From 369c2993f7e8d06e556d7a20eaaa8d3b3a53d878 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Oct 31 2014 12:26:15 +0000 Subject: - Fix buffer overrun in ihex parser. - Fix memory corruption in previous patch. - Consoldiate corrupt handling patches into just one patch. - Default strings command to using -a.
---
diff --git a/binutils-2.24-corrupt-binaries.patch b/binutils-2.24-corrupt-binaries.patch
new file mode 100644
index 0000000..b3985a9
--- /dev/null
+++ b/binutils-2.24-corrupt-binaries.patch
@@ -0,0 +1,1041 @@ +diff -cpr ../binutils-2.24.orig/bfd/elf.c bfd/elf.c +*** ../binutils-2.24.orig/bfd/elf.c 2014-10-31 11:50:20.132220820 +0000 +--- bfd/elf.c 2014-10-31 11:53:23.669281197 +0000 +*************** setup_group (bfd *abfd, Elf_Internal_Shd +*** 608,616 **** + if (shdr->contents == NULL) + { + _bfd_error_handler +! (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); + bfd_set_error (bfd_error_bad_value); +! return FALSE; + } + + memset (shdr->contents, 0, amt); +--- 608,617 ---- + if (shdr->contents == NULL) + { + _bfd_error_handler +! (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); + bfd_set_error (bfd_error_bad_value); +! -- num_group; +! continue; + } + + memset (shdr->contents, 0, amt); +*************** setup_group (bfd *abfd, Elf_Internal_Shd +*** 618,625 **** + if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 + || (bfd_bread (shdr->contents, shdr->sh_size, abfd) + != shdr->sh_size)) +! return FALSE; +! + /* Translate raw contents, a flag word followed by an + array of elf section indices all in target byte order, + to the flag word followed by an array of elf section +--- 619,635 ---- + if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 + || (bfd_bread (shdr->contents, shdr->sh_size, abfd) + != shdr->sh_size)) +! { +! _bfd_error_handler +! (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size); +! bfd_set_error (bfd_error_bad_value); +! -- num_group; +! /* PR 17510: If the group contents are even partially +! corrupt, do not allow any of the contents to be used. */ +! memset (shdr->contents, 0, amt); +! continue; +! } +! 
+ /* Translate raw contents, a flag word followed by an + array of elf section indices all in target byte order, + to the flag word followed by an array of elf section +*************** setup_group (bfd *abfd, Elf_Internal_Shd +*** 651,656 **** +--- 661,681 ---- + } + } + } ++ ++ /* PR 17510: Corrupt binaries might contain invalid groups. */ ++ if (num_group != (unsigned) elf_tdata (abfd)->num_group) ++ { ++ elf_tdata (abfd)->num_group = num_group; ++ ++ /* If all groups are invalid then fail. */ ++ if (num_group == 0) ++ { ++ elf_tdata (abfd)->group_sect_ptr = NULL; ++ elf_tdata (abfd)->num_group = num_group = -1; ++ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd); ++ bfd_set_error (bfd_error_bad_value); ++ } ++ } + } + } + +*************** setup_group (bfd *abfd, Elf_Internal_Shd +*** 716,721 **** +--- 741,747 ---- + { + (*_bfd_error_handler) (_("%B: no group info for section %A"), + abfd, newsect); ++ return FALSE; + } + return TRUE; + } +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1556,1593 **** + Elf_Internal_Ehdr *ehdr; + const struct elf_backend_data *bed; + const char *name; + + if (shindex >= elf_numsections (abfd)) + return FALSE; + + hdr = elf_elfsections (abfd)[shindex]; + ehdr = elf_elfheader (abfd); + name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx, + hdr->sh_name); + if (name == NULL) +! return FALSE; + + bed = get_elf_backend_data (abfd); + switch (hdr->sh_type) + { + case SHT_NULL: + /* Inactive section. Throw it away. */ +! return TRUE; + +! case SHT_PROGBITS: /* Normal section with contents. */ +! case SHT_NOBITS: /* .bss section. */ +! case SHT_HASH: /* .hash section. */ +! case SHT_NOTE: /* .note section. */ + case SHT_INIT_ARRAY: /* .init_array section. */ + case SHT_FINI_ARRAY: /* .fini_array section. */ + case SHT_PREINIT_ARRAY: /* .preinit_array section. */ + case SHT_GNU_LIBLIST: /* .gnu.liblist section. */ + case SHT_GNU_HASH: /* .gnu.hash section. */ +! 
return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); + + case SHT_DYNAMIC: /* Dynamic linking information. */ + if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +! return FALSE; + if (hdr->sh_link > elf_numsections (abfd)) + { + /* PR 10478: Accept Solaris binaries with a sh_link +--- 1582,1655 ---- + Elf_Internal_Ehdr *ehdr; + const struct elf_backend_data *bed; + const char *name; ++ bfd_boolean ret = TRUE; ++ static bfd_boolean * sections_being_created = NULL; ++ static bfd * sections_being_created_abfd = NULL; ++ static unsigned int nesting = 0; + + if (shindex >= elf_numsections (abfd)) + return FALSE; + ++ if (++ nesting > 3) ++ { ++ /* PR17512: A corrupt ELF binary might contain a recursive group of ++ sections, each the string indicies pointing to the next in the ++ loop. Detect this here, by refusing to load a section that we are ++ already in the process of loading. We only trigger this test if ++ we have nested at least three sections deep as normal ELF binaries ++ can expect to recurse at least once. ++ ++ FIXME: It would be better if this array was attached to the bfd, ++ rather than being held in a static pointer. */ ++ ++ if (sections_being_created_abfd != abfd) ++ sections_being_created = NULL; ++ if (sections_being_created == NULL) ++ { ++ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */ ++ sections_being_created = (bfd_boolean *) ++ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean)); ++ sections_being_created_abfd = abfd; ++ } ++ if (sections_being_created [shindex]) ++ { ++ (*_bfd_error_handler) ++ (_("%B: warning: loop in section dependencies detected"), abfd); ++ return FALSE; ++ } ++ sections_being_created [shindex] = TRUE; ++ } ++ + hdr = elf_elfsections (abfd)[shindex]; + ehdr = elf_elfheader (abfd); + name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx, + hdr->sh_name); + if (name == NULL) +! 
goto fail; + + bed = get_elf_backend_data (abfd); + switch (hdr->sh_type) + { + case SHT_NULL: + /* Inactive section. Throw it away. */ +! goto success; + +! case SHT_PROGBITS: /* Normal section with contents. */ +! case SHT_NOBITS: /* .bss section. */ +! case SHT_HASH: /* .hash section. */ +! case SHT_NOTE: /* .note section. */ + case SHT_INIT_ARRAY: /* .init_array section. */ + case SHT_FINI_ARRAY: /* .fini_array section. */ + case SHT_PREINIT_ARRAY: /* .preinit_array section. */ + case SHT_GNU_LIBLIST: /* .gnu.liblist section. */ + case SHT_GNU_HASH: /* .gnu.hash section. */ +! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); +! goto success; + + case SHT_DYNAMIC: /* Dynamic linking information. */ + if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +! goto fail; +! + if (hdr->sh_link > elf_numsections (abfd)) + { + /* PR 10478: Accept Solaris binaries with a sh_link +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1601,1611 **** + break; + /* Otherwise fall through. */ + default: +! return FALSE; + } + } + else if (elf_elfsections (abfd)[hdr->sh_link] == NULL) +! return FALSE; + else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB) + { + Elf_Internal_Shdr *dynsymhdr; +--- 1663,1673 ---- + break; + /* Otherwise fall through. */ + default: +! goto fail; + } + } + else if (elf_elfsections (abfd)[hdr->sh_link] == NULL) +! goto fail; + else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB) + { + Elf_Internal_Shdr *dynsymhdr; +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1634,1657 **** + } + } + } +! break; + +! case SHT_SYMTAB: /* A symbol table */ + if (elf_onesymtab (abfd) == shindex) +! return TRUE; + + if (hdr->sh_entsize != bed->s->sizeof_sym) +! return FALSE; + if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) + { + if (hdr->sh_size != 0) +! return FALSE; + /* Some assemblers erroneously set sh_info to one with a + zero sh_size. 
ld sees this as a global symbol count + of (unsigned) -1. Fix it here. */ + hdr->sh_info = 0; +! return TRUE; + } + BFD_ASSERT (elf_onesymtab (abfd) == 0); + elf_onesymtab (abfd) = shindex; + elf_tdata (abfd)->symtab_hdr = *hdr; +--- 1696,1721 ---- + } + } + } +! goto success; + +! case SHT_SYMTAB: /* A symbol table. */ + if (elf_onesymtab (abfd) == shindex) +! goto success; + + if (hdr->sh_entsize != bed->s->sizeof_sym) +! goto fail; +! + if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) + { + if (hdr->sh_size != 0) +! goto fail; + /* Some assemblers erroneously set sh_info to one with a + zero sh_size. ld sees this as a global symbol count + of (unsigned) -1. Fix it here. */ + hdr->sh_info = 0; +! goto success; + } ++ + BFD_ASSERT (elf_onesymtab (abfd) == 0); + elf_onesymtab (abfd) = shindex; + elf_tdata (abfd)->symtab_hdr = *hdr; +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1668,1674 **** + && (abfd->flags & DYNAMIC) != 0 + && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name, + shindex)) +! return FALSE; + + /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we + can't read symbols without that section loaded as well. It +--- 1732,1738 ---- + && (abfd->flags & DYNAMIC) != 0 + && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name, + shindex)) +! goto fail; + + /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we + can't read symbols without that section loaded as well. It +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1694,1719 **** + break; + } + if (i != shindex) +! return bfd_section_from_shdr (abfd, i); + } +! return TRUE; + +! case SHT_DYNSYM: /* A dynamic symbol table */ + if (elf_dynsymtab (abfd) == shindex) +! return TRUE; + + if (hdr->sh_entsize != bed->s->sizeof_sym) +! return FALSE; + if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) + { + if (hdr->sh_size != 0) +! return FALSE; + /* Some linkers erroneously set sh_info to one with a + zero sh_size. 
ld sees this as a global symbol count + of (unsigned) -1. Fix it here. */ + hdr->sh_info = 0; +! return TRUE; + } + BFD_ASSERT (elf_dynsymtab (abfd) == 0); + elf_dynsymtab (abfd) = shindex; + elf_tdata (abfd)->dynsymtab_hdr = *hdr; +--- 1758,1786 ---- + break; + } + if (i != shindex) +! ret = bfd_section_from_shdr (abfd, i); + } +! goto success; + +! case SHT_DYNSYM: /* A dynamic symbol table. */ + if (elf_dynsymtab (abfd) == shindex) +! goto success; + + if (hdr->sh_entsize != bed->s->sizeof_sym) +! goto fail; +! + if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) + { + if (hdr->sh_size != 0) +! goto fail; +! + /* Some linkers erroneously set sh_info to one with a + zero sh_size. ld sees this as a global symbol count + of (unsigned) -1. Fix it here. */ + hdr->sh_info = 0; +! goto success; + } ++ + BFD_ASSERT (elf_dynsymtab (abfd) == 0); + elf_dynsymtab (abfd) = shindex; + elf_tdata (abfd)->dynsymtab_hdr = *hdr; +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1722,1755 **** + + /* Besides being a symbol table, we also treat this as a regular + section, so that objcopy can handle it. */ +! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); + +! case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections */ + if (elf_symtab_shndx (abfd) == shindex) +! return TRUE; + + BFD_ASSERT (elf_symtab_shndx (abfd) == 0); + elf_symtab_shndx (abfd) = shindex; + elf_tdata (abfd)->symtab_shndx_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr; +! return TRUE; + +! case SHT_STRTAB: /* A string table */ + if (hdr->bfd_section != NULL) +! return TRUE; + if (ehdr->e_shstrndx == shindex) + { + elf_tdata (abfd)->shstrtab_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr; +! 
return TRUE; + } + if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex) + { + symtab_strtab: + elf_tdata (abfd)->strtab_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr; +! return TRUE; + } + if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex) + { + dynsymtab_strtab: +--- 1789,1826 ---- + + /* Besides being a symbol table, we also treat this as a regular + section, so that objcopy can handle it. */ +! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); +! goto success; + +! case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections. */ + if (elf_symtab_shndx (abfd) == shindex) +! goto success; + + BFD_ASSERT (elf_symtab_shndx (abfd) == 0); + elf_symtab_shndx (abfd) = shindex; + elf_tdata (abfd)->symtab_shndx_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr; +! goto success; + +! case SHT_STRTAB: /* A string table. */ + if (hdr->bfd_section != NULL) +! goto success; +! + if (ehdr->e_shstrndx == shindex) + { + elf_tdata (abfd)->shstrtab_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr; +! goto success; + } ++ + if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex) + { + symtab_strtab: + elf_tdata (abfd)->strtab_hdr = *hdr; + elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr; +! goto success; + } ++ + if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex) + { + dynsymtab_strtab: +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1758,1765 **** + elf_elfsections (abfd)[shindex] = hdr; + /* We also treat this as a regular section, so that objcopy + can handle it. */ +! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +! shindex); + } + + /* If the string table isn't one of the above, then treat it as a +--- 1829,1837 ---- + elf_elfsections (abfd)[shindex] = hdr; + /* We also treat this as a regular section, so that objcopy + can handle it. */ +! 
ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, +! shindex); +! goto success; + } + + /* If the string table isn't one of the above, then treat it as a +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1777,1785 **** + { + /* Prevent endless recursion on broken objects. */ + if (i == shindex) +! return FALSE; + if (! bfd_section_from_shdr (abfd, i)) +! return FALSE; + if (elf_onesymtab (abfd) == i) + goto symtab_strtab; + if (elf_dynsymtab (abfd) == i) +--- 1849,1857 ---- + { + /* Prevent endless recursion on broken objects. */ + if (i == shindex) +! goto fail; + if (! bfd_section_from_shdr (abfd, i)) +! goto fail; + if (elf_onesymtab (abfd) == i) + goto symtab_strtab; + if (elf_dynsymtab (abfd) == i) +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1787,1793 **** + } + } + } +! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); + + case SHT_REL: + case SHT_RELA: +--- 1859,1866 ---- + } + } + } +! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); +! goto success; + + case SHT_REL: + case SHT_RELA: +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1802,1808 **** + if (hdr->sh_entsize + != (bfd_size_type) (hdr->sh_type == SHT_REL + ? bed->s->sizeof_rel : bed->s->sizeof_rela)) +! return FALSE; + + /* Check for a bogus link to avoid crashing. */ + if (hdr->sh_link >= num_sec) +--- 1875,1881 ---- + if (hdr->sh_entsize + != (bfd_size_type) (hdr->sh_type == SHT_REL + ? bed->s->sizeof_rel : bed->s->sizeof_rela)) +! goto fail; + + /* Check for a bogus link to avoid crashing. */ + if (hdr->sh_link >= num_sec) +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1810,1817 **** + ((*_bfd_error_handler) + (_("%B: invalid link %lu for reloc section %s (index %u)"), + abfd, hdr->sh_link, name, shindex)); +! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +! 
shindex); + } + + /* For some incomprehensible reason Oracle distributes +--- 1883,1891 ---- + ((*_bfd_error_handler) + (_("%B: invalid link %lu for reloc section %s (index %u)"), + abfd, hdr->sh_link, name, shindex)); +! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, +! shindex); +! goto success; + } + + /* For some incomprehensible reason Oracle distributes +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1852,1858 **** + if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB + || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM) + && ! bfd_section_from_shdr (abfd, hdr->sh_link)) +! return FALSE; + + /* If this reloc section does not use the main symbol table we + don't treat it as a reloc section. BFD can't adequately +--- 1926,1932 ---- + if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB + || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM) + && ! bfd_section_from_shdr (abfd, hdr->sh_link)) +! goto fail; + + /* If this reloc section does not use the main symbol table we + don't treat it as a reloc section. BFD can't adequately +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1867,1880 **** + || hdr->sh_info >= num_sec + || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL + || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA) +! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +! shindex); + + if (! bfd_section_from_shdr (abfd, hdr->sh_info)) +! return FALSE; + target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info); + if (target_sect == NULL) +! return FALSE; + + esdt = elf_section_data (target_sect); + if (hdr->sh_type == SHT_RELA) +--- 1941,1958 ---- + || hdr->sh_info >= num_sec + || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL + || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA) +! { +! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, +! shindex); +! goto success; +! } + + if (! 
bfd_section_from_shdr (abfd, hdr->sh_info)) +! goto fail; +! + target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info); + if (target_sect == NULL) +! goto fail; + + esdt = elf_section_data (target_sect); + if (hdr->sh_type == SHT_RELA) +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1886,1892 **** + amt = sizeof (*hdr2); + hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); + if (hdr2 == NULL) +! return FALSE; + *hdr2 = *hdr; + *p_hdr = hdr2; + elf_elfsections (abfd)[shindex] = hdr2; +--- 1964,1970 ---- + amt = sizeof (*hdr2); + hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); + if (hdr2 == NULL) +! goto fail; + *hdr2 = *hdr; + *p_hdr = hdr2; + elf_elfsections (abfd)[shindex] = hdr2; +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1902,1935 **** + target_sect->use_rela_p = 1; + } + abfd->flags |= HAS_RELOC; +! return TRUE; + } + + case SHT_GNU_verdef: + elf_dynverdef (abfd) = shindex; + elf_tdata (abfd)->dynverdef_hdr = *hdr; +! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); + + case SHT_GNU_versym: + if (hdr->sh_entsize != sizeof (Elf_External_Versym)) +! return FALSE; + elf_dynversym (abfd) = shindex; + elf_tdata (abfd)->dynversym_hdr = *hdr; +! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); + + case SHT_GNU_verneed: + elf_dynverref (abfd) = shindex; + elf_tdata (abfd)->dynverref_hdr = *hdr; +! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); + + case SHT_SHLIB: +! return TRUE; + + case SHT_GROUP: + if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE)) +! return FALSE; + if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +! return FALSE; + if (hdr->contents != NULL) + { + Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents; +--- 1980,2019 ---- + target_sect->use_rela_p = 1; + } + abfd->flags |= HAS_RELOC; +! goto success; + } + + case SHT_GNU_verdef: + elf_dynverdef (abfd) = shindex; + elf_tdata (abfd)->dynverdef_hdr = *hdr; +! 
ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); +! goto success; + + case SHT_GNU_versym: + if (hdr->sh_entsize != sizeof (Elf_External_Versym)) +! goto fail; +! + elf_dynversym (abfd) = shindex; + elf_tdata (abfd)->dynversym_hdr = *hdr; +! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); +! goto success; + + case SHT_GNU_verneed: + elf_dynverref (abfd) = shindex; + elf_tdata (abfd)->dynverref_hdr = *hdr; +! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); +! goto success; + + case SHT_SHLIB: +! goto success; + + case SHT_GROUP: + if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE)) +! goto fail; +! + if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +! goto fail; +! + if (hdr->contents != NULL) + { + Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents; +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1955,1961 **** + } + } + } +! break; + + default: + /* Possibly an attributes section. */ +--- 2039,2045 ---- + } + } + } +! goto success; + + default: + /* Possibly an attributes section. */ +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1963,1976 **** + || hdr->sh_type == bed->obj_attrs_section_type) + { + if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +! return FALSE; + _bfd_elf_parse_attributes (abfd, hdr); +! return TRUE; + } + + /* Check for any processor-specific section types. */ + if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex)) +! return TRUE; + + if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER) + { +--- 2047,2060 ---- + || hdr->sh_type == bed->obj_attrs_section_type) + { + if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) +! goto fail; + _bfd_elf_parse_attributes (abfd, hdr); +! goto success; + } + + /* Check for any processor-specific section types. */ + if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex)) +! 
goto success; + + if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER) + { +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 1982,1990 **** + "specific section `%s' [0x%8x]"), + abfd, name, hdr->sh_type); + else +! /* Allow sections reserved for applications. */ +! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, +! shindex); + } + else if (hdr->sh_type >= SHT_LOPROC + && hdr->sh_type <= SHT_HIPROC) +--- 2066,2077 ---- + "specific section `%s' [0x%8x]"), + abfd, name, hdr->sh_type); + else +! { +! /* Allow sections reserved for applications. */ +! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, +! shindex); +! goto success; +! } + } + else if (hdr->sh_type >= SHT_LOPROC + && hdr->sh_type <= SHT_HIPROC) +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 2005,2012 **** + "`%s' [0x%8x]"), + abfd, name, hdr->sh_type); + else +! /* Otherwise it should be processed. */ +! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); + } + else + /* FIXME: We should handle this section. */ +--- 2092,2102 ---- + "`%s' [0x%8x]"), + abfd, name, hdr->sh_type); + else +! { +! /* Otherwise it should be processed. */ +! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); +! goto success; +! } + } + else + /* FIXME: We should handle this section. */ +*************** bfd_section_from_shdr (bfd *abfd, unsign +*** 2014,2023 **** + (_("%B: don't know how to handle section `%s' [0x%8x]"), + abfd, name, hdr->sh_type); + +! return FALSE; + } + +! return TRUE; + } + + /* Return the local symbol specified by ABFD, R_SYMNDX. */ +--- 2104,2123 ---- + (_("%B: don't know how to handle section `%s' [0x%8x]"), + abfd, name, hdr->sh_type); + +! goto fail; + } + +! fail: +! ret = FALSE; +! success: +! if (sections_being_created && sections_being_created_abfd == abfd) +! sections_being_created [shindex] = FALSE; +! if (-- nesting == 0) +! { +! sections_being_created = NULL; +! sections_being_created_abfd = abfd; +! } +! 
return ret; + } + + /* Return the local symbol specified by ABFD, R_SYMNDX. */ +*************** elfcore_write_lwpstatus (bfd *abfd, +*** 9296,9302 **** + lwpstat.pr_lwpid = pid >> 16; + lwpstat.pr_cursig = cursig; + #if defined (HAVE_LWPSTATUS_T_PR_REG) +! memcpy (lwpstat.pr_reg, gregs, sizeof (lwpstat.pr_reg)); + #elif defined (HAVE_LWPSTATUS_T_PR_CONTEXT) + #if !defined(gregs) + memcpy (lwpstat.pr_context.uc_mcontext.gregs, +--- 9396,9402 ---- + lwpstat.pr_lwpid = pid >> 16; + lwpstat.pr_cursig = cursig; + #if defined (HAVE_LWPSTATUS_T_PR_REG) +! memcpy (&lwpstat.pr_reg, gregs, sizeof (lwpstat.pr_reg)); + #elif defined (HAVE_LWPSTATUS_T_PR_CONTEXT) + #if !defined(gregs) + memcpy (lwpstat.pr_context.uc_mcontext.gregs, +diff -cpr ../binutils-2.24.orig/bfd/ihex.c bfd/ihex.c +*** ../binutils-2.24.orig/bfd/ihex.c 2014-10-31 11:50:20.143220890 +0000 +--- bfd/ihex.c 2014-10-31 11:51:45.746721162 +0000 +*************** ihex_scan (bfd *abfd) +*** 322,328 **** + { + if (! ISHEX (buf[i])) + { +! ihex_bad_byte (abfd, lineno, hdr[i], error); + goto error_return; + } + } +--- 322,328 ---- + { + if (! ISHEX (buf[i])) + { +! ihex_bad_byte (abfd, lineno, buf[i], error); + goto error_return; + } + } +diff -cpr ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c +*** ../binutils-2.24.orig/bfd/peXXigen.c 2014-10-31 11:50:20.149220928 +0000 +--- bfd/peXXigen.c 2014-10-31 11:51:00.397462266 +0000 +*************** _bfd_XXi_swap_aouthdr_in (bfd * abfd, +*** 460,465 **** +--- 460,476 ---- + { + int idx; + ++ /* PR 17512: Corrupt PE binaries can cause seg-faults. */ ++ if (a->NumberOfRvaAndSizes > 16) ++ { ++ (*_bfd_error_handler) ++ (_("%B: aout header specifies an invalid number of data-directory entries: %d"), ++ abfd, a->NumberOfRvaAndSizes); ++ /* Paranoia: If the number is corrupt, then assume that the ++ actual entries themselves might be corrupt as well. 
*/ ++ a->NumberOfRvaAndSizes = 0; ++ } ++ + for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) + { + /* If data directory is empty, rva also should be 0. */ +*************** pe_print_edata (bfd * abfd, void * vfile +*** 1364,1370 **** + bfd_size_type datasize = 0; + bfd_size_type dataoff; + bfd_size_type i; +! bfd_signed_vma adj; + struct EDT_type + { + long export_flags; /* Reserved - should be zero. */ +--- 1375,1381 ---- + bfd_size_type datasize = 0; + bfd_size_type dataoff; + bfd_size_type i; +! bfd_vma adj; + struct EDT_type + { + long export_flags; /* Reserved - should be zero. */ +*************** pe_print_edata (bfd * abfd, void * vfile +*** 1414,1419 **** +--- 1425,1437 ---- + _("\nThere is an export table, but the section containing it could not be found\n")); + return TRUE; + } ++ else if (!(section->flags & SEC_HAS_CONTENTS)) ++ { ++ fprintf (file, ++ _("\nThere is an export table in %s, but that section has no contents\n"), ++ section->name); ++ return TRUE; ++ } + + dataoff = addr - section->vma; + datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size; +*************** pe_print_edata (bfd * abfd, void * vfile +*** 1426,1431 **** +--- 1444,1458 ---- + } + } + ++ /* PR 17512: Handle corrupt PE binaries. */ ++ if (datasize < 36) ++ { ++ fprintf (file, ++ _("\nThere is an export table in %s, but it is too small (%d)\n"), ++ section->name, (int) datasize); ++ return TRUE; ++ } ++ + fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"), + section->name, (unsigned long) addr); + +*************** pe_print_edata (bfd * abfd, void * vfile +*** 1469,1476 **** + fprintf (file, + _("Name \t\t\t\t")); + bfd_fprintf_vma (abfd, file, edt.name); +! fprintf (file, +! " %s\n", data + edt.name - adj); + + fprintf (file, + _("Ordinal Base \t\t\t%ld\n"), edt.base); +--- 1496,1506 ---- + fprintf (file, + _("Name \t\t\t\t")); + bfd_fprintf_vma (abfd, file, edt.name); +! +! if ((edt.name >= adj) && (edt.name < adj + datasize)) +! 
fprintf (file, " %s\n", data + edt.name - adj); +! else +! fprintf (file, "(outside .edata section)\n"); + + fprintf (file, + _("Ordinal Base \t\t\t%ld\n"), edt.base); +*************** pe_print_edata (bfd * abfd, void * vfile +*** 1516,1522 **** + _("\nExport Address Table -- Ordinal Base %ld\n"), + edt.base); + +! for (i = 0; i < edt.num_functions; ++i) + { + bfd_vma eat_member = bfd_get_32 (abfd, + data + edt.eat_addr + (i * 4) - adj); +--- 1546,1557 ---- + _("\nExport Address Table -- Ordinal Base %ld\n"), + edt.base); + +! /* PR 17512: Handle corrupt PE binaries. */ +! if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize) +! fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), +! (long) edt.eat_addr, +! (long) edt.num_functions); +! else for (i = 0; i < edt.num_functions; ++i) + { + bfd_vma eat_member = bfd_get_32 (abfd, + data + edt.eat_addr + (i * 4) - adj); +*************** pe_print_edata (bfd * abfd, void * vfile +*** 1552,1558 **** + fprintf (file, + _("\n[Ordinal/Name Pointer] Table\n")); + +! for (i = 0; i < edt.num_names; ++i) + { + bfd_vma name_ptr = bfd_get_32 (abfd, + data + +--- 1587,1602 ---- + fprintf (file, + _("\n[Ordinal/Name Pointer] Table\n")); + +! /* PR 17512: Handle corrupt PE binaries. */ +! if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize) +! fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"), +! (long) edt.npt_addr, +! (long) edt.num_names); +! else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize) +! fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"), +! (long) edt.ot_addr, +! (long) edt.num_names); +! 
else for (i = 0; i < edt.num_names; ++i) + { + bfd_vma name_ptr = bfd_get_32 (abfd, + data + +diff -cpr ../binutils-2.24.orig/bfd/srec.c bfd/srec.c +*** ../binutils-2.24.orig/bfd/srec.c 2014-10-31 11:50:20.144220896 +0000 +--- bfd/srec.c 2014-10-31 11:50:55.808436025 +0000 +*************** srec_bad_byte (bfd *abfd, +*** 248,254 **** + } + else + { +! char buf[10]; + + if (! ISPRINT (c)) + sprintf (buf, "\\%03o", (unsigned int) c); +--- 248,254 ---- + } + else + { +! char buf[40]; + + if (! ISPRINT (c)) + sprintf (buf, "\\%03o", (unsigned int) c); +*************** srec_scan (bfd *abfd) +*** 454,461 **** + case 'S': + { + file_ptr pos; +! char hdr[3]; +! unsigned int bytes; + bfd_vma address; + bfd_byte *data; + unsigned char check_sum; +--- 454,461 ---- + case 'S': + { + file_ptr pos; +! unsigned char hdr[3]; +! unsigned int bytes, min_bytes; + bfd_vma address; + bfd_byte *data; + unsigned char check_sum; +*************** srec_scan (bfd *abfd) +*** 478,483 **** +--- 478,496 ---- + } + + check_sum = bytes = HEX (hdr + 1); ++ min_bytes = 3; ++ if (hdr[0] == '2' || hdr[0] == '8') ++ min_bytes = 4; ++ else if (hdr[0] == '3' || hdr[0] == '7') ++ min_bytes = 5; ++ if (bytes < min_bytes) ++ { ++ (*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"), ++ abfd, lineno, bytes); ++ bfd_set_error (bfd_error_bad_value); ++ goto error_return; ++ } ++ + if (bytes * 2 > bufsize) + { + if (buf != NULL) diff --git a/binutils-2.24-corrupt-elf.2.patch b/binutils-2.24-corrupt-elf.2.patch deleted file mode 100644 index 0ad40dd..0000000 --- a/binutils-2.24-corrupt-elf.2.patch +++ /dev/null 
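Review bot: The three table checks added to pe_print_edata in the bfd/peXXigen.c part of this patch test only where each table ends, so an export directory whose `edt.eat_addr` lies below `adj` can still satisfy `edt.eat_addr + (edt.num_functions * 4) - adj < datasize`, and the loop that follows then reads from before `data`; the multiplication may also wrap for a large count. Validating start and count separately closes both, for example `if (edt.eat_addr < adj || edt.eat_addr - adj >= datasize || edt.num_functions > (datasize - (edt.eat_addr - adj)) / 4)`, with the same shape for the `edt.npt_addr` check and `/ 2` for `edt.ot_addr`. The guarded `%s` print of `data + edt.name - adj` checks only the start of the name, so a name with no terminator before the end of the section would still be read past `datasize`; printing with `"%.*s"` and a length of `(int) (datasize - (edt.name - adj))` would bound it. pe_print_edata starts and ends outside the lines shown, so the field types of `edt` are assumed here from how the checks use them.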
@@ -1,91 +0,0 @@ -diff -cpr ../binutils-2.24.orig/bfd/elf.c bfd/elf.c -*** ../binutils-2.24.orig/bfd/elf.c 2014-10-28 16:02:16.233549448 +0000 ---- bfd/elf.c 2014-10-28 16:02:36.754653055 +0000 -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1584,1589 **** ---- 1584,1590 ---- - const char *name; - bfd_boolean ret = TRUE; - static bfd_boolean * sections_being_created = NULL; -+ static bfd * sections_being_created_abfd = NULL; - static unsigned int nesting = 0; - - if (shindex >= elf_numsections (abfd)) -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1596,1608 **** - loop. Detect this here, by refusing to load a section that we are - already in the process of loading. We only trigger this test if - we have nested at least three sections deep as normal ELF binaries -! can expect to recurse at least once. */ -! - if (sections_being_created == NULL) - { - /* FIXME: It would be more efficient to attach this array to the bfd somehow. */ - sections_being_created = (bfd_boolean *) - bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean)); - } - if (sections_being_created [shindex]) - { ---- 1597,1615 ---- - loop. Detect this here, by refusing to load a section that we are - already in the process of loading. We only trigger this test if - we have nested at least three sections deep as normal ELF binaries -! can expect to recurse at least once. -! -! FIXME: It would be better if this array was attached to the bfd, -! rather than being held in a static pointer. */ -! -! if (sections_being_created_abfd != abfd) -! sections_being_created = NULL; - if (sections_being_created == NULL) - { - /* FIXME: It would be more efficient to attach this array to the bfd somehow. 
*/ - sections_being_created = (bfd_boolean *) - bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean)); -+ sections_being_created_abfd = abfd; - } - if (sections_being_created [shindex]) - { -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 2106,2112 **** - if (sections_being_created) - sections_being_created [shindex] = FALSE; - if (-- nesting == 0) -! sections_being_created = NULL; - return ret; - } - ---- 2113,2122 ---- - if (sections_being_created) - sections_being_created [shindex] = FALSE; - if (-- nesting == 0) -! { -! sections_being_created = NULL; -! sections_being_created_abfd = abfd; -! } - return ret; - } - -Only in bfd: elf.c.orig -diff -cpr ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c -*** ../binutils-2.24.orig/bfd/peXXigen.c 2014-10-28 16:02:16.251549538 +0000 ---- bfd/peXXigen.c 2014-10-28 16:02:36.755653060 +0000 -*************** pe_print_edata (bfd * abfd, void * vfile -*** 1444,1449 **** ---- 1444,1458 ---- - } - } - -+ /* PR 17512: Handle corrupt PE binaries. */ -+ if (datasize < 36) -+ { -+ fprintf (file, -+ _("\nThere is an export table in %s, but it is too small (%d)\n"), -+ section->name, (int) datasize); -+ return TRUE; -+ } -+ - fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"), - section->name, (unsigned long) addr); - -Only in bfd: peXXigen.c.orig diff --git a/binutils-2.24-corrupt-elf.patch b/binutils-2.24-corrupt-elf.patch deleted file mode 100644 index 0b5d5f8..0000000 --- a/binutils-2.24-corrupt-elf.patch +++ /dev/null 
@@ -1,868 +0,0 @@ -diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c -*** ../binutils-2.24.orig/bfd/elf.c 2014-10-28 09:39:29.505064397 +0000 ---- bfd/elf.c 2014-10-28 09:45:17.973958424 +0000 -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1582,1619 **** - Elf_Internal_Ehdr *ehdr; - const struct elf_backend_data *bed; - const char *name; - - if (shindex >= elf_numsections (abfd)) - return FALSE; - - hdr = elf_elfsections (abfd)[shindex]; - ehdr = elf_elfheader (abfd); - name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx, - hdr->sh_name); - if (name == NULL) -! return FALSE; - - bed = get_elf_backend_data (abfd); - switch (hdr->sh_type) - { - case SHT_NULL: - /* Inactive section. Throw it away. */ -! return TRUE; - -! case SHT_PROGBITS: /* Normal section with contents. */ -! case SHT_NOBITS: /* .bss section. */ -! case SHT_HASH: /* .hash section. */ -! case SHT_NOTE: /* .note section. */ - case SHT_INIT_ARRAY: /* .init_array section. */ - case SHT_FINI_ARRAY: /* .fini_array section. */ - case SHT_PREINIT_ARRAY: /* .preinit_array section. */ - case SHT_GNU_LIBLIST: /* .gnu.liblist section. */ - case SHT_GNU_HASH: /* .gnu.hash section. */ -! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); - - case SHT_DYNAMIC: /* Dynamic linking information. */ - if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) -! return FALSE; - if (hdr->sh_link > elf_numsections (abfd)) - { - /* PR 10478: Accept Solaris binaries with a sh_link ---- 1582,1648 ---- - Elf_Internal_Ehdr *ehdr; - const struct elf_backend_data *bed; - const char *name; -+ bfd_boolean ret = TRUE; -+ static bfd_boolean * sections_being_created = NULL; -+ static unsigned int nesting = 0; - - if (shindex >= elf_numsections (abfd)) - return FALSE; - -+ if (++ nesting > 3) -+ { -+ /* PR17512: A corrupt ELF binary might contain a recursive group of -+ sections, each the string indicies pointing to the next in the -+ loop. 
Detect this here, by refusing to load a section that we are -+ already in the process of loading. We only trigger this test if -+ we have nested at least three sections deep as normal ELF binaries -+ can expect to recurse at least once. */ -+ -+ if (sections_being_created == NULL) -+ { -+ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */ -+ sections_being_created = (bfd_boolean *) -+ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean)); -+ } -+ if (sections_being_created [shindex]) -+ { -+ (*_bfd_error_handler) -+ (_("%B: warning: loop in section dependencies detected"), abfd); -+ return FALSE; -+ } -+ sections_being_created [shindex] = TRUE; -+ } -+ - hdr = elf_elfsections (abfd)[shindex]; - ehdr = elf_elfheader (abfd); - name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx, - hdr->sh_name); - if (name == NULL) -! goto fail; - - bed = get_elf_backend_data (abfd); - switch (hdr->sh_type) - { - case SHT_NULL: - /* Inactive section. Throw it away. */ -! goto success; - -! case SHT_PROGBITS: /* Normal section with contents. */ -! case SHT_NOBITS: /* .bss section. */ -! case SHT_HASH: /* .hash section. */ -! case SHT_NOTE: /* .note section. */ - case SHT_INIT_ARRAY: /* .init_array section. */ - case SHT_FINI_ARRAY: /* .fini_array section. */ - case SHT_PREINIT_ARRAY: /* .preinit_array section. */ - case SHT_GNU_LIBLIST: /* .gnu.liblist section. */ - case SHT_GNU_HASH: /* .gnu.hash section. */ -! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); -! goto success; - - case SHT_DYNAMIC: /* Dynamic linking information. */ - if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) -! goto fail; -! - if (hdr->sh_link > elf_numsections (abfd)) - { - /* PR 10478: Accept Solaris binaries with a sh_link -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1627,1637 **** - break; - /* Otherwise fall through. */ - default: -! 
return FALSE; - } - } - else if (elf_elfsections (abfd)[hdr->sh_link] == NULL) -! return FALSE; - else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB) - { - Elf_Internal_Shdr *dynsymhdr; ---- 1656,1666 ---- - break; - /* Otherwise fall through. */ - default: -! goto fail; - } - } - else if (elf_elfsections (abfd)[hdr->sh_link] == NULL) -! goto fail; - else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB) - { - Elf_Internal_Shdr *dynsymhdr; -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1660,1683 **** - } - } - } -! break; - -! case SHT_SYMTAB: /* A symbol table */ - if (elf_onesymtab (abfd) == shindex) -! return TRUE; - - if (hdr->sh_entsize != bed->s->sizeof_sym) -! return FALSE; - if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) - { - if (hdr->sh_size != 0) -! return FALSE; - /* Some assemblers erroneously set sh_info to one with a - zero sh_size. ld sees this as a global symbol count - of (unsigned) -1. Fix it here. */ - hdr->sh_info = 0; -! return TRUE; - } - BFD_ASSERT (elf_onesymtab (abfd) == 0); - elf_onesymtab (abfd) = shindex; - elf_tdata (abfd)->symtab_hdr = *hdr; ---- 1689,1714 ---- - } - } - } -! goto success; - -! case SHT_SYMTAB: /* A symbol table. */ - if (elf_onesymtab (abfd) == shindex) -! goto success; - - if (hdr->sh_entsize != bed->s->sizeof_sym) -! goto fail; -! - if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) - { - if (hdr->sh_size != 0) -! goto fail; - /* Some assemblers erroneously set sh_info to one with a - zero sh_size. ld sees this as a global symbol count - of (unsigned) -1. Fix it here. */ - hdr->sh_info = 0; -! goto success; - } -+ - BFD_ASSERT (elf_onesymtab (abfd) == 0); - elf_onesymtab (abfd) = shindex; - elf_tdata (abfd)->symtab_hdr = *hdr; -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1694,1700 **** - && (abfd->flags & DYNAMIC) != 0 - && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name, - shindex)) -! 
return FALSE; - - /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we - can't read symbols without that section loaded as well. It ---- 1725,1731 ---- - && (abfd->flags & DYNAMIC) != 0 - && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name, - shindex)) -! goto fail; - - /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we - can't read symbols without that section loaded as well. It -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1720,1745 **** - break; - } - if (i != shindex) -! return bfd_section_from_shdr (abfd, i); - } -! return TRUE; - -! case SHT_DYNSYM: /* A dynamic symbol table */ - if (elf_dynsymtab (abfd) == shindex) -! return TRUE; - - if (hdr->sh_entsize != bed->s->sizeof_sym) -! return FALSE; - if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) - { - if (hdr->sh_size != 0) -! return FALSE; - /* Some linkers erroneously set sh_info to one with a - zero sh_size. ld sees this as a global symbol count - of (unsigned) -1. Fix it here. */ - hdr->sh_info = 0; -! return TRUE; - } - BFD_ASSERT (elf_dynsymtab (abfd) == 0); - elf_dynsymtab (abfd) = shindex; - elf_tdata (abfd)->dynsymtab_hdr = *hdr; ---- 1751,1779 ---- - break; - } - if (i != shindex) -! ret = bfd_section_from_shdr (abfd, i); - } -! goto success; - -! case SHT_DYNSYM: /* A dynamic symbol table. */ - if (elf_dynsymtab (abfd) == shindex) -! goto success; - - if (hdr->sh_entsize != bed->s->sizeof_sym) -! goto fail; -! - if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) - { - if (hdr->sh_size != 0) -! goto fail; -! - /* Some linkers erroneously set sh_info to one with a - zero sh_size. ld sees this as a global symbol count - of (unsigned) -1. Fix it here. */ - hdr->sh_info = 0; -! 
goto success; - } -+ - BFD_ASSERT (elf_dynsymtab (abfd) == 0); - elf_dynsymtab (abfd) = shindex; - elf_tdata (abfd)->dynsymtab_hdr = *hdr; -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1748,1781 **** - - /* Besides being a symbol table, we also treat this as a regular - section, so that objcopy can handle it. */ -! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); - -! case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections */ - if (elf_symtab_shndx (abfd) == shindex) -! return TRUE; - - BFD_ASSERT (elf_symtab_shndx (abfd) == 0); - elf_symtab_shndx (abfd) = shindex; - elf_tdata (abfd)->symtab_shndx_hdr = *hdr; - elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr; -! return TRUE; - -! case SHT_STRTAB: /* A string table */ - if (hdr->bfd_section != NULL) -! return TRUE; - if (ehdr->e_shstrndx == shindex) - { - elf_tdata (abfd)->shstrtab_hdr = *hdr; - elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr; -! return TRUE; - } - if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex) - { - symtab_strtab: - elf_tdata (abfd)->strtab_hdr = *hdr; - elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr; -! return TRUE; - } - if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex) - { - dynsymtab_strtab: ---- 1782,1819 ---- - - /* Besides being a symbol table, we also treat this as a regular - section, so that objcopy can handle it. */ -! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); -! goto success; - -! case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections. */ - if (elf_symtab_shndx (abfd) == shindex) -! goto success; - - BFD_ASSERT (elf_symtab_shndx (abfd) == 0); - elf_symtab_shndx (abfd) = shindex; - elf_tdata (abfd)->symtab_shndx_hdr = *hdr; - elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr; -! goto success; - -! case SHT_STRTAB: /* A string table. */ - if (hdr->bfd_section != NULL) -! goto success; -! 
- if (ehdr->e_shstrndx == shindex) - { - elf_tdata (abfd)->shstrtab_hdr = *hdr; - elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr; -! goto success; - } -+ - if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex) - { - symtab_strtab: - elf_tdata (abfd)->strtab_hdr = *hdr; - elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr; -! goto success; - } -+ - if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex) - { - dynsymtab_strtab: -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1784,1791 **** - elf_elfsections (abfd)[shindex] = hdr; - /* We also treat this as a regular section, so that objcopy - can handle it. */ -! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, -! shindex); - } - - /* If the string table isn't one of the above, then treat it as a ---- 1822,1830 ---- - elf_elfsections (abfd)[shindex] = hdr; - /* We also treat this as a regular section, so that objcopy - can handle it. */ -! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, -! shindex); -! goto success; - } - - /* If the string table isn't one of the above, then treat it as a -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1803,1811 **** - { - /* Prevent endless recursion on broken objects. */ - if (i == shindex) -! return FALSE; - if (! bfd_section_from_shdr (abfd, i)) -! return FALSE; - if (elf_onesymtab (abfd) == i) - goto symtab_strtab; - if (elf_dynsymtab (abfd) == i) ---- 1842,1850 ---- - { - /* Prevent endless recursion on broken objects. */ - if (i == shindex) -! goto fail; - if (! bfd_section_from_shdr (abfd, i)) -! goto fail; - if (elf_onesymtab (abfd) == i) - goto symtab_strtab; - if (elf_dynsymtab (abfd) == i) -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1813,1819 **** - } - } - } -! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); - - case SHT_REL: - case SHT_RELA: ---- 1852,1859 ---- - } - } - } -! 
ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); -! goto success; - - case SHT_REL: - case SHT_RELA: -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1828,1834 **** - if (hdr->sh_entsize - != (bfd_size_type) (hdr->sh_type == SHT_REL - ? bed->s->sizeof_rel : bed->s->sizeof_rela)) -! return FALSE; - - /* Check for a bogus link to avoid crashing. */ - if (hdr->sh_link >= num_sec) ---- 1868,1874 ---- - if (hdr->sh_entsize - != (bfd_size_type) (hdr->sh_type == SHT_REL - ? bed->s->sizeof_rel : bed->s->sizeof_rela)) -! goto fail; - - /* Check for a bogus link to avoid crashing. */ - if (hdr->sh_link >= num_sec) -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1836,1843 **** - ((*_bfd_error_handler) - (_("%B: invalid link %lu for reloc section %s (index %u)"), - abfd, hdr->sh_link, name, shindex)); -! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, -! shindex); - } - - /* For some incomprehensible reason Oracle distributes ---- 1876,1884 ---- - ((*_bfd_error_handler) - (_("%B: invalid link %lu for reloc section %s (index %u)"), - abfd, hdr->sh_link, name, shindex)); -! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, -! shindex); -! goto success; - } - - /* For some incomprehensible reason Oracle distributes -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1878,1884 **** - if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB - || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM) - && ! bfd_section_from_shdr (abfd, hdr->sh_link)) -! return FALSE; - - /* If this reloc section does not use the main symbol table we - don't treat it as a reloc section. BFD can't adequately ---- 1919,1925 ---- - if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB - || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM) - && ! bfd_section_from_shdr (abfd, hdr->sh_link)) -! 
goto fail; - - /* If this reloc section does not use the main symbol table we - don't treat it as a reloc section. BFD can't adequately -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1893,1906 **** - || hdr->sh_info >= num_sec - || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL - || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA) -! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, -! shindex); - - if (! bfd_section_from_shdr (abfd, hdr->sh_info)) -! return FALSE; - target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info); - if (target_sect == NULL) -! return FALSE; - - esdt = elf_section_data (target_sect); - if (hdr->sh_type == SHT_RELA) ---- 1934,1951 ---- - || hdr->sh_info >= num_sec - || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL - || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA) -! { -! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, -! shindex); -! goto success; -! } - - if (! bfd_section_from_shdr (abfd, hdr->sh_info)) -! goto fail; -! - target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info); - if (target_sect == NULL) -! goto fail; - - esdt = elf_section_data (target_sect); - if (hdr->sh_type == SHT_RELA) -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1912,1918 **** - amt = sizeof (*hdr2); - hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); - if (hdr2 == NULL) -! return FALSE; - *hdr2 = *hdr; - *p_hdr = hdr2; - elf_elfsections (abfd)[shindex] = hdr2; ---- 1957,1963 ---- - amt = sizeof (*hdr2); - hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); - if (hdr2 == NULL) -! goto fail; - *hdr2 = *hdr; - *p_hdr = hdr2; - elf_elfsections (abfd)[shindex] = hdr2; -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1928,1961 **** - target_sect->use_rela_p = 1; - } - abfd->flags |= HAS_RELOC; -! return TRUE; - } - - case SHT_GNU_verdef: - elf_dynverdef (abfd) = shindex; - elf_tdata (abfd)->dynverdef_hdr = *hdr; -! 
return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); - - case SHT_GNU_versym: - if (hdr->sh_entsize != sizeof (Elf_External_Versym)) -! return FALSE; - elf_dynversym (abfd) = shindex; - elf_tdata (abfd)->dynversym_hdr = *hdr; -! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); - - case SHT_GNU_verneed: - elf_dynverref (abfd) = shindex; - elf_tdata (abfd)->dynverref_hdr = *hdr; -! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); - - case SHT_SHLIB: -! return TRUE; - - case SHT_GROUP: - if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE)) -! return FALSE; - if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) -! return FALSE; - if (hdr->contents != NULL) - { - Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents; ---- 1973,2012 ---- - target_sect->use_rela_p = 1; - } - abfd->flags |= HAS_RELOC; -! goto success; - } - - case SHT_GNU_verdef: - elf_dynverdef (abfd) = shindex; - elf_tdata (abfd)->dynverdef_hdr = *hdr; -! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); -! goto success; - - case SHT_GNU_versym: - if (hdr->sh_entsize != sizeof (Elf_External_Versym)) -! goto fail; -! - elf_dynversym (abfd) = shindex; - elf_tdata (abfd)->dynversym_hdr = *hdr; -! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); -! goto success; - - case SHT_GNU_verneed: - elf_dynverref (abfd) = shindex; - elf_tdata (abfd)->dynverref_hdr = *hdr; -! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); -! goto success; - - case SHT_SHLIB: -! goto success; - - case SHT_GROUP: - if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE)) -! goto fail; -! - if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) -! goto fail; -! - if (hdr->contents != NULL) - { - Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents; -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1981,1987 **** - } - } - } -! 
break; - - default: - /* Possibly an attributes section. */ ---- 2032,2038 ---- - } - } - } -! goto success; - - default: - /* Possibly an attributes section. */ -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 1989,2002 **** - || hdr->sh_type == bed->obj_attrs_section_type) - { - if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) -! return FALSE; - _bfd_elf_parse_attributes (abfd, hdr); -! return TRUE; - } - - /* Check for any processor-specific section types. */ - if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex)) -! return TRUE; - - if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER) - { ---- 2040,2053 ---- - || hdr->sh_type == bed->obj_attrs_section_type) - { - if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) -! goto fail; - _bfd_elf_parse_attributes (abfd, hdr); -! goto success; - } - - /* Check for any processor-specific section types. */ - if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex)) -! goto success; - - if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER) - { -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 2008,2016 **** - "specific section `%s' [0x%8x]"), - abfd, name, hdr->sh_type); - else -! /* Allow sections reserved for applications. */ -! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, -! shindex); - } - else if (hdr->sh_type >= SHT_LOPROC - && hdr->sh_type <= SHT_HIPROC) ---- 2059,2070 ---- - "specific section `%s' [0x%8x]"), - abfd, name, hdr->sh_type); - else -! { -! /* Allow sections reserved for applications. */ -! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, -! shindex); -! goto success; -! } - } - else if (hdr->sh_type >= SHT_LOPROC - && hdr->sh_type <= SHT_HIPROC) -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 2031,2038 **** - "`%s' [0x%8x]"), - abfd, name, hdr->sh_type); - else -! /* Otherwise it should be processed. */ -! 
return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); - } - else - /* FIXME: We should handle this section. */ ---- 2085,2095 ---- - "`%s' [0x%8x]"), - abfd, name, hdr->sh_type); - else -! { -! /* Otherwise it should be processed. */ -! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); -! goto success; -! } - } - else - /* FIXME: We should handle this section. */ -*************** bfd_section_from_shdr (bfd *abfd, unsign -*** 2040,2049 **** - (_("%B: don't know how to handle section `%s' [0x%8x]"), - abfd, name, hdr->sh_type); - -! return FALSE; - } - -! return TRUE; - } - - /* Return the local symbol specified by ABFD, R_SYMNDX. */ ---- 2097,2113 ---- - (_("%B: don't know how to handle section `%s' [0x%8x]"), - abfd, name, hdr->sh_type); - -! goto fail; - } - -! fail: -! ret = FALSE; -! success: -! if (sections_being_created) -! sections_being_created [shindex] = FALSE; -! if (-- nesting == 0) -! sections_being_created = NULL; -! return ret; - } - - /* Return the local symbol specified by ABFD, R_SYMNDX. */ -diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c -*** ../binutils-2.24.orig/bfd/peXXigen.c 2014-10-28 09:39:31.656075721 +0000 ---- bfd/peXXigen.c 2014-10-28 09:43:31.011370536 +0000 -*************** _bfd_XXi_swap_aouthdr_in (bfd * abfd, -*** 460,465 **** ---- 460,476 ---- - { - int idx; - -+ /* PR 17512: Corrupt PE binaries can cause seg-faults. */ -+ if (a->NumberOfRvaAndSizes > 16) -+ { -+ (*_bfd_error_handler) -+ (_("%B: aout header specifies an invalid number of data-directory entries: %d"), -+ abfd, a->NumberOfRvaAndSizes); -+ /* Paranoia: If the number is corrupt, then assume that the -+ actual entries themselves might be corrupt as well. */ -+ a->NumberOfRvaAndSizes = 0; -+ } -+ - for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) - { - /* If data directory is empty, rva also should be 0. 
*/ -*************** pe_print_edata (bfd * abfd, void * vfile -*** 1364,1370 **** - bfd_size_type datasize = 0; - bfd_size_type dataoff; - bfd_size_type i; -! bfd_signed_vma adj; - struct EDT_type - { - long export_flags; /* Reserved - should be zero. */ ---- 1375,1381 ---- - bfd_size_type datasize = 0; - bfd_size_type dataoff; - bfd_size_type i; -! bfd_vma adj; - struct EDT_type - { - long export_flags; /* Reserved - should be zero. */ -*************** pe_print_edata (bfd * abfd, void * vfile -*** 1414,1419 **** ---- 1425,1437 ---- - _("\nThere is an export table, but the section containing it could not be found\n")); - return TRUE; - } -+ else if (!(section->flags & SEC_HAS_CONTENTS)) -+ { -+ fprintf (file, -+ _("\nThere is an export table in %s, but that section has no contents\n"), -+ section->name); -+ return TRUE; -+ } - - dataoff = addr - section->vma; - datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size; -*************** pe_print_edata (bfd * abfd, void * vfile -*** 1469,1476 **** - fprintf (file, - _("Name \t\t\t\t")); - bfd_fprintf_vma (abfd, file, edt.name); -! fprintf (file, -! " %s\n", data + edt.name - adj); - - fprintf (file, - _("Ordinal Base \t\t\t%ld\n"), edt.base); ---- 1487,1497 ---- - fprintf (file, - _("Name \t\t\t\t")); - bfd_fprintf_vma (abfd, file, edt.name); -! -! if ((edt.name >= adj) && (edt.name < adj + datasize)) -! fprintf (file, " %s\n", data + edt.name - adj); -! else -! fprintf (file, "(outside .edata section)\n"); - - fprintf (file, - _("Ordinal Base \t\t\t%ld\n"), edt.base); -*************** pe_print_edata (bfd * abfd, void * vfile -*** 1516,1522 **** - _("\nExport Address Table -- Ordinal Base %ld\n"), - edt.base); - -! for (i = 0; i < edt.num_functions; ++i) - { - bfd_vma eat_member = bfd_get_32 (abfd, - data + edt.eat_addr + (i * 4) - adj); ---- 1537,1548 ---- - _("\nExport Address Table -- Ordinal Base %ld\n"), - edt.base); - -! /* PR 17512: Handle corrupt PE binaries. */ -! 
if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize) -! fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), -! (long) edt.eat_addr, -! (long) edt.num_functions); -! else for (i = 0; i < edt.num_functions; ++i) - { - bfd_vma eat_member = bfd_get_32 (abfd, - data + edt.eat_addr + (i * 4) - adj); -*************** pe_print_edata (bfd * abfd, void * vfile -*** 1552,1558 **** - fprintf (file, - _("\n[Ordinal/Name Pointer] Table\n")); - -! for (i = 0; i < edt.num_names; ++i) - { - bfd_vma name_ptr = bfd_get_32 (abfd, - data + ---- 1578,1593 ---- - fprintf (file, - _("\n[Ordinal/Name Pointer] Table\n")); - -! /* PR 17512: Handle corrupt PE binaries. */ -! if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize) -! fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"), -! (long) edt.npt_addr, -! (long) edt.num_names); -! else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize) -! fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"), -! (long) edt.ot_addr, -! (long) edt.num_names); -! else for (i = 0; i < edt.num_names; ++i) - { - bfd_vma name_ptr = bfd_get_32 (abfd, - data + -diff -rcp ../binutils-2.24.orig/bfd/srec.c bfd/srec.c -*** ../binutils-2.24.orig/bfd/srec.c 2014-10-28 09:39:30.762071014 +0000 ---- bfd/srec.c 2014-10-28 09:40:54.769513267 +0000 -*************** srec_bad_byte (bfd *abfd, -*** 248,254 **** - } - else - { -! char buf[10]; - - if (! ISPRINT (c)) - sprintf (buf, "\\%03o", (unsigned int) c); ---- 248,254 ---- - } - else - { -! char buf[40]; - - if (! ISPRINT (c)) - sprintf (buf, "\\%03o", (unsigned int) c); -*************** srec_scan (bfd *abfd) -*** 454,460 **** - case 'S': - { - file_ptr pos; -! char hdr[3]; - unsigned int bytes, min_bytes; - bfd_vma address; - bfd_byte *data; ---- 454,460 ---- - case 'S': - { - file_ptr pos; -! unsigned char hdr[3]; - unsigned int bytes, min_bytes; - bfd_vma address; - bfd_byte *data; 
diff --git a/binutils-2.24-corrupt-groups.patch b/binutils-2.24-corrupt-groups.patch deleted file mode 100644 index b0637f3..0000000 --- a/binutils-2.24-corrupt-groups.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -*** ../binutils-2.24.orig/bfd/elf.c 2014-10-27 12:47:20.989181791 +0000 ---- bfd/elf.c 2014-10-27 12:47:33.296248170 +0000 -*************** setup_group (bfd *abfd, Elf_Internal_Shd -*** 608,616 **** - if (shdr->contents == NULL) - { - _bfd_error_handler -! (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); - bfd_set_error (bfd_error_bad_value); -! return FALSE; - } - - memset (shdr->contents, 0, amt); ---- 608,617 ---- - if (shdr->contents == NULL) - { - _bfd_error_handler -! (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); - bfd_set_error (bfd_error_bad_value); -! -- num_group; -! continue; - } - - memset (shdr->contents, 0, amt); -*************** setup_group (bfd *abfd, Elf_Internal_Shd -*** 618,625 **** - if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 - || (bfd_bread (shdr->contents, shdr->sh_size, abfd) - != shdr->sh_size)) -! return FALSE; -! - /* Translate raw contents, a flag word followed by an - array of elf section indices all in target byte order, - to the flag word followed by an array of elf section ---- 619,635 ---- - if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 - || (bfd_bread (shdr->contents, shdr->sh_size, abfd) - != shdr->sh_size)) -! { -! _bfd_error_handler -! (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size); -! bfd_set_error (bfd_error_bad_value); -! -- num_group; -! /* PR 17510: If the group contents are even partially -! corrupt, do not allow any of the contents to be used. */ -! memset (shdr->contents, 0, amt); -! continue; -! } -! - /* Translate raw contents, a flag word followed by an - array of elf section indices all in target byte order, - to the flag word followed by an array of elf section -*************** setup_group (bfd *abfd, Elf_Internal_Shd -*** 651,656 **** ---- 661,681 ---- - } - } - } -+ -+ /* PR 17510: Corrupt binaries might contain invalid groups. 
*/ -+ if (num_group != (unsigned) elf_tdata (abfd)->num_group) -+ { -+ elf_tdata (abfd)->num_group = num_group; -+ -+ /* If all groups are invalid then fail. */ -+ if (num_group == 0) -+ { -+ elf_tdata (abfd)->group_sect_ptr = NULL; -+ elf_tdata (abfd)->num_group = num_group = -1; -+ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd); -+ bfd_set_error (bfd_error_bad_value); -+ } -+ } - } - } - -*************** setup_group (bfd *abfd, Elf_Internal_Shd -*** 716,721 **** ---- 741,747 ---- - { - (*_bfd_error_handler) (_("%B: no group info for section %A"), - abfd, newsect); -+ return FALSE; - } - return TRUE; - } diff --git a/binutils-2.24-corrupt-srec.patch b/binutils-2.24-corrupt-srec.patch deleted file mode 100644 index 59eafbd..0000000 --- a/binutils-2.24-corrupt-srec.patch +++ /dev/null @@ -1,41 +0,0 @@ -*** ../binutils-2.24.orig/bfd/srec.c 2014-10-24 15:34:34.156138230 +0100 ---- bfd/srec.c 2014-10-24 15:42:41.462592601 +0100 -*************** srec_scan (bfd *abfd) -*** 455,461 **** - { - file_ptr pos; - char hdr[3]; -! unsigned int bytes; - bfd_vma address; - bfd_byte *data; - unsigned char check_sum; ---- 455,461 ---- - { - file_ptr pos; - char hdr[3]; -! unsigned int bytes, min_bytes; - bfd_vma address; - bfd_byte *data; - unsigned char check_sum; -*************** srec_scan (bfd *abfd) -*** 478,483 **** ---- 478,496 ---- - } - - check_sum = bytes = HEX (hdr + 1); -+ min_bytes = 3; -+ if (hdr[0] == '2' || hdr[0] == '8') -+ min_bytes = 4; -+ else if (hdr[0] == '3' || hdr[0] == '7') -+ min_bytes = 5; -+ if (bytes < min_bytes) -+ { -+ (*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"), -+ abfd, lineno, bytes); -+ bfd_set_error (bfd_error_bad_value); -+ goto error_return; -+ } -+ - if (bytes * 2 > bufsize) - { - if (buf != NULL) diff --git a/binutils-2.24-strings-default-all.patch b/binutils-2.24-strings-default-all.patch new file mode 100644 index 0000000..97b9f8e --- /dev/null +++ b/binutils-2.24-strings-default-all.patch 
@@ -0,0 +1,310 @@ +diff -cpr ../binutils-2.24.orig/binutils/config.in binutils/config.in +*** ../binutils-2.24.orig/binutils/config.in 2014-10-31 11:50:20.455222877 +0000 +--- binutils/config.in 2014-10-31 11:59:05.021241036 +0000 +*************** +*** 18,23 **** +--- 18,26 ---- + /* Should ar and ranlib use -D behavior by default? */ + #undef DEFAULT_AR_DETERMINISTIC + ++ /* Should strings use -a behavior by default? */ ++ #undef DEFAULT_STRINGS_ALL ++ + /* Define to 1 if translation of program messages to the user's native + language is requested. */ + #undef ENABLE_NLS +diff -cpr ../binutils-2.24.orig/binutils/configure binutils/configure +*** ../binutils-2.24.orig/binutils/configure 2014-10-31 11:50:20.590223736 +0000 +--- binutils/configure 2014-10-31 12:01:46.570102643 +0000 +*************** with_gnu_ld +*** 772,777 **** +--- 772,778 ---- + enable_libtool_lock + enable_targets + enable_deterministic_archives ++ enable_default_strings_all + enable_werror + enable_build_warnings + enable_nls +*************** Optional Features: +*** 1421,1426 **** +--- 1422,1429 ---- + --enable-targets alternative target configurations + --enable-deterministic-archives + ar and ranlib default to -D behavior ++ --disable-default-strings-all ++ strings defaults to --data behavior + --enable-werror treat compile warnings as errors + --enable-build-warnings enable build-time compiler warnings + --disable-nls do not use Native Language Support +*************** cat >>confdefs.h <<_ACEOF +*** 11615,11620 **** +--- 11594,11618 ---- + _ACEOF + + ++ # Check whether --enable-default-strings-all was given. 
++ if test "${enable_default_strings_all+set}" = set; then : ++ enableval=$enable_default_strings_all; ++ if test "${enableval}" = no; then ++ default_strings_all=0 ++ else ++ default_strings_all=1 ++ fi ++ else ++ default_strings_all=1 ++ fi ++ ++ ++ ++ cat >>confdefs.h <<_ACEOF ++ #define DEFAULT_STRINGS_ALL $default_strings_all ++ _ACEOF ++ ++ + + GCC_WARN_CFLAGS="-W -Wall -Wstrict-prototypes -Wmissing-prototypes" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +diff -cpr ../binutils-2.24.orig/binutils/configure.in binutils/configure.in +*** ../binutils-2.24.orig/binutils/configure.in 2014-10-31 11:50:20.430222717 +0000 +--- binutils/configure.in 2014-10-31 12:00:48.092790946 +0000 +*************** fi], [default_ar_deterministic=0]) +*** 57,62 **** +--- 57,74 ---- + AC_DEFINE_UNQUOTED(DEFAULT_AR_DETERMINISTIC, $default_ar_deterministic, + [Should ar and ranlib use -D behavior by default?]) + ++ AC_ARG_ENABLE(default-strings-all, ++ [AS_HELP_STRING([--disable-default-strings-all], ++ [strings defaults to --data behavior])], [ ++ if test "${enableval}" = no; then ++ default_strings_all=0 ++ else ++ default_strings_all=1 ++ fi], [default_strings_all=1]) ++ ++ AC_DEFINE_UNQUOTED(DEFAULT_STRINGS_ALL, $default_strings_all, ++ [Should strings use -a behavior by default?]) ++ + AM_BINUTILS_WARNINGS + + AC_CONFIG_HEADERS(config.h:config.in) +diff -cpr ../binutils-2.24.orig/binutils/doc/binutils.texi binutils/doc/binutils.texi +*** ../binutils-2.24.orig/binutils/doc/binutils.texi 2014-10-31 11:50:20.579223666 +0000 +--- binutils/doc/binutils.texi 2014-10-31 11:59:23.052339164 +0000 +*************** strings [@option{-afovV}] [@option{-}@va +*** 2653,2667 **** + + @c man begin DESCRIPTION strings + +! For each @var{file} given, @sc{gnu} @command{strings} prints the printable +! character sequences that are at least 4 characters long (or the number +! given with the options below) and are followed by an unprintable +! character. 
By default, it only prints the strings from the initialized +! and loaded sections of object files; for other types of files, it prints +! the strings from the whole file. + +! @command{strings} is mainly useful for determining the contents of non-text +! files. + + @c man end + +--- 2653,2676 ---- + + @c man begin DESCRIPTION strings + +! For each @var{file} given, @sc{gnu} @command{strings} prints the +! printable character sequences that are at least 4 characters long (or +! the number given with the options below) and are followed by an +! unprintable character. +! +! Depending upon how the strings program was configured it will default +! to either displaying all the printable sequences that it can find in +! each file, or only those sequences that are in loadable, initialized +! data sections. If the file type in unrecognizable, or if strings is +! reading from stdin then it will always display all of the printable +! sequences that it can find. +! +! For backwards compatibility any file that occurs after a command line +! option of just @option{-} will also be scanned in full, regardless of +! the presence of any @option{-d} option. + +! @command{strings} is mainly useful for determining the contents of +! non-text files. + + @c man end + +*************** files. +*** 2671,2678 **** + @item -a + @itemx --all + @itemx - +! Do not scan only the initialized and loaded sections of object files; +! scan the whole files. + + @item -f + @itemx --print-file-name +--- 2680,2704 ---- + @item -a + @itemx --all + @itemx - +! Scan the whole file, regardless of what sections it contains or +! whether those sections are loaded or initialized. Normally this is +! the default behaviour, but strings can be configured so that the +! @option{-d} is the default instead. +! +! The @option{-} option is position dependent and forces strings to +! perform full scans of any file that is mentioned after the @option{-} +! on the command line, even if the @option{-d} option has been +! 
specified. +! +! @item -d +! @itemx --data +! Only print strings from initialized, loaded data sections in the +! file. This may reduce the amount of garbage in the output, but it +! also exposes the strings program to any security flaws that may be +! present in the BFD library used to scan and load sections. Strings +! can be configured so that this option is the default behaviour. In +! such cases the @option{-a} option can be used to avoid using the BFD +! library and instead just print all of the strings found in the file. + + @item -f + @itemx --print-file-name +diff -cpr ../binutils-2.24.orig/binutils/NEWS binutils/NEWS +*** ../binutils-2.24.orig/binutils/NEWS 2014-10-31 11:50:20.338222131 +0000 +--- binutils/NEWS 2014-10-31 11:59:52.315493579 +0000 +*************** +*** 1,5 **** +--- 1,10 ---- + -*- text -*- + ++ * Add --data option to strings to only print strings in loadable, initialized ++ data sections. Change the default behaviour to be --all, but add a new ++ configure time option of --disable-default-strings-all to restore the old ++ default behaviour. ++ + Changes in 2.24: + + * Objcopy now supports wildcard characters in command line options that take +diff -cpr ../binutils-2.24.orig/binutils/strings.c binutils/strings.c +*** ../binutils-2.24.orig/binutils/strings.c 2014-10-31 11:50:20.464222934 +0000 +--- binutils/strings.c 2014-10-31 12:01:33.901035485 +0000 +*************** +*** 23,29 **** + Options: + --all + -a +! - Do not scan only the initialized data section of object files. + + --print-file-name + -f Print the name of the file before each string. +--- 23,32 ---- + Options: + --all + -a +! - Scan each file in its entirety. +! +! --data +! -d Scan only the initialized data section(s) of object files. + + --print-file-name + -f Print the name of the file before each string. 
+*************** static int encoding_bytes; +*** 107,112 **** +--- 110,116 ---- + static struct option long_options[] = + { + {"all", no_argument, NULL, 'a'}, ++ {"data", no_argument, NULL, 'd'}, + {"print-file-name", no_argument, NULL, 'f'}, + {"bytes", required_argument, NULL, 'n'}, + {"radix", required_argument, NULL, 't'}, +*************** typedef struct +*** 128,134 **** + + static void strings_a_section (bfd *, asection *, void *); + static bfd_boolean strings_object_file (const char *); +! static bfd_boolean strings_file (char *file); + static void print_strings (const char *, FILE *, file_ptr, int, int, char *); + static void usage (FILE *, int); + static long get_char (FILE *, file_ptr *, int *, char **); +--- 132,138 ---- + + static void strings_a_section (bfd *, asection *, void *); + static bfd_boolean strings_object_file (const char *); +! static bfd_boolean strings_file (char *); + static void print_strings (const char *, FILE *, file_ptr, int, int, char *); + static void usage (FILE *, int); + static long get_char (FILE *, file_ptr *, int *, char **); +*************** main (int argc, char **argv) +*** 158,168 **** + string_min = 4; + print_addresses = FALSE; + print_filenames = FALSE; +! datasection_only = TRUE; + target = NULL; + encoding = 's'; + +! while ((optc = getopt_long (argc, argv, "afhHn:ot:e:T:Vv0123456789", + long_options, (int *) 0)) != EOF) + { + switch (optc) +--- 162,175 ---- + string_min = 4; + print_addresses = FALSE; + print_filenames = FALSE; +! if (DEFAULT_STRINGS_ALL) +! datasection_only = FALSE; +! else +! datasection_only = TRUE; + target = NULL; + encoding = 's'; + +! 
while ((optc = getopt_long (argc, argv, "adfhHn:ot:e:T:Vv0123456789", + long_options, (int *) 0)) != EOF) + { + switch (optc) +*************** main (int argc, char **argv) +*** 171,176 **** +--- 178,187 ---- + datasection_only = FALSE; + break; + ++ case 'd': ++ datasection_only = TRUE; ++ break; ++ + case 'f': + print_filenames = TRUE; + break; +*************** usage (FILE *stream, int status) +*** 635,642 **** + { + fprintf (stream, _("Usage: %s [option(s)] [file(s)]\n"), program_name); + fprintf (stream, _(" Display printable strings in [file(s)] (stdin by default)\n")); +! fprintf (stream, _(" The options are:\n\ + -a - --all Scan the entire file, not just the data section\n\ + -f --print-file-name Print the name of the file before each string\n\ + -n --bytes=[number] Locate & print any NUL-terminated sequence of at\n\ + - least [number] characters (default 4).\n\ +--- 646,663 ---- + { + fprintf (stream, _("Usage: %s [option(s)] [file(s)]\n"), program_name); + fprintf (stream, _(" Display printable strings in [file(s)] (stdin by default)\n")); +! fprintf (stream, _(" The options are:\n")); +! +! if (DEFAULT_STRINGS_ALL) +! fprintf (stream, _("\ +! -a - --all Scan the entire file, not just the data section [default]\n\ +! -d --data Only scan the data sections in the file\n")); +! else +! fprintf (stream, _("\ + -a - --all Scan the entire file, not just the data section\n\ ++ -d --data Only scan the data sections in the file [default]\n")); ++ ++ fprintf (stream, _("\ + -f --print-file-name Print the name of the file before each string\n\ + -n --bytes=[number] Locate & print any NUL-terminated sequence of at\n\ + - least [number] characters (default 4).\n\ + +Only in binutils: strings.c.rej diff --git a/binutils.spec b/binutils.spec index 4a1ac4f..3f168ad 100644 --- a/binutils.spec +++ b/binutils.spec 
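Review bot: The last line of the new binutils-2.24-strings-default-all.patch, `Only in binutils: strings.c.rej`, is stray `diff -cpr` output rather than patch content and should be deleted from the file. `patch` will skip it as garbage, but a leftover `.rej` suggests that a hunk against strings.c was rejected at some point in the tree this diff was generated from. Since the texinfo hunk presents `-a` as the way to avoid running input through the BFD library, and this patch makes `-a` the default, it is worth confirming against the upstream change that the strings.c hunks here are the complete set. A cheap follow-up check is that a default build prints `[default]` next to `-a` in `strings --help` and that `--disable-default-strings-all` moves it to `-d`.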
@@ -17,7 +17,7 @@ Summary: A GNU collection of binary utilities Name: %{?cross}binutils%{?_with_debug:-debug} Version: 2.24 -Release: 26%{?dist} +Release: 27%{?dist} License: GPLv3+ Group: Development/Tools URL: http://sources.redhat.com/binutils @@ -70,10 +70,8 @@ Patch27: binutils-2.24-aarch64-fix-gotplt-offset-ifunc.patch Patch28: binutils-2.24-aarch64-fix-static-ifunc.patch Patch29: binutils-2.24-aarch64-fix-ie-relax.patch Patch30: binutils-HEAD-change-ld-notice-interface.patch -Patch31: binutils-2.24-corrupt-srec.patch -Patch32: binutils-2.24-corrupt-groups.patch -Patch33: binutils-2.24-corrupt-elf.patch -Patch34: binutils-2.24-corrupt-elf.2.patch +Patch31: binutils-2.24-corrupt-binaries.patch +Patch32: binutils-2.24-strings-default-all.patch Provides: bundled(libiberty) @@ -208,10 +206,8 @@ using libelf instead of BFD. %patch28 -p1 -b .aa64-2~ %patch29 -p1 -b .aa64-3~ %patch30 -p1 -b .ldplugin~ -%patch31 -p0 -b .corrupt-srec~ -%patch32 -p0 -b .corrupt-groups~ -%patch33 -p0 -b .corrupt-elf~ -%patch34 -p0 -b .corrupt-elf2~ +%patch31 -p0 -b .corrupt-binaries~ +%patch32 -p0 -b .strings-all~ # We cannot run autotools as there is an exact requirement of autoconf-2.59. @@ -523,6 +519,12 @@ exit 0 %endif # %{isnative} %changelog +* Fri Oct 31 2014 Nick Clifton - 2.24-27 +- Fix buffer overrun in ihex parser. +- Fix memory corruption in previous patch. +- Consoldiate corrupt handling patches into just one patch. +- Default strings command to using -a. + * Wed Oct 29 2014 Nick Clifton - 2.24-26 - Fix memory corruption bug introduced by the previous patch.