aboutsummaryrefslogtreecommitdiff
path: root/bfd
diff options
context:
space:
mode:
authorNick Clifton <nickc@redhat.com>2014-10-28 10:48:14 +0000
committerNick Clifton <nickc@redhat.com>2014-10-28 10:48:14 +0000
commit708d7d0d11f0f2d776171979aa3479e8e12a38a0 (patch)
tree3cd4fc5f4d2774c3fc791cc4345dd5ba15189b7f /bfd
parent6fb9c0f83252a79b2f1a3f8e75fa117ca7a4d589 (diff)
downloadgdb-708d7d0d11f0f2d776171979aa3479e8e12a38a0.zip
gdb-708d7d0d11f0f2d776171979aa3479e8e12a38a0.tar.gz
gdb-708d7d0d11f0f2d776171979aa3479e8e12a38a0.tar.bz2
This patch fixes a flaw in the SREC parser which could cause a stack overflow
and potential secuiryt breach. PR binutils/17510 * srec.c (srec_bad_byte): Increase size of buf to allow for negative values. (srec_scan): Use an unsigned char buffer to hold header bytes.
Diffstat (limited to 'bfd')
-rw-r--r--bfd/ChangeLog8
-rw-r--r--bfd/elf.c2
-rw-r--r--bfd/peXXigen.c1
-rw-r--r--bfd/srec.c4
4 files changed, 11 insertions, 4 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 547ef1c..0a4d0b1 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2014-10-28 Andreas Schwab <schwab@suse.de>
+ Nick Clifton <nickc@redhat.com>
+
+ PR binutils/17510
+ * srec.c (srec_bad_byte): Increase size of buf to allow for
+ negative values.
+ (srec_scan): Use an unsigned char buffer to hold header bytes.
+
2014-10-27 Nick Clifton <nickc@redhat.com>
PR binutils/17512
diff --git a/bfd/elf.c b/bfd/elf.c
index 3fcf2d8..949221f 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -629,7 +629,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
memset (shdr->contents, 0, amt);
continue;
}
-
+
/* Translate raw contents, a flag word followed by an
array of elf section indices all in target byte order,
to the flag word followed by an array of elf section
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index c7d6067..6129085 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -515,7 +515,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
a->NumberOfRvaAndSizes = 0;
}
-
for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
{
/* If data directory is empty, rva also should be 0. */
diff --git a/bfd/srec.c b/bfd/srec.c
index 9ed2080..5f9a546 100644
--- a/bfd/srec.c
+++ b/bfd/srec.c
@@ -246,7 +246,7 @@ srec_bad_byte (bfd *abfd,
}
else
{
- char buf[10];
+ char buf[40];
if (! ISPRINT (c))
sprintf (buf, "\\%03o", (unsigned int) c);
@@ -452,7 +452,7 @@ srec_scan (bfd *abfd)
case 'S':
{
file_ptr pos;
- char hdr[3];
+ unsigned char hdr[3];
unsigned int bytes, min_bytes;
bfd_vma address;
bfd_byte *data;
generated by cgit v1.1 at 2024-11-29 09:04:21 +0000