From 7e27a9d5f22f9f7ead11738b1546d0b5c737266b Mon Sep 17 00:00:00 2001 From: "Yuriy M. Kaminskiy" Date: Tue, 4 Aug 2015 16:51:53 +0100 Subject: Fix stack buffer overflows when parsing corrupt ihex files. PR binutils/18750 * ihex.c (ihex_scan): Fixes incorrect escape sequence in error message and stack overflow when char is signed and \200-\376 was in place of hex digit; also fixes \377 was handled as EOF instead of "incorrect character". (ihex_read_section): Changed for consistency. (ihex_bad_byte): Prevent (now impossible to trigger) stack overflow and incorrect escape sequence handling. * srec.c (srec_bad_byte): Likewise. * readelf.c (process_mips_specific): Fix incorrect escape sequence handling. --- binutils/ChangeLog | 11 +++++++++++ binutils/readelf.c | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) (limited to 'binutils') diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 75f5d21..33c5e7d 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,14 @@ +2015-08-04 Yuriy M. Kaminskiy" + Tyler Hicks + + PR binutils/18750 + * readelf.c (process_mips_specific): Fix incorrect escape + sequence handling. + +2015-08-04 Nick Clifton + + * ar.c (extract_file): Free cbuf if the path is invalid. + 2015-07-27 H.J. Lu * configure: Regenerated. diff --git a/binutils/readelf.c b/binutils/readelf.c index a9b9f2d..6298f1e 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -14467,7 +14467,7 @@ process_mips_specific (FILE * file) len = sizeof (* eopt); while (len < option->size) { - char datum = * ((char *) eopt + offset + len); + unsigned char datum = * ((unsigned char *) eopt + offset + len); if (ISPRINT (datum)) printf ("%c", datum); -- cgit v1.1