From 708d7d0d11f0f2d776171979aa3479e8e12a38a0 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Tue, 28 Oct 2014 10:48:14 +0000 Subject: [PATCH] This patch fixes a flaw in the SREC parser which could cause a stack overflow and potential secuiryt breach. PR binutils/17510 * srec.c (srec_bad_byte): Increase size of buf to allow for negative values. (srec_scan): Use an unsigned char buffer to hold header bytes. --- bfd/ChangeLog | 8 ++++++++ bfd/elf.c | 2 +- bfd/peXXigen.c | 1 - bfd/srec.c | 4 ++-- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 547ef1ce6e4..0a4d0b10bbb 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,11 @@ +2014-10-28 Andreas Schwab + Nick Clifton + + PR binutils/17510 + * srec.c (srec_bad_byte): Increase size of buf to allow for + negative values. + (srec_scan): Use an unsigned char buffer to hold header bytes. + 2014-10-27 Nick Clifton PR binutils/17512 diff --git a/bfd/elf.c b/bfd/elf.c index 3fcf2d85846..949221f96fb 100644 --- a/bfd/elf.c +++ b/bfd/elf.c @@ -629,7 +629,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect) memset (shdr->contents, 0, amt); continue; } - + /* Translate raw contents, a flag word followed by an array of elf section indices all in target byte order, to the flag word followed by an array of elf section diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c index c7d606793f1..61290852ab1 100644 --- a/bfd/peXXigen.c +++ b/bfd/peXXigen.c @@ -515,7 +515,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, a->NumberOfRvaAndSizes = 0; } - for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) { /* If data directory is empty, rva also should be 0. */ diff --git a/bfd/srec.c b/bfd/srec.c index 9ed2080e7da..5f9a54624ee 100644 --- a/bfd/srec.c +++ b/bfd/srec.c @@ -246,7 +246,7 @@ srec_bad_byte (bfd *abfd, } else { - char buf[10]; + char buf[40]; if (! ISPRINT (c)) sprintf (buf, "\\%03o", (unsigned int) c); @@ -452,7 +452,7 @@ srec_scan (bfd *abfd) case 'S': { file_ptr pos; - char hdr[3]; + unsigned char hdr[3]; unsigned int bytes, min_bytes; bfd_vma address; bfd_byte *data; -- 2.30.2