Fix potential buffer overflows with sprintf and very large integer values.

binutuils* prdbg.c (pr_enum_type): Use a buffer big enough to hold an
	extremely large decimal value.
	(pr_range_type): Likewise.
	(pr_array_type): Likewise.
	(pr_struct_field): Likewise.
	(pr_class_baseclass): Likewise.
	(pr_class_method_variant): Likewise.
	(pr_tag_type): Likewise.
	(pr_int_constant): Likewise.
	(pr_typed_constant): Likewise.
	(pr_variable): Likewise.
	(pr_function_parameter): Likewise.
	(pr_start_block): Likewise.
	(pr_lineno): Likewise.
	(pr_end_block): Likewise.
	(tg_enum_type): Likewise.
	(tg_int_constant): Likewise.
	(tg_typed_constant): Likewise.
	(tg_start_block): Likewise.

gas	* macro.c (macro_expand_body): Use a buffer big enough to hold an
	extremely large integer.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 83fde8194877891231283b7dda66e408a5891671..4108b78c9b557362a76d430a483da9b01ff08b75 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,25 @@
+2016-07-01  Nick Clifton  <nickc@redhat.com>
+
+       * prdbg.c (pr_enum_type): Use a buffer big enough to hold an
+       extremely large decimal value.
+       (pr_range_type): Likewise.
+       (pr_array_type): Likewise.
+       (pr_struct_field): Likewise.
+       (pr_class_baseclass): Likewise.
+       (pr_class_method_variant): Likewise.
+       (pr_tag_type): Likewise.
+       (pr_int_constant): Likewise.
+       (pr_typed_constant): Likewise.
+       (pr_variable): Likewise.
+       (pr_function_parameter): Likewise.
+       (pr_start_block): Likewise.
+       (pr_lineno): Likewise.
+       (pr_end_block): Likewise.
+       (tg_enum_type): Likewise.
+       (tg_int_constant): Likewise.
+       (tg_typed_constant): Likewise.
+       (tg_start_block): Likewise.
+
 2016-07-01  Nick Clifton  <nickc@redhat.com>
 
        * testsuite/binutils-all/objcopy.exp

diff --git a/binutils/prdbg.c b/binutils/prdbg.c
index 7f3dcceddba11b509c960f88245deac28f19a467..92c608733cd6d8d0f14ccd9c1d08f883c8d45b1f 100644 (file)
--- a/binutils/prdbg.c
+++ b/binutils/prdbg.c
@@ -672,7 +672,7 @@ pr_enum_type (void *p, const char *tag, const char **names,
 
          if (values[i] != val)
            {
-             char ab[20];
+             char ab[22];
 
              print_vma (values[i], ab, FALSE, FALSE);
              if (! append_type (info, " = ")
@@ -802,7 +802,7 @@ static bfd_boolean
 pr_range_type (void *p, bfd_signed_vma lower, bfd_signed_vma upper)
 {
   struct pr_handle *info = (struct pr_handle *) p;
-  char abl[20], abu[20];
+  char abl[22], abu[22];
 
   assert (info->stack != NULL);
 
@@ -827,7 +827,7 @@ pr_array_type (void *p, bfd_signed_vma lower, bfd_signed_vma upper,
 {
   struct pr_handle *info = (struct pr_handle *) p;
   char *range_type;
-  char abl[20], abu[20], ab[50];
+  char abl[22], abu[22], ab[50];
 
   range_type = pop_type (info);
   if (range_type == NULL)
@@ -1151,7 +1151,7 @@ pr_struct_field (void *p, const char *name, bfd_vma bitpos, bfd_vma bitsize,
                 enum debug_visibility visibility)
 {
   struct pr_handle *info = (struct pr_handle *) p;
-  char ab[20];
+  char ab[22];
   char *t;
 
   if (! substitute_type (info, name))
@@ -1335,7 +1335,7 @@ pr_class_baseclass (void *p, bfd_vma bitpos, bfd_boolean is_virtual,
   struct pr_handle *info = (struct pr_handle *) p;
   char *t;
   const char *prefix;
-  char ab[20];
+  char ab[22];
   char *s, *l, *n;
 
   assert (info->stack != NULL && info->stack->next != NULL);
@@ -1495,7 +1495,7 @@ pr_class_method_variant (void *p, const char *physname,
     return FALSE;
   if (context || voffset != 0)
     {
-      char ab[20];
+      char ab[22];
 
       if (context)
        {
@@ -1602,7 +1602,7 @@ pr_tag_type (void *p, const char *name, unsigned int id,
 {
   struct pr_handle *info = (struct pr_handle *) p;
   const char *t, *tag;
-  char idbuf[20];
+  char idbuf[22];
 
   switch (kind)
     {
@@ -1698,7 +1698,7 @@ static bfd_boolean
 pr_int_constant (void *p, const char *name, bfd_vma val)
 {
   struct pr_handle *info = (struct pr_handle *) p;
-  char ab[20];
+  char ab[22];
 
   indent (info);
   print_vma (val, ab, FALSE, FALSE);
@@ -1725,7 +1725,7 @@ pr_typed_constant (void *p, const char *name, bfd_vma val)
 {
   struct pr_handle *info = (struct pr_handle *) p;
   char *t;
-  char ab[20];
+  char ab[22];
 
   t = pop_type (info);
   if (t == NULL)
@@ -1748,7 +1748,7 @@ pr_variable (void *p, const char *name, enum debug_var_kind kind,
 {
   struct pr_handle *info = (struct pr_handle *) p;
   char *t;
-  char ab[20];
+  char ab[22];
 
   if (! substitute_type (info, name))
     return FALSE;
@@ -1811,7 +1811,7 @@ pr_function_parameter (void *p, const char *name,
 {
   struct pr_handle *info = (struct pr_handle *) p;
   char *t;
-  char ab[20];
+  char ab[22];
 
   if (kind == DEBUG_PARM_REFERENCE
       || kind == DEBUG_PARM_REF_REG)
@@ -1849,7 +1849,7 @@ static bfd_boolean
 pr_start_block (void *p, bfd_vma addr)
 {
   struct pr_handle *info = (struct pr_handle *) p;
-  char ab[20];
+  char ab[22];
 
   if (info->parameter > 0)
     {
@@ -1872,7 +1872,7 @@ static bfd_boolean
 pr_lineno (void *p, const char *filename, unsigned long lineno, bfd_vma addr)
 {
   struct pr_handle *info = (struct pr_handle *) p;
-  char ab[20];
+  char ab[22];
 
   indent (info);
   print_vma (addr, ab, TRUE, TRUE);
@@ -1887,7 +1887,7 @@ static bfd_boolean
 pr_end_block (void *p, bfd_vma addr)
 {
   struct pr_handle *info = (struct pr_handle *) p;
-  char ab[20];
+  char ab[22];
 
   info->indent -= 2;
 
@@ -1993,7 +1993,7 @@ tg_enum_type (void *p, const char *tag, const char **names,
   struct pr_handle *info = (struct pr_handle *) p;
   unsigned int i;
   const char *name;
-  char ab[20];
+  char ab[22];
 
   if (! pr_enum_type (p, tag, names, values))
     return FALSE;
@@ -2540,7 +2540,7 @@ static bfd_boolean
 tg_int_constant (void *p, const char *name, bfd_vma val)
 {
   struct pr_handle *info = (struct pr_handle *) p;
-  char ab[20];
+  char ab[22];
 
   indent (info);
   print_vma (val, ab, FALSE, FALSE);
@@ -2569,7 +2569,7 @@ tg_typed_constant (void *p, const char *name, bfd_vma val)
 {
   struct pr_handle *info = (struct pr_handle *) p;
   char *t;
-  char ab[20];
+  char ab[22];
 
   t = pop_type (info);
   if (t == NULL)
@@ -2747,7 +2747,7 @@ static bfd_boolean
 tg_start_block (void *p, bfd_vma addr)
 {
   struct pr_handle *info = (struct pr_handle *) p;
-  char ab[20], kind, *partof;
+  char ab[22], kind, *partof;
   char *t;
   bfd_boolean local;
 

diff --git a/gas/ChangeLog b/gas/ChangeLog
index 18257389cf61e97f2a3922704d72900085474872..40a9a2b88aba86a59dd64032e1d1c271fc7e5eba 100644 (file)
--- a/gas/ChangeLog
+++ b/gas/ChangeLog
@@ -1,3 +1,8 @@
+2016-07-01  Nick Clifton  <nickc@redhat.com>
+
+       * macro.c (macro_expand_body): Use a buffer big enough to hold an
+       extremely large integer.
+
 2016-07-01  Jan Beulich  <jbeulich@suse.com>
 
        * testsuite/gas/i386/mpx-inval-2.l: Relax for COFF targets.

diff --git a/gas/macro.c b/gas/macro.c
index 0d1a1d24eae78ec003b9f7c74e97121c8de598e6..deb4a49c9083aa218fa7699e9314e829ed62eb1d 100644 (file)
--- a/gas/macro.c
+++ b/gas/macro.c
@@ -842,7 +842,7 @@ macro_expand_body (sb *in, sb *out, formal_entry *formals,
            {
              /* Sub in the macro invocation number.  */
 
-             char buffer[10];
+             char buffer[12];
              src++;
              sprintf (buffer, "%d", macro_number);
              sb_add_string (out, buffer);