

View File

@ -0,0 +1,73 @@
diff -rup binutils.orig/bfd/archive64.c binutils-2.31.1/bfd/archive64.c
--- binutils.orig/bfd/archive64.c 2019-02-26 11:17:11.882530151 +0000
+++ binutils-2.31.1/bfd/archive64.c 2019-02-26 11:19:18.422488805 +0000
@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab
return FALSE;
carsyms = ardata->symdefs;
stringbase = ((char *) ardata->symdefs) + carsym_size;
- stringbase[stringsize] = 0;
- stringend = stringbase + stringsize;
raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
if (raw_armap == NULL)
@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab
goto release_raw_armap;
}
+ stringend = stringbase + stringsize;
+ *stringend = 0;
for (i = 0; i < nsymz; i++)
{
carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
carsyms->name = stringbase;
- if (stringbase < stringend)
- stringbase += strlen (stringbase) + 1;
+ stringbase += strlen (stringbase);
+ if (stringbase != stringend)
+ ++stringbase;
++carsyms;
}
- *stringbase = '\0';
ardata->symdef_count = nsymz;
ardata->first_file_filepos = bfd_tell (abfd);
diff -rup binutils.orig/bfd/archive.c binutils-2.31.1/bfd/archive.c
--- binutils.orig/bfd/archive.c 2019-02-26 11:17:11.884530134 +0000
+++ binutils-2.31.1/bfd/archive.c 2019-02-26 11:18:33.354859687 +0000
@@ -1014,6 +1014,7 @@ do_slurp_coff_armap (bfd *abfd)
int *raw_armap, *rawptr;
struct artdata *ardata = bfd_ardata (abfd);
char *stringbase;
+ char *stringend;
bfd_size_type stringsize;
bfd_size_type parsed_size;
carsym *carsyms;
@@ -1073,22 +1074,20 @@ do_slurp_coff_armap (bfd *abfd)
}
/* OK, build the carsyms. */
- for (i = 0; i < nsymz && stringsize > 0; i++)
+ stringend = stringbase + stringsize;
+ *stringend = 0;
+ for (i = 0; i < nsymz; i++)
{
bfd_size_type len;
rawptr = raw_armap + i;
carsyms->file_offset = swap ((bfd_byte *) rawptr);
carsyms->name = stringbase;
- /* PR 17512: file: 4a1d50c1. */
- len = strnlen (stringbase, stringsize);
- if (len < stringsize)
- len ++;
- stringbase += len;
- stringsize -= len;
+ stringbase += strlen (stringbase);
+ if (stringbase != stringend)
+ ++stringbase;
carsyms++;
}
- *stringbase = 0;
ardata->symdef_count = nsymz;
ardata->first_file_filepos = bfd_tell (abfd);

View File

@ -75,7 +75,7 @@
Summary: A GNU collection of binary utilities Summary: A GNU collection of binary utilities
Name: %{?cross}binutils%{?_with_debug:-debug} Name: %{?cross}binutils%{?_with_debug:-debug}
Version: 2.32 Version: 2.32
Release: 4%{?dist} Release: 5%{?dist}
License: GPLv3+ License: GPLv3+
URL: https://sourceware.org/binutils URL: https://sourceware.org/binutils
@ -180,6 +180,10 @@ Patch14: binutils-CVE-2019-9073.patch
# Lifetime: Fixed in 2.33 # Lifetime: Fixed in 2.33
Patch15: binutils-CVE-2019-9074.patch Patch15: binutils-CVE-2019-9074.patch
# Purpose: Stop illegal memory access parsing corrupt archives.
# Lifetime: Fixed in 2.33
Patch16: binutils-CVE-2019-9075.patch
#---------------------------------------------------------------------------- #----------------------------------------------------------------------------
Provides: bundled(libiberty) Provides: bundled(libiberty)
@ -313,6 +317,7 @@ using libelf instead of BFD.
%patch13 -p1 %patch13 -p1
%patch14 -p1 %patch14 -p1
%patch15 -p1 %patch15 -p1
%patch16 -p1
# We cannot run autotools as there is an exact requirement of autoconf-2.59. # We cannot run autotools as there is an exact requirement of autoconf-2.59.
# FIXME - this is no longer true. Maybe try reinstating autotool use ? # FIXME - this is no longer true. Maybe try reinstating autotool use ?
@ -714,6 +719,9 @@ exit 0
#---------------------------------------------------------------------------- #----------------------------------------------------------------------------
%changelog %changelog
* Tue Feb 26 2019 Nick Clifton <nickc@redhat.com> - 2.32-5
- Stop potential illegal memory access when parsing corrupt archives. (#1680670)
* Mon Feb 25 2019 Nick Clifton <nickc@redhat.com> - 2.32-4 * Mon Feb 25 2019 Nick Clifton <nickc@redhat.com> - 2.32-4
- Stop potential illegal memory access when parsing corrupt PE files. (#1680682) - Stop potential illegal memory access when parsing corrupt PE files. (#1680682)