Affects: <= 2.29.1 (From OE-Core rev: 9fa2d818018420f3c9afc30012267e6a46fe1d09) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
From 0301ce1486b1450f219202677f30d0fa97335419 Mon Sep 17 00:00:00 2001
|
|
From: Alan Modra <amodra@gmail.com>
|
|
Date: Tue, 17 Oct 2017 16:43:47 +1030
|
|
Subject: [PATCH] PR22306, Invalid free() in slurp_symtab()
|
|
|
|
PR 22306
|
|
* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
|
|
and error for any other size that doesn't cover the header word.
|
|
|
|
Upstream-Status: Backport
|
|
Affects: <= 2.29.1
|
|
CVE: CVE-2017-16827
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
|
|
---
|
|
bfd/ChangeLog | 6 ++++++
|
|
bfd/aoutx.h | 45 ++++++++++++++++++++++++++++++---------------
|
|
2 files changed, 36 insertions(+), 15 deletions(-)
|
|
|
|
Index: git/bfd/aoutx.h
|
|
===================================================================
|
|
--- git.orig/bfd/aoutx.h
|
|
+++ git/bfd/aoutx.h
|
|
@@ -1352,27 +1352,42 @@ aout_get_external_symbols (bfd *abfd)
|
|
|| bfd_bread ((void *) string_chars, amt, abfd) != amt)
|
|
return FALSE;
|
|
stringsize = GET_WORD (abfd, string_chars);
|
|
+ if (stringsize == 0)
|
|
+ stringsize = 1;
|
|
+ else if (stringsize < BYTES_IN_WORD
|
|
+ || (size_t) stringsize != stringsize)
|
|
+ {
|
|
+ bfd_set_error (bfd_error_bad_value);
|
|
+ return FALSE;
|
|
+ }
|
|
|
|
#ifdef USE_MMAP
|
|
- if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
|
|
- &obj_aout_string_window (abfd), TRUE))
|
|
- return FALSE;
|
|
- strings = (char *) obj_aout_string_window (abfd).data;
|
|
-#else
|
|
- strings = (char *) bfd_malloc (stringsize + 1);
|
|
- if (strings == NULL)
|
|
- return FALSE;
|
|
-
|
|
- /* Skip space for the string count in the buffer for convenience
|
|
- when using indexes. */
|
|
- amt = stringsize - BYTES_IN_WORD;
|
|
- if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
|
|
+ if (stringsize >= BYTES_IN_WORD)
|
|
{
|
|
- free (strings);
|
|
- return FALSE;
|
|
+ if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
|
|
+ &obj_aout_string_window (abfd), TRUE))
|
|
+ return FALSE;
|
|
+ strings = (char *) obj_aout_string_window (abfd).data;
|
|
}
|
|
+ else
|
|
#endif
|
|
+ {
|
|
+ strings = (char *) bfd_malloc (stringsize);
|
|
+ if (strings == NULL)
|
|
+ return FALSE;
|
|
|
|
+ if (stringsize >= BYTES_IN_WORD)
|
|
+ {
|
|
+ /* Keep the string count in the buffer for convenience
|
|
+ when indexing with e_strx. */
|
|
+ amt = stringsize - BYTES_IN_WORD;
|
|
+ if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
|
|
+ {
|
|
+ free (strings);
|
|
+ return FALSE;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
/* Ensure that a zero index yields an empty string. */
|
|
strings[0] = '\0';
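Review bot: `stringsize` comes straight from the file, and the added `else if` rejects only values below `BYTES_IN_WORD` or ones that do not fit in `size_t`, so an oversized count still reaches `bfd_malloc (stringsize)` and `bfd_get_file_window`. A malformed a.out can therefore request an allocation far larger than the file before `bfd_bread` fails; this looks like resource exhaustion rather than memory corruption, but the same `else if` could also reject a `stringsize` larger than the bytes remaining after `obj_str_filepos (abfd)`. The `stringsize = 1` branch would benefit from a short comment such as `/* Empty table: allocate one byte so index 0 is the empty string.  */`. `aout_get_external_symbols` starts and ends outside the hunk, so how the buffer's last byte is terminated now that the allocation is `stringsize` rather than `stringsize + 1` is not visible here.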
|
|
|
|
Index: git/bfd/ChangeLog
|
|
===================================================================
|
|
--- git.orig/bfd/ChangeLog
|
|
+++ git/bfd/ChangeLog
|
|
@@ -1,3 +1,9 @@
|
|
+2017-10-17 Alan Modra <amodra@gmail.com>
|
|
+
|
|
+ PR 22306
|
|
+ * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
|
|
+ and error for any other size that doesn't cover the header word.
|
|
+
|
|
2017-11-01 Nick Clifton <nickc@redhat.com>
|
|
|
|
PR 22376
|