From 7e27a9d5f22f9f7ead11738b1546d0b5c737266b Mon Sep 17 00:00:00 2001 From: "Yuriy M. Kaminskiy" Date: Tue, 4 Aug 2015 16:51:53 +0100 Subject: [PATCH] Fix stack buffer overflows when parsing corrupt ihex files. PR binutils/18750 * ihex.c (ihex_scan): Fixes incorrect escape sequence in error message and stack overflow when char is signed and \200-\376 was in place of hex digit; also fixes \377 was handled as EOF instead of "incorrect character". (ihex_read_section): Changed for consistency. (ihex_bad_byte): Prevent (now impossible to trigger) stack overflow and incorrect escape sequence handling. * srec.c (srec_bad_byte): Likewise. * readelf.c (process_mips_specific): Fix incorrect escape sequence handling. --- bfd/ChangeLog | 12 ++++++++++++ bfd/ihex.c | 6 +++--- bfd/srec.c | 2 +- binutils/ChangeLog | 11 +++++++++++ binutils/readelf.c | 2 +- 5 files changed, 28 insertions(+), 5 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 986299d7796..a8b3646cfe4 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,15 @@ +2015-08-04 Yuriy M. Kaminskiy" + Tyler Hicks + + PR binutils/18750 + * ihex.c (ihex_scan): Fixes incorrect escape sequence in error message + and stack overflow when char is signed and \200-\376 was in place of hex + digit; also fixes \377 was handled as EOF instead of "incorrect character". + (ihex_read_section): Changed for consistency. + (ihex_bad_byte): Prevent (now impossible to trigger) stack + overflow and incorrect escape sequence handling. + * srec.c (srec_bad_byte): Likewise. + 2015-08-03 Hans-Peter Nilsson * elf32-cris.c (cris_elf_relocate_section) diff --git a/bfd/ihex.c b/bfd/ihex.c index 8e663726eee..38112f6e0d0 100644 --- a/bfd/ihex.c +++ b/bfd/ihex.c @@ -219,7 +219,7 @@ ihex_bad_byte (bfd *abfd, unsigned int lineno, int c, bfd_boolean error) char buf[10]; if (! ISPRINT (c)) - sprintf (buf, "\\%03o", (unsigned int) c); + sprintf (buf, "\\%03o", (unsigned int) c & 0xff); else { buf[0] = c; @@ -276,7 +276,7 @@ ihex_scan (bfd *abfd) else { file_ptr pos; - char hdr[8]; + unsigned char hdr[8]; unsigned int i; unsigned int len; bfd_vma addr; @@ -553,7 +553,7 @@ ihex_read_section (bfd *abfd, asection *section, bfd_byte *contents) error = FALSE; while ((c = ihex_get_byte (abfd, &error)) != EOF) { - char hdr[8]; + unsigned char hdr[8]; unsigned int len; unsigned int type; unsigned int i; diff --git a/bfd/srec.c b/bfd/srec.c index 24573cff61b..96b6a2f084f 100644 --- a/bfd/srec.c +++ b/bfd/srec.c @@ -249,7 +249,7 @@ srec_bad_byte (bfd *abfd, char buf[40]; if (! ISPRINT (c)) - sprintf (buf, "\\%03o", (unsigned int) c); + sprintf (buf, "\\%03o", (unsigned int) c & 0xff); else { buf[0] = c; diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 75f5d212513..33c5e7d794c 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,14 @@ +2015-08-04 Yuriy M. Kaminskiy" + Tyler Hicks + + PR binutils/18750 + * readelf.c (process_mips_specific): Fix incorrect escape + sequence handling. + +2015-08-04 Nick Clifton + + * ar.c (extract_file): Free cbuf if the path is invalid. + 2015-07-27 H.J. Lu * configure: Regenerated. diff --git a/binutils/readelf.c b/binutils/readelf.c index a9b9f2dbbd2..6298f1e29d8 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -14467,7 +14467,7 @@ process_mips_specific (FILE * file) len = sizeof (* eopt); while (len < option->size) { - char datum = * ((char *) eopt + offset + len); + unsigned char datum = * ((unsigned char *) eopt + offset + len); if (ISPRINT (datum)) printf ("%c", datum); -- 2.30.2