From 98a4fc78f9dab76b5ada3551a7bef36db8a3ed05 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Fri, 1 Jul 2016 12:35:01 +0100
Subject: [PATCH] Fix potential buffer overflows with sprintf and very large integer values.
binutuils* prdbg.c (pr_enum_type): Use a buffer big enough to hold an extremely large decimal value. (pr_range_type): Likewise. (pr_array_type): Likewise. (pr_struct_field): Likewise. (pr_class_baseclass): Likewise. (pr_class_method_variant): Likewise. (pr_tag_type): Likewise. (pr_int_constant): Likewise. (pr_typed_constant): Likewise. (pr_variable): Likewise. (pr_function_parameter): Likewise. (pr_start_block): Likewise. (pr_lineno): Likewise. (pr_end_block): Likewise. (tg_enum_type): Likewise. (tg_int_constant): Likewise. (tg_typed_constant): Likewise. (tg_start_block): Likewise. gas * macro.c (macro_expand_body): Use a buffer big enough to hold an extremely large integer.
---
 binutils/ChangeLog | 22 ++++++++++++++++++++++
 binutils/prdbg.c | 36 ++++++++++++++++++------------------
 gas/ChangeLog | 5 +++++
 gas/macro.c | 2 +-
 4 files changed, 46 insertions(+), 19 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 83fde819487..4108b78c9b5 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,25 @@
+2016-07-01 Nick Clifton
+
+ * prdbg.c (pr_enum_type): Use a buffer big enough to hold an
+ extremely large decimal value.
+ (pr_range_type): Likewise.
+ (pr_array_type): Likewise.
+ (pr_struct_field): Likewise.
+ (pr_class_baseclass): Likewise.
+ (pr_class_method_variant): Likewise.
+ (pr_tag_type): Likewise.
+ (pr_int_constant): Likewise.
+ (pr_typed_constant): Likewise.
+ (pr_variable): Likewise.
+ (pr_function_parameter): Likewise.
+ (pr_start_block): Likewise.
+ (pr_lineno): Likewise.
+ (pr_end_block): Likewise.
+ (tg_enum_type): Likewise.
+ (tg_int_constant): Likewise.
+ (tg_typed_constant): Likewise.
+ (tg_start_block): Likewise.
+
 2016-07-01 Nick Clifton
 * testsuite/binutils-all/objcopy.exp
diff --git a/binutils/prdbg.c b/binutils/prdbg.c
index 7f3dcceddba..92c608733cd 100644
--- a/binutils/prdbg.c
+++ b/binutils/prdbg.c
@@ -672,7 +672,7 @@ pr_enum_type (void *p, const char *tag, const char **names,
 if (values[i] != val)
 {
- char ab[20];
+ char ab[22];
 print_vma (values[i], ab, FALSE, FALSE);
 if (! append_type (info, " = ")
@@ -802,7 +802,7 @@ static bfd_boolean
 pr_range_type (void *p, bfd_signed_vma lower, bfd_signed_vma upper)
 {
 struct pr_handle *info = (struct pr_handle *) p;
- char abl[20], abu[20];
+ char abl[22], abu[22];
 assert (info->stack != NULL);
@@ -827,7 +827,7 @@ pr_array_type (void *p, bfd_signed_vma lower, bfd_signed_vma upper,
 {
 struct pr_handle *info = (struct pr_handle *) p;
 char *range_type;
- char abl[20], abu[20], ab[50];
+ char abl[22], abu[22], ab[50];
 range_type = pop_type (info);
 if (range_type == NULL)
@@ -1151,7 +1151,7 @@ pr_struct_field (void *p, const char *name, bfd_vma bitpos, bfd_vma bitsize,
 enum debug_visibility visibility)
 {
 struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
 char *t;
 if (! substitute_type (info, name))
@@ -1335,7 +1335,7 @@ pr_class_baseclass (void *p, bfd_vma bitpos, bfd_boolean is_virtual,
 struct pr_handle *info = (struct pr_handle *) p;
 char *t;
 const char *prefix;
- char ab[20];
+ char ab[22];
 char *s, *l, *n;
 assert (info->stack != NULL && info->stack->next != NULL);
@@ -1495,7 +1495,7 @@ pr_class_method_variant (void *p, const char *physname,
 return FALSE;
 if (context || voffset != 0)
 {
- char ab[20];
+ char ab[22];
 if (context)
 {
@@ -1602,7 +1602,7 @@ pr_tag_type (void *p, const char *name, unsigned int id,
 {
 struct pr_handle *info = (struct pr_handle *) p;
 const char *t, *tag;
- char idbuf[20];
+ char idbuf[22];
 switch (kind)
 {
@@ -1698,7 +1698,7 @@ static bfd_boolean
 pr_int_constant (void *p, const char *name, bfd_vma val)
 {
 struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
 indent (info);
 print_vma (val, ab, FALSE, FALSE);
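Review bot: The size 22 is hard-coded at every declaration this patch touches (here, in the seven hunks that follow in this file, and in the pr_typed_constant through tg_start_block hunks further down), with nothing tying it to the width of bfd_vma or to what print_vma emits; the calls visible here, `print_vma (values[i], ab, FALSE, FALSE)`, pass no buffer length, so the bound is enforced only by convention. A 64-bit value takes at most 20 characters of sign and decimal digits plus the terminator, so 22 is sufficient, but that derivation should live in the code rather than in the reviewer's head: a single file-scope constant such as `enum { VMA_BUF_SIZE = 22 };  /* Sign, 20 decimal digits and the NUL for a 64-bit bfd_vma.  */` used as `char ab[VMA_BUF_SIZE];` in each function would make the next widening a one-line change and give a future length-checking print_vma something to compare against. If print_vma cannot be given a length parameter, a comment at its definition stating the minimum buffer size it writes would at least document the contract these callers rely on. All of the enclosing functions start and end outside these hunks.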
@@ -1725,7 +1725,7 @@ pr_typed_constant (void *p, const char *name, bfd_vma val)
 {
 struct pr_handle *info = (struct pr_handle *) p;
 char *t;
- char ab[20];
+ char ab[22];
 t = pop_type (info);
 if (t == NULL)
@@ -1748,7 +1748,7 @@ pr_variable (void *p, const char *name, enum debug_var_kind kind,
 {
 struct pr_handle *info = (struct pr_handle *) p;
 char *t;
- char ab[20];
+ char ab[22];
 if (! substitute_type (info, name))
 return FALSE;
@@ -1811,7 +1811,7 @@ pr_function_parameter (void *p, const char *name,
 {
 struct pr_handle *info = (struct pr_handle *) p;
 char *t;
- char ab[20];
+ char ab[22];
 if (kind == DEBUG_PARM_REFERENCE || kind == DEBUG_PARM_REF_REG)
@@ -1849,7 +1849,7 @@ static bfd_boolean
 pr_start_block (void *p, bfd_vma addr)
 {
 struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
 if (info->parameter > 0)
 {
@@ -1872,7 +1872,7 @@ static bfd_boolean
 pr_lineno (void *p, const char *filename, unsigned long lineno, bfd_vma addr)
 {
 struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
 indent (info);
 print_vma (addr, ab, TRUE, TRUE);
@@ -1887,7 +1887,7 @@ static bfd_boolean
 pr_end_block (void *p, bfd_vma addr)
 {
 struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
 info->indent -= 2;
@@ -1993,7 +1993,7 @@ tg_enum_type (void *p, const char *tag, const char **names,
 struct pr_handle *info = (struct pr_handle *) p;
 unsigned int i;
 const char *name;
- char ab[20];
+ char ab[22];
 if (! pr_enum_type (p, tag, names, values))
 return FALSE;
@@ -2540,7 +2540,7 @@ static bfd_boolean
 tg_int_constant (void *p, const char *name, bfd_vma val)
 {
 struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
 indent (info);
 print_vma (val, ab, FALSE, FALSE);
@@ -2569,7 +2569,7 @@ tg_typed_constant (void *p, const char *name, bfd_vma val)
 {
 struct pr_handle *info = (struct pr_handle *) p;
 char *t;
- char ab[20];
+ char ab[22];
 t = pop_type (info);
 if (t == NULL)
@@ -2747,7 +2747,7 @@ static bfd_boolean
 tg_start_block (void *p, bfd_vma addr)
 {
 struct pr_handle *info = (struct pr_handle *) p;
- char ab[20], kind, *partof;
+ char ab[22], kind, *partof;
 char *t;
 bfd_boolean local;
diff --git a/gas/ChangeLog b/gas/ChangeLog
index 18257389cf6..40a9a2b88ab 100644
--- a/gas/ChangeLog
+++ b/gas/ChangeLog
@@ -1,3 +1,8 @@
+2016-07-01 Nick Clifton
+
+ * macro.c (macro_expand_body): Use a buffer big enough to hold an
+ extremely large integer.
+
 2016-07-01 Jan Beulich
 * testsuite/gas/i386/mpx-inval-2.l: Relax for COFF targets.
diff --git a/gas/macro.c b/gas/macro.c
index 0d1a1d24eae..deb4a49c908 100644
--- a/gas/macro.c
+++ b/gas/macro.c
@@ -842,7 +842,7 @@ macro_expand_body (sb *in, sb *out, formal_entry *formals,
 {
 /* Sub in the macro invocation number. */
- char buffer[10];
+ char buffer[12];
 src++;
 sprintf (buffer, "%d", macro_number);
 sb_add_string (out, buffer);
-- 
2.30.2
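Review bot: In the gas/macro.c hunk `char buffer[12];` is exactly enough for an int printed with %d ("-2147483648" plus the NUL), but nothing records that derivation, and the unchanged `sprintf (buffer, "%d", macro_number);` two lines below would silently overflow again if macro_number were ever widened or the format changed. I would bound the write so the compiler can check it, `snprintf (buffer, sizeof buffer, "%d", macro_number);`, and annotate the declaration with `/* Wide enough for INT_MIN in decimal plus the NUL.  */`. The type of macro_number is not visible in the hunk, so the 12 rests on it being a plain int; if it is wider the new size is still short. macro_expand_body starts and ends outside the hunk.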