This patch fixes a flaw in the SREC parser which could cause a stack overflow
authorNick Clifton <nickc@redhat.com>
Tue, 28 Oct 2014 10:48:14 +0000 (10:48 +0000)
committerNick Clifton <nickc@redhat.com>
Tue, 28 Oct 2014 10:48:14 +0000 (10:48 +0000)
and potential security breach.

PR binutils/17510
* srec.c (srec_bad_byte): Increase size of buf to allow for
negative values.
(srec_scan): Use an unsigned char buffer to hold header bytes.

bfd/ChangeLog
bfd/elf.c
bfd/peXXigen.c
bfd/srec.c

index 547ef1ce6e468941b205d1fb09e3869b3fc4cfad..0a4d0b10bbb70b431a52f31621b47b1acef1e480 100644 (file)
@@ -1,3 +1,11 @@
+2014-10-28  Andreas Schwab  <schwab@suse.de>
+           Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/17510
+       * srec.c (srec_bad_byte): Increase size of buf to allow for
+       negative values.
+       (srec_scan): Use an unsigned char buffer to hold header bytes.
+
 2014-10-27  Nick Clifton  <nickc@redhat.com>
 
        PR binutils/17512
index 3fcf2d85846819cb8eabe53de27dd681cc3b4aca..949221f96fb4d3d5114ad78f9bac52fdcf737315 100644 (file)
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -629,7 +629,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
                      memset (shdr->contents, 0, amt);
                      continue;
                    }
-                 
+
                  /* Translate raw contents, a flag word followed by an
                     array of elf section indices all in target byte order,
                     to the flag word followed by an array of elf section
index c7d606793f111a3f8f5094f831bf13d843f0c6d4..61290852ab13d25401fc0126ff40b3cc24e86a88 100644 (file)
@@ -515,7 +515,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
        a->NumberOfRvaAndSizes = 0;
       }
 
-
     for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
       {
         /* If data directory is empty, rva also should be 0.  */
index 9ed2080e7dabfef7d48c66cfef5ceb3f95e33135..5f9a54624ee5200eec7bd1735a83562696f651ff 100644 (file)
@@ -246,7 +246,7 @@ srec_bad_byte (bfd *abfd,
     }
   else
     {
-      char buf[10];
+      char buf[40];
 
       if (! ISPRINT (c))
        sprintf (buf, "\\%03o", (unsigned int) c);
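Review bot: The `sprintf` into `buf` in srec_bad_byte is still unbounded after this change; it stays in bounds only because 40 bytes happens to exceed the longest octal rendering of an `unsigned int`. `%03o` is a minimum width, so a negative `c` converted by the visible cast prints far more than three digits, which is presumably what overran the old 10-byte buffer. I would make the bound explicit at the call, `snprintf (buf, sizeof buf, "\\%03o", (unsigned int) c);`, and add a comment on the declaration such as `/* Room for a backslash plus the octal form of any unsigned int.  */` so the size is not shrunk again later. The declaration of `c` and the rest of the function lie outside the hunk, so whether the value should instead be masked to a single byte before formatting needs checking against the callers.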
@@ -452,7 +452,7 @@ srec_scan (bfd *abfd)
        case 'S':
          {
            file_ptr pos;
-           char hdr[3];
+           unsigned char hdr[3];
            unsigned int bytes, min_bytes;
            bfd_vma address;
            bfd_byte *data;
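Review bot: The switch of `hdr` to `unsigned char` in srec_scan has no comment saying why signedness matters, so a later cleanup could quietly change it back to plain `char`. I would add a short note above the declaration, for example `/* Unsigned so header bytes >= 0x80 are not sign-extended when used as int.  */`. The reads into `hdr` and its uses are outside this hunk, so it is worth confirming that every place a header byte is widened to `int` or handed to srec_bad_byte now sees a value in 0..255. Any other plain `char` buffers in this parser that hold raw file bytes deserve the same check.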