[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/gdb/devel gdb-6.3-security-errata-20050610.patch, 1.1, 1.2 gdb.spec, 1.148, 1.149



Author: jjohnstn

Update of /cvs/dist/rpms/gdb/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv5532

Modified Files:
	gdb-6.3-security-errata-20050610.patch gdb.spec 
Log Message:

* Fri Jul 08 2005 Jeff Johnston <jjohnstn redhat com>   6.3.0.0-1.34
- Bump up release number.

* Thu Jul 07 2005 Jeff Johnston <jjohnstn redhat com>   6.3.0.0-1.31
- Modify security errata to include additional bfd robustness updates
- Bugzilla 158680




gdb-6.3-security-errata-20050610.patch:
 bfd/archive.c                         |   50 ++-
 bfd/bfd-in.h                          |    3 
 bfd/bfd-in2.h                         |    3 
 bfd/coff-rs6000.c                     |   10 
 bfd/coff64-rs6000.c                   |   10 
 bfd/coffcode.h                        |    2 
 bfd/ecoff.c                           |   12 
 bfd/elf.c                             |  236 ++++++++++-----
 bfd/elf32-s390.c                      |   12 
 bfd/elf32-sparc.c                     |   12 
 bfd/elf64-ppc.c                       |    9 
 bfd/elf64-s390.c                      |   12 
 bfd/elf64-sparc.c                     |   10 
 bfd/elf64-x86-64.c                    |   15 -
 bfd/elfcode.h                         |   77 ++++-
 bfd/elfxx-ia64.c                      |    3 
 bfd/libbfd-in.h                       |   11 
 bfd/libbfd.c                          |  102 ++++++
 bfd/libbfd.h                          |   11 
 bfd/opncls.c                          |   48 +++
 bfd/peXXigen.c                        |   12 
 gdb/Makefile.in                       |    2 
 gdb/cli/cli-cmds.c                    |   25 +
 gdb/config.in                         |    3 
 gdb/configure                         |  505 ++++++++++++++++++----------------
 gdb/configure.in                      |    1 
 gdb/main.c                            |    4 
 gdb/testsuite/gdb.base/gdbinit.exp    |   98 ++++++
 gdb/testsuite/gdb.base/gdbinit.sample |    1 
 include/elf/external.h                |    3 
 30 files changed, 936 insertions(+), 366 deletions(-)

Index: gdb-6.3-security-errata-20050610.patch
===================================================================
RCS file: /cvs/dist/rpms/gdb/devel/gdb-6.3-security-errata-20050610.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- gdb-6.3-security-errata-20050610.patch	10 Jun 2005 20:50:21 -0000	1.1
+++ gdb-6.3-security-errata-20050610.patch	8 Jul 2005 18:42:25 -0000	1.2
@@ -16,6 +16,8 @@
         (source_command): Update documentation.  Check permissions if
         FROM_TTY is -1.
 
+bfd changes:
+
 2005-05-17  H.J. Lu  <hongjiu lu intel com>
 
         * elf.c (group_signature): Check if the symbol table section is
@@ -32,8 +34,96 @@
 
         * elfcode.h (elf_object_p): Add more sanity checks on elf header.
 
---- gdb-6.3/gdb/cli/cli-cmds.c.fix	2005-06-10 15:36:27.000000000 -0400
-+++ gdb-6.3/gdb/cli/cli-cmds.c	2005-06-10 15:40:20.000000000 -0400
+2005-06-21  Jakub Jelinek  <jakub redhat com>
+
+	* libbfd-in.h (struct artdata): Add extended_names_size field.
+	* libbfd.h: Rebuilt.
+	* coff-rs600.c (_bfd_xcoff_archive_p): Don't clear fields in freshly
+	allocated object by bfd_zalloc.
+	* coff64-rs6000.c (xcoff64_archive_p): Likewise.
+	* ecoff.c (_bfd_ecoff_archive_p): Likewise.
+	* archive.c (_bfd_generic_mkarchive, bfd_generic_archive_p): Likewise.
+	(get_extended_arelt_filename): Fail if index is bigger or equal to
+	extended_names_size.
+	(_bfd_generic_read_ar_hdr_mag): Don't set bfd_error_malformed_archive,
+	get_extended_arelt_filename already did that.
+	(_bfd_slurp_extended_name_table): Initialize extended_names_size field.
+	Allocate one extra byte and clear it, in case extended names table
+	is not terminated.
+
+2005-06-15  Jakub Jelinek  <jakub redhat com>
+
+	* libbfd-in.h (bfd_malloc2, bfd_realloc2, bfd_zmalloc2, bfd_alloc2,
+	bfd_zalloc2): New prototypes.
+	* bfd-in.h (HALF_BFD_SIZE_TYPE): Define.
+	* libbfd.c (bfd_malloc2, bfd_realloc2, bfd_zmalloc2): New functions.
+	* opncls.c (bfd_alloc2, bfd_zalloc2): New functions.
+	* elf.c (bfd_elf_get_elf_syms, setup_group, assign_section_numbers,
+	elf_map_symbols, map_sections_to_segments,
+	assign_file_positions_for_segments, copy_private_bfd_data,
+	swap_out_syms, _bfd_elf_slurp_version_tables): Use bfd_*alloc2
+	where appropriate.
+	* bfd-in2.h: Rebuilt.
+	* libbfd.h: Rebuilt.
+
+	* elf.c (_bfd_elf_print_private_bfd_data): Don't crash on bogus
+	verdef or verneed section.
+	(_bfd_elf_slurp_version_tables): Handle corrupt verdef and/or
+	verneed sections gracefully.
+	* elf32-sparc.c (elf32_sparc_info_to_howto): Don't crash on
+	bogus relocation values.
+	* elf64-sparc.c (sparc64_elf_info_to_howto): Likewise.
+	* elf64-ppc.c (ppc64_elf_info_to_howto): Likewise.
+	* elf64-s390.c (elf_s390_info_to_howto): Likewise.
+	* elf32-s390.c (elf_s390_info_to_howto): Likewise.
+	* elf64-x86-64.c (elf64_x86_64_info_to_howto): Likewise.
+	* elfxx-ia64.c (lookup_howto): Likewise.
+
+2005-06-14  Jakub Jelinek  <jakub redhat com>
+
+	* elf.c (bfd_elf_get_str_section): Allocate an extra byte after
+	the end of strtab and clear it.
+	(elf_read): Remove.
+
+	* elf.c (bfd_section_from_shdr): Fail if name is NULL.
+	Prevent endless recursion on broken objects.
+
+	* archive.c (do_slurp_coff_armap): Check for overflows.
+
+2005-05-26  Jakub Jelinek  <jakub redhat com>
+
+	* elfcode.h (elf_object_p): Fail if e_shoff != 0, e_shnum == 0 and
+	first shdr has sh_size == 0.  Fail if e_shnum is large to cause
+	arithmetic overflow when allocating the i_shdr array.
+	Sanity check sh_link and sh_info fields.  Fix e_shstrndx sanity check.
+
+2005-05-18  H.J. Lu  <hongjiu lu intel com>
+
+	* elf.c (group_signature): Check if the symbol table section is
+	correct.
+
+2005-05-17  Tavis Ormandy <taviso gentoo org>
+
+	* elf.c (bfd_section_from_shdr): Add sanity check when parsing
+	dynamic sections.
+
+2005-05-09  Alan Modra  <amodra bigpond net au>
+
+	* elfcode.h (elf_object_p): Add more sanity checks on elf header.
+
+--- gdb-6.3/include/elf/external.h.fix	2005-07-07 19:14:08.000000000 -0400
++++ gdb-6.3/include/elf/external.h	2005-07-07 19:18:27.000000000 -0400
+@@ -272,5 +272,8 @@ typedef struct
+   unsigned char		a_val[8];
+ } Elf64_External_Auxv;
+ 
++/* Size of SHT_GROUP section entry.  */
++
++#define GRP_ENTRY_SIZE		4
+ 
+ #endif /* _ELF_EXTERNAL_H */
+--- gdb-6.3/gdb/cli/cli-cmds.c.fix	2005-07-07 19:16:17.000000000 -0400
++++ gdb-6.3/gdb/cli/cli-cmds.c	2005-07-07 19:18:27.000000000 -0400
 @@ -38,6 +38,7 @@
  #include "objfiles.h"
  #include "source.h"
@@ -85,8 +175,8 @@
    script_from_file (stream, file);
  
    do_cleanups (old_cleanups);
---- gdb-6.3/gdb/testsuite/gdb.base/gdbinit.exp.fix	2005-06-10 15:42:54.000000000 -0400
-+++ gdb-6.3/gdb/testsuite/gdb.base/gdbinit.exp	2005-06-10 15:40:20.000000000 -0400
+--- gdb-6.3/gdb/testsuite/gdb.base/gdbinit.exp.fix	2005-07-07 19:19:30.000000000 -0400
++++ gdb-6.3/gdb/testsuite/gdb.base/gdbinit.exp	2005-07-07 19:18:27.000000000 -0400
 @@ -0,0 +1,98 @@
 +#   Copyright 2005
 +#   Free Software Foundation, Inc.
@@ -186,12 +276,32 @@
 +}
 +
 +remote_exec build "rm .gdbinit"
---- gdb-6.3/gdb/testsuite/gdb.base/gdbinit.sample.fix	2005-06-10 15:43:01.000000000 -0400
-+++ gdb-6.3/gdb/testsuite/gdb.base/gdbinit.sample	2005-06-10 15:40:20.000000000 -0400
+--- gdb-6.3/gdb/testsuite/gdb.base/gdbinit.sample.fix	2005-07-07 19:19:34.000000000 -0400
++++ gdb-6.3/gdb/testsuite/gdb.base/gdbinit.sample	2005-07-07 19:18:27.000000000 -0400
 @@ -0,0 +1 @@
 +echo "\nin gdbinit"
---- gdb-6.3/gdb/configure.fix	2005-06-10 15:35:47.000000000 -0400
-+++ gdb-6.3/gdb/configure	2005-06-10 15:41:44.000000000 -0400
+--- gdb-6.3/gdb/main.c.fix	2005-07-07 19:14:26.000000000 -0400
++++ gdb-6.3/gdb/main.c	2005-07-07 19:18:55.000000000 -0400
+@@ -609,7 +609,7 @@ extern int gdbtk_test (char *);
+ 
+       if (!inhibit_gdbinit)
+ 	{
+-	  catch_command_errors (source_command, homeinit, 0, RETURN_MASK_ALL);
++	  catch_command_errors (source_command, homeinit, -1, RETURN_MASK_ALL);
+ 	}
+ 
+       /* Do stats; no need to do them elsewhere since we'll only
+@@ -695,7 +695,7 @@ extern int gdbtk_test (char *);
+       || memcmp ((char *) &homebuf, (char *) &cwdbuf, sizeof (struct stat)))
+     if (!inhibit_gdbinit)
+       {
+-	catch_command_errors (source_command, gdbinit, 0, RETURN_MASK_ALL);
++	catch_command_errors (source_command, gdbinit, -1, RETURN_MASK_ALL);
+       }
+ 
+   for (i = 0; i < ncmd; i++)
+--- gdb-6.3/gdb/configure.fix	2005-07-07 19:15:29.000000000 -0400
++++ gdb-6.3/gdb/configure	2005-07-07 19:20:08.000000000 -0400
 @@ -6640,7 +6640,7 @@ else
  fi
  done
@@ -2087,8 +2197,29 @@
    rm -rf conftest*
    am_cv_proto_iconv_arg1=""
  else
---- gdb-6.3/gdb/config.in.fix	2005-06-10 15:35:33.000000000 -0400
-+++ gdb-6.3/gdb/config.in	2005-06-10 15:40:20.000000000 -0400
+--- gdb-6.3/gdb/configure.in.fix	2005-07-07 19:15:34.000000000 -0400
++++ gdb-6.3/gdb/configure.in	2005-07-07 19:18:27.000000000 -0400
+@@ -440,6 +440,7 @@ AC_FUNC_ALLOCA
+ AC_FUNC_MMAP
+ AC_FUNC_VFORK
+ AC_CHECK_FUNCS(canonicalize_file_name realpath)
++AC_CHECK_FUNCS(getuid)
+ AC_CHECK_FUNCS(poll)
+ AC_CHECK_FUNCS(pread64)
+ AC_CHECK_FUNCS(sbrk)
+--- gdb-6.3/gdb/Makefile.in.fix	2005-07-07 19:16:06.000000000 -0400
++++ gdb-6.3/gdb/Makefile.in	2005-07-07 19:18:27.000000000 -0400
+@@ -2751,7 +2751,7 @@ cli-cmds.o: $(srcdir)/cli/cli-cmds.c $(d
+ 	$(expression_h) $(frame_h) $(value_h) $(language_h) $(filenames_h) \
+ 	$(objfiles_h) $(source_h) $(disasm_h) $(ui_out_h) $(top_h) \
+ 	$(cli_decode_h) $(cli_script_h) $(cli_setshow_h) $(cli_cmds_h) \
+-	$(tui_h)
++	$(tui_h) $(gdb_stat_h)
+ 	$(CC) -c $(INTERNAL_CFLAGS) $(srcdir)/cli/cli-cmds.c
+ cli-decode.o: $(srcdir)/cli/cli-decode.c $(defs_h) $(symtab_h) \
+ 	$(gdb_regex_h) $(gdb_string_h) $(ui_out_h) $(cli_cmds_h) \
+--- gdb-6.3/gdb/config.in.fix	2005-07-07 19:16:09.000000000 -0400
++++ gdb-6.3/gdb/config.in	2005-07-07 19:18:55.000000000 -0400
 @@ -203,6 +203,9 @@
  /* Define if you have the getpagesize function.  */
  #undef HAVE_GETPAGESIZE
@@ -2099,50 +2230,90 @@
  /* Define if you have the monstartup function.  */
  #undef HAVE_MONSTARTUP
  
---- gdb-6.3/gdb/main.c.fix	2005-06-10 15:35:51.000000000 -0400
-+++ gdb-6.3/gdb/main.c	2005-06-10 15:40:20.000000000 -0400
-@@ -609,7 +609,7 @@ extern int gdbtk_test (char *);
+--- gdb-6.3/bfd/elf.c.fix	2005-07-07 19:09:17.000000000 -0400
++++ gdb-6.3/bfd/elf.c	2005-07-07 19:18:55.000000000 -0400
+@@ -206,28 +206,6 @@ bfd_elf_hash (const char *namearg)
+   return h & 0xffffffff;
+ }
  
-       if (!inhibit_gdbinit)
+-/* Read a specified number of bytes at a specified offset in an ELF
+-   file, into a newly allocated buffer, and return a pointer to the
+-   buffer.  */
+-
+-static char *
+-elf_read (bfd *abfd, file_ptr offset, bfd_size_type size)
+-{
+-  char *buf;
+-
+-  if ((buf = bfd_alloc (abfd, size)) == NULL)
+-    return NULL;
+-  if (bfd_seek (abfd, offset, SEEK_SET) != 0)
+-    return NULL;
+-  if (bfd_bread (buf, size, abfd) != size)
+-    {
+-      if (bfd_get_error () != bfd_error_system_call)
+-	bfd_set_error (bfd_error_file_truncated);
+-      return NULL;
+-    }
+-  return buf;
+-}
+-
+ bfd_boolean
+ bfd_elf_mkobject (bfd *abfd)
+ {
+@@ -267,7 +245,21 @@ bfd_elf_get_str_section (bfd *abfd, unsi
+       /* No cached one, attempt to read, and cache what we read.  */
+       offset = i_shdrp[shindex]->sh_offset;
+       shstrtabsize = i_shdrp[shindex]->sh_size;
+-      shstrtab = elf_read (abfd, offset, shstrtabsize);
++
++      /* Allocate and clear an extra byte at the end, to prevent crashes
++	 in case the string table is not terminated.  */
++      if (shstrtabsize + 1 == 0
++	  || (shstrtab = bfd_alloc (abfd, shstrtabsize + 1)) == NULL
++	  || bfd_seek (abfd, offset, SEEK_SET) != 0)
++	shstrtab = NULL;
++      else if (bfd_bread (shstrtab, shstrtabsize, abfd) != shstrtabsize)
++	{
++	  if (bfd_get_error () != bfd_error_system_call)
++	    bfd_set_error (bfd_error_file_truncated);
++	  shstrtab = NULL;
++	}
++      else
++	shstrtab[shstrtabsize] = '\0';
+       i_shdrp[shindex]->contents = shstrtab;
+     }
+   return shstrtab;
+@@ -348,7 +340,7 @@ bfd_elf_get_elf_syms (bfd *ibfd,
+   pos = symtab_hdr->sh_offset + symoffset * extsym_size;
+   if (extsym_buf == NULL)
+     {
+-      alloc_ext = bfd_malloc (amt);
++      alloc_ext = bfd_malloc2 (symcount, extsym_size);
+       extsym_buf = alloc_ext;
+     }
+   if (extsym_buf == NULL
+@@ -367,7 +359,8 @@ bfd_elf_get_elf_syms (bfd *ibfd,
+       pos = shndx_hdr->sh_offset + symoffset * sizeof (Elf_External_Sym_Shndx);
+       if (extshndx_buf == NULL)
  	{
--	  catch_command_errors (source_command, homeinit, 0, RETURN_MASK_ALL);
-+	  catch_command_errors (source_command, homeinit, -1, RETURN_MASK_ALL);
+-	  alloc_extshndx = bfd_malloc (amt);
++	  alloc_extshndx = bfd_malloc2 (symcount,
++					sizeof (Elf_External_Sym_Shndx));
+ 	  extshndx_buf = alloc_extshndx;
  	}
+       if (extshndx_buf == NULL
+@@ -381,8 +374,7 @@ bfd_elf_get_elf_syms (bfd *ibfd,
  
-       /* Do stats; no need to do them elsewhere since we'll only
-@@ -695,7 +695,7 @@ extern int gdbtk_test (char *);
-       || memcmp ((char *) &homebuf, (char *) &cwdbuf, sizeof (struct stat)))
-     if (!inhibit_gdbinit)
-       {
--	catch_command_errors (source_command, gdbinit, 0, RETURN_MASK_ALL);
-+	catch_command_errors (source_command, gdbinit, -1, RETURN_MASK_ALL);
-       }
- 
-   for (i = 0; i < ncmd; i++)
---- gdb-6.3/gdb/Makefile.in.fix	2005-06-10 15:36:01.000000000 -0400
-+++ gdb-6.3/gdb/Makefile.in	2005-06-10 15:40:20.000000000 -0400
-@@ -2751,7 +2751,7 @@ cli-cmds.o: $(srcdir)/cli/cli-cmds.c $(d
- 	$(expression_h) $(frame_h) $(value_h) $(language_h) $(filenames_h) \
- 	$(objfiles_h) $(source_h) $(disasm_h) $(ui_out_h) $(top_h) \
- 	$(cli_decode_h) $(cli_script_h) $(cli_setshow_h) $(cli_cmds_h) \
--	$(tui_h)
-+	$(tui_h) $(gdb_stat_h)
- 	$(CC) -c $(INTERNAL_CFLAGS) $(srcdir)/cli/cli-cmds.c
- cli-decode.o: $(srcdir)/cli/cli-decode.c $(defs_h) $(symtab_h) \
- 	$(gdb_regex_h) $(gdb_string_h) $(ui_out_h) $(cli_cmds_h) \
---- gdb-6.3/gdb/configure.in.fix	2005-06-10 15:38:44.000000000 -0400
-+++ gdb-6.3/gdb/configure.in	2005-06-10 15:40:20.000000000 -0400
-@@ -440,6 +440,7 @@ AC_FUNC_ALLOCA
- AC_FUNC_MMAP
- AC_FUNC_VFORK
- AC_CHECK_FUNCS(canonicalize_file_name realpath)
-+AC_CHECK_FUNCS(getuid)
- AC_CHECK_FUNCS(poll)
- AC_CHECK_FUNCS(pread64)
- AC_CHECK_FUNCS(sbrk)
---- gdb-6.3/bfd/elf.c.fix	2005-06-10 15:37:08.000000000 -0400
-+++ gdb-6.3/bfd/elf.c	2005-06-10 15:40:31.000000000 -0400
-@@ -438,8 +438,11 @@ group_signature (bfd *abfd, Elf_Internal
+   if (intsym_buf == NULL)
+     {
+-      bfd_size_type amt = symcount * sizeof (Elf_Internal_Sym);
+-      intsym_buf = bfd_malloc (amt);
++      intsym_buf = bfd_malloc2 (symcount, sizeof (Elf_Internal_Sym));
+       if (intsym_buf == NULL)
+ 	goto out;
+     }
+@@ -438,8 +430,11 @@ group_signature (bfd *abfd, Elf_Internal
    Elf_External_Sym_Shndx eshndx;
    Elf_Internal_Sym isym;
  
@@ -2156,8 +2327,490 @@
      return NULL;
  
    /* Go read the symbol.  */
---- gdb-6.3/bfd/elfcode.h.fix	2005-06-10 15:37:17.000000000 -0400
-+++ gdb-6.3/bfd/elfcode.h	2005-06-10 15:40:31.000000000 -0400
+@@ -483,8 +478,9 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ 	{
+ 	  /* We keep a list of elf section headers for group sections,
+ 	     so we can find them quickly.  */
+-	  bfd_size_type amt = num_group * sizeof (Elf_Internal_Shdr *);
+-	  elf_tdata (abfd)->group_sect_ptr = bfd_alloc (abfd, amt);
++	  bfd_size_type amt;
++	  elf_tdata (abfd)->group_sect_ptr
++	    = bfd_alloc2 (abfd, num_group, sizeof (Elf_Internal_Shdr *));
+ 	  if (elf_tdata (abfd)->group_sect_ptr == NULL)
+ 	    return FALSE;
+ 
+@@ -504,7 +500,8 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ 		  /* Read the raw contents.  */
+ 		  BFD_ASSERT (sizeof (*dest) >= 4);
+ 		  amt = shdr->sh_size * sizeof (*dest) / 4;
+-		  shdr->contents = bfd_alloc (abfd, amt);
++		  shdr->contents = bfd_alloc2 (abfd, shdr->sh_size,
++					       sizeof (*dest) / 4);
+ 		  if (shdr->contents == NULL
+ 		      || bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
+ 		      || (bfd_bread (shdr->contents, shdr->sh_size, abfd)
+@@ -1204,8 +1201,9 @@ _bfd_elf_print_private_bfd_data (bfd *ab
+       for (t = elf_tdata (abfd)->verdef; t != NULL; t = t->vd_nextdef)
+ 	{
+ 	  fprintf (f, "%d 0x%2.2x 0x%8.8lx %s\n", t->vd_ndx,
+-		   t->vd_flags, t->vd_hash, t->vd_nodename);
+-	  if (t->vd_auxptr->vda_nextptr != NULL)
++		   t->vd_flags, t->vd_hash,
++		   t->vd_nodename ? t->vd_nodename : "<corrupt>");
++	  if (t->vd_auxptr != NULL && t->vd_auxptr->vda_nextptr != NULL)
+ 	    {
+ 	      Elf_Internal_Verdaux *a;
+ 
+@@ -1213,7 +1211,8 @@ _bfd_elf_print_private_bfd_data (bfd *ab
+ 	      for (a = t->vd_auxptr->vda_nextptr;
+ 		   a != NULL;
+ 		   a = a->vda_nextptr)
+-		fprintf (f, "%s ", a->vda_nodename);
++		fprintf (f, "%s ",
++			 a->vda_nodename ? a->vda_nodename : "<corrupt>");
+ 	      fprintf (f, "\n");
+ 	    }
+ 	}
+@@ -1228,10 +1227,12 @@ _bfd_elf_print_private_bfd_data (bfd *ab
+ 	{
+ 	  Elf_Internal_Vernaux *a;
+ 
+-	  fprintf (f, _("  required from %s:\n"), t->vn_filename);
++	  fprintf (f, _("  required from %s:\n"),
++		   t->vn_filename ? t->vn_filename : "<corrupt>");
+ 	  for (a = t->vn_auxptr; a != NULL; a = a->vna_nextptr)
+ 	    fprintf (f, "    0x%8.8lx 0x%2.2x %2.2d %s\n", a->vna_hash,
+-		     a->vna_flags, a->vna_other, a->vna_nodename);
++		     a->vna_flags, a->vna_other,
++		     a->vna_nodename ? a->vna_nodename : "<corrupt>");
+ 	}
+     }
+ 
+@@ -1725,6 +1726,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
+   const char *name;
+ 
+   name = elf_string_from_elf_strtab (abfd, hdr->sh_name);
++  if (name == NULL)
++    return FALSE;
+ 
+   switch (hdr->sh_type)
+     {
+@@ -1745,6 +1748,9 @@ bfd_section_from_shdr (bfd *abfd, unsign
+     case SHT_DYNAMIC:	/* Dynamic linking information.  */
+       if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name))
+ 	return FALSE;
++      if (hdr->sh_link > elf_numsections (abfd)
++	  || elf_elfsections (abfd)[hdr->sh_link] == NULL)
++	return FALSE;
+       if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
+ 	{
+ 	  Elf_Internal_Shdr *dynsymhdr;
+@@ -1779,7 +1785,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
+       if (elf_onesymtab (abfd) == shindex)
+ 	return TRUE;
+ 
+-      BFD_ASSERT (hdr->sh_entsize == bed->s->sizeof_sym);
++      if (hdr->sh_entsize != bed->s->sizeof_sym)
++	return FALSE;
+       BFD_ASSERT (elf_onesymtab (abfd) == 0);
+       elf_onesymtab (abfd) = shindex;
+       elf_tdata (abfd)->symtab_hdr = *hdr;
+@@ -1803,7 +1810,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
+       if (elf_dynsymtab (abfd) == shindex)
+ 	return TRUE;
+ 
+-      BFD_ASSERT (hdr->sh_entsize == bed->s->sizeof_sym);
++      if (hdr->sh_entsize != bed->s->sizeof_sym)
++	return FALSE;
+       BFD_ASSERT (elf_dynsymtab (abfd) == 0);
+       elf_dynsymtab (abfd) = shindex;
+       elf_tdata (abfd)->dynsymtab_hdr = *hdr;
+@@ -1846,6 +1854,9 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	    Elf_Internal_Shdr *hdr2 = elf_elfsections (abfd)[i];
+ 	    if (hdr2->sh_link == shindex)
+ 	      {
++		/* Prevent endless recursion on broken objects.  */
++		if (i == shindex)
++		  return FALSE;
+ 		if (! bfd_section_from_shdr (abfd, i))
+ 		  return FALSE;
+ 		if (elf_onesymtab (abfd) == i)
+@@ -1889,6 +1900,11 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	Elf_Internal_Shdr *hdr2;
+ 	unsigned int num_sec = elf_numsections (abfd);
+ 
++	if (hdr->sh_entsize
++	    != (bfd_size_type) (hdr->sh_type == SHT_REL
++				? bed->s->sizeof_rel : bed->s->sizeof_rela))
++	  return FALSE;
++
+ 	/* Check for a bogus link to avoid crashing.  */
+ 	if ((hdr->sh_link >= SHN_LORESERVE && hdr->sh_link <= SHN_HIRESERVE)
+ 	    || hdr->sh_link >= num_sec)
+@@ -1944,6 +1960,10 @@ bfd_section_from_shdr (bfd *abfd, unsign
+ 	if (hdr->sh_link != elf_onesymtab (abfd) || hdr->sh_info == SHN_UNDEF)
+ 	  return _bfd_elf_make_section_from_shdr (abfd, hdr, name);
+ 
++	/* Prevent endless recursion on broken objects.  */
++	if (elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
++	    || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
++	  return FALSE;
+ 	if (! bfd_section_from_shdr (abfd, hdr->sh_info))
+ 	  return FALSE;
+ 	target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info);
+@@ -1983,6 +2003,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
+       break;
+ 
+     case SHT_GNU_versym:
++      if (hdr->sh_entsize != sizeof (Elf_External_Versym))
++	return FALSE;
+       elf_dynversym (abfd) = shindex;
+       elf_tdata (abfd)->dynversym_hdr = *hdr;
+       return _bfd_elf_make_section_from_shdr (abfd, hdr, name);
+@@ -2001,6 +2023,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
+       /* We need a BFD section for objcopy and relocatable linking,
+ 	 and it's handy to have the signature available as the section
+ 	 name.  */
++      if (hdr->sh_entsize != GRP_ENTRY_SIZE)
++	return FALSE;
+       name = group_signature (abfd, hdr);
+       if (name == NULL)
+ 	return FALSE;
+@@ -2724,7 +2748,6 @@ assign_section_numbers (bfd *abfd)
+   asection *sec;
+   unsigned int section_number, secn;
+   Elf_Internal_Shdr **i_shdrp;
+-  bfd_size_type amt;
+ 
+   section_number = 1;
+ 
+@@ -2798,13 +2821,11 @@ assign_section_numbers (bfd *abfd)
+ 
+   /* Set up the list of section header pointers, in agreement with the
+      indices.  */
+-  amt = section_number * sizeof (Elf_Internal_Shdr *);
+-  i_shdrp = bfd_zalloc (abfd, amt);
++  i_shdrp = bfd_zalloc2 (abfd, section_number, sizeof (Elf_Internal_Shdr *));
+   if (i_shdrp == NULL)
+     return FALSE;
+ 
+-  amt = sizeof (Elf_Internal_Shdr);
+-  i_shdrp[0] = bfd_zalloc (abfd, amt);
++  i_shdrp[0] = bfd_zalloc (abfd, sizeof (Elf_Internal_Shdr));
+   if (i_shdrp[0] == NULL)
+     {
+       bfd_release (abfd, i_shdrp);
+@@ -3036,7 +3057,6 @@ elf_map_symbols (bfd *abfd)
+   unsigned int idx;
+   asection *asect;
+   asymbol **new_syms;
+-  bfd_size_type amt;
+ 
+ #ifdef DEBUG
+   fprintf (stderr, "elf_map_symbols\n");
+@@ -3050,8 +3070,7 @@ elf_map_symbols (bfd *abfd)
+     }
+ 
+   max_index++;
+-  amt = max_index * sizeof (asymbol *);
+-  sect_syms = bfd_zalloc (abfd, amt);
++  sect_syms = bfd_zalloc2 (abfd, max_index, sizeof (asymbol *));
+   if (sect_syms == NULL)
+     return FALSE;
+   elf_section_syms (abfd) = sect_syms;
+@@ -3124,8 +3143,7 @@ elf_map_symbols (bfd *abfd)
+     }
+ 
+   /* Now sort the symbols so the local symbols are first.  */
+-  amt = (num_locals + num_globals) * sizeof (asymbol *);
+-  new_syms = bfd_alloc (abfd, amt);
++  new_syms = bfd_alloc2 (abfd, num_locals + num_globals, sizeof (asymbol *));
+ 
+   if (new_syms == NULL)
+     return FALSE;
+@@ -3384,8 +3402,7 @@ map_sections_to_segments (bfd *abfd)
+ 
+   /* Select the allocated sections, and sort them.  */
+ 
+-  amt = bfd_count_sections (abfd) * sizeof (asection *);
+-  sections = bfd_malloc (amt);
++  sections = bfd_malloc2 (bfd_count_sections (abfd), sizeof (asection *));
+   if (sections == NULL)
+     goto error_return;
+ 
+@@ -3817,7 +3834,6 @@ assign_file_positions_for_segments (bfd 
+   bfd_vma filehdr_vaddr, filehdr_paddr;
+   bfd_vma phdrs_vaddr, phdrs_paddr;
+   Elf_Internal_Phdr *p;
+-  bfd_size_type amt;
+ 
+   if (elf_tdata (abfd)->segment_map == NULL)
+     {
+@@ -3889,8 +3905,7 @@ assign_file_positions_for_segments (bfd 
+   if (alloc == 0)
+     alloc = count;
+ 
+-  amt = alloc * sizeof (Elf_Internal_Phdr);
+-  phdrs = bfd_alloc (abfd, amt);
++  phdrs = bfd_alloc2 (abfd, alloc, sizeof (Elf_Internal_Phdr));
+   if (phdrs == NULL)
+     return FALSE;
+ 
+@@ -5158,8 +5173,7 @@ copy_private_bfd_data (bfd *ibfd, bfd *o
+ 
+       /* Gcc 2.96 miscompiles this code on mips. Don't do casting here
+ 	 to work around this long long bug.  */
+-      amt = section_count * sizeof (asection *);
+-      sections = bfd_malloc (amt);
++      sections = bfd_malloc2 (section_count, sizeof (asection *));
+       if (sections == NULL)
+ 	return FALSE;
+ 
+@@ -5601,8 +5615,7 @@ swap_out_syms (bfd *abfd,
+   symstrtab_hdr = &elf_tdata (abfd)->strtab_hdr;
+   symstrtab_hdr->sh_type = SHT_STRTAB;
+ 
+-  amt = (bfd_size_type) (1 + symcount) * bed->s->sizeof_sym;
+-  outbound_syms = bfd_alloc (abfd, amt);
++  outbound_syms = bfd_alloc2 (abfd, 1 + symcount, bed->s->sizeof_sym);
+   if (outbound_syms == NULL)
+     {
+       _bfd_stringtab_free (stt);
+@@ -5615,7 +5628,8 @@ swap_out_syms (bfd *abfd,
+   if (symtab_shndx_hdr->sh_name != 0)
+     {
+       amt = (bfd_size_type) (1 + symcount) * sizeof (Elf_External_Sym_Shndx);
+-      outbound_shndx = bfd_zalloc (abfd, amt);
++      outbound_shndx = bfd_zalloc2 (abfd, 1 + symcount,
++				    sizeof (Elf_External_Sym_Shndx));
+       if (outbound_shndx == NULL)
+ 	{
+ 	  _bfd_stringtab_free (stt);
+@@ -6028,7 +6042,6 @@ bfd_boolean
+ _bfd_elf_slurp_version_tables (bfd *abfd)
+ {
+   bfd_byte *contents = NULL;
+-  bfd_size_type amt;
+ 
+   if (elf_dynverdef (abfd) != 0)
+     {
+@@ -6039,6 +6052,7 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+       Elf_Internal_Verdef iverdefmem;
+       unsigned int i;
+       unsigned int maxidx;
++      bfd_byte *contents_end_def, *contents_end_aux;
+ 
+       hdr = &elf_tdata (abfd)->dynverdef_hdr;
+ 
+@@ -6049,6 +6063,16 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+ 	  || bfd_bread (contents, hdr->sh_size, abfd) != hdr->sh_size)
+ 	goto error_return;
+ 
++      if (hdr->sh_info && hdr->sh_size < sizeof (Elf_External_Verdef))
++	goto error_return;
++
++      BFD_ASSERT (sizeof (Elf_External_Verdef)
++		  >= sizeof (Elf_External_Verdaux));
++      contents_end_def = contents + hdr->sh_size
++			 - sizeof (Elf_External_Verdef);
++      contents_end_aux = contents + hdr->sh_size
++			 - sizeof (Elf_External_Verdaux);
++
+       /* We know the number of entries in the section but not the maximum
+ 	 index.  Therefore we have to run through all entries and find
+ 	 the maximum.  */
+@@ -6061,12 +6085,16 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+ 	  if ((iverdefmem.vd_ndx & ((unsigned) VERSYM_VERSION)) > maxidx)
+ 	    maxidx = iverdefmem.vd_ndx & ((unsigned) VERSYM_VERSION);
+ 
++	  if (iverdefmem.vd_next
++	      > (size_t) (contents_end_def - (bfd_byte *) everdef))
++	    goto error_return;
++
+ 	  everdef = ((Elf_External_Verdef *)
+ 		     ((bfd_byte *) everdef + iverdefmem.vd_next));
+ 	}
+ 
+-      amt = (bfd_size_type) maxidx * sizeof (Elf_Internal_Verdef);
+-      elf_tdata (abfd)->verdef = bfd_zalloc (abfd, amt);
++      elf_tdata (abfd)->verdef = bfd_zalloc2 (abfd, maxidx,
++					      sizeof (Elf_Internal_Verdef));
+       if (elf_tdata (abfd)->verdef == NULL)
+ 	goto error_return;
+ 
+@@ -6082,15 +6110,32 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+ 
+ 	  _bfd_elf_swap_verdef_in (abfd, everdef, &iverdefmem);
+ 
++	  if ((iverdefmem.vd_ndx & VERSYM_VERSION) == 0)
++	    {
++error_return_verdef:
++	      elf_tdata (abfd)->verdef = NULL;
++	      elf_tdata (abfd)->cverdefs = 0;
++	      goto error_return;
++	    }
++
+ 	  iverdef = &iverdefarr[(iverdefmem.vd_ndx & VERSYM_VERSION) - 1];
+ 	  memcpy (iverdef, &iverdefmem, sizeof (Elf_Internal_Verdef));
+ 
+ 	  iverdef->vd_bfd = abfd;
+ 
+-	  amt = (bfd_size_type) iverdef->vd_cnt * sizeof (Elf_Internal_Verdaux);
+-	  iverdef->vd_auxptr = bfd_alloc (abfd, amt);
+-	  if (iverdef->vd_auxptr == NULL)
+-	    goto error_return;
++	  if (iverdef->vd_cnt == 0)
++	    iverdef->vd_auxptr = NULL;
++	  else
++	    {
++	      iverdef->vd_auxptr = bfd_alloc2 (abfd, iverdef->vd_cnt,
++					       sizeof (Elf_Internal_Verdaux));
++	      if (iverdef->vd_auxptr == NULL)
++		goto error_return_verdef;
++	    }
++
++	  if (iverdef->vd_aux
++	      > (size_t) (contents_end_aux - (bfd_byte *) everdef))
++	    goto error_return_verdef;
+ 
+ 	  everdaux = ((Elf_External_Verdaux *)
+ 		      ((bfd_byte *) everdef + iverdef->vd_aux));
+@@ -6103,20 +6148,25 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+ 		bfd_elf_string_from_elf_section (abfd, hdr->sh_link,
+ 						 iverdaux->vda_name);
+ 	      if (iverdaux->vda_nodename == NULL)
+-		goto error_return;
++		goto error_return_verdef;
+ 
+ 	      if (j + 1 < iverdef->vd_cnt)
+ 		iverdaux->vda_nextptr = iverdaux + 1;
+ 	      else
+ 		iverdaux->vda_nextptr = NULL;
+ 
++	      if (iverdaux->vda_next
++		  > (size_t) (contents_end_aux - (bfd_byte *) everdaux))
++		goto error_return_verdef;
++
+ 	      everdaux = ((Elf_External_Verdaux *)
+ 			  ((bfd_byte *) everdaux + iverdaux->vda_next));
+ 	    }
+ 
+-	  iverdef->vd_nodename = iverdef->vd_auxptr->vda_nodename;
++	  if (iverdef->vd_cnt)
++	    iverdef->vd_nodename = iverdef->vd_auxptr->vda_nodename;
+ 
+-	  if (i + 1 < hdr->sh_info)
++	  if ((size_t) (iverdef - iverdefarr) + 1 < maxidx)
+ 	    iverdef->vd_nextdef = iverdef + 1;
+ 	  else
+ 	    iverdef->vd_nextdef = NULL;
+@@ -6135,11 +6185,12 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+       Elf_External_Verneed *everneed;
+       Elf_Internal_Verneed *iverneed;
+       unsigned int i;
++      bfd_byte *contents_end;
+ 
+       hdr = &elf_tdata (abfd)->dynverref_hdr;
+ 
+-      amt = (bfd_size_type) hdr->sh_info * sizeof (Elf_Internal_Verneed);
+-      elf_tdata (abfd)->verref = bfd_zalloc (abfd, amt);
++      elf_tdata (abfd)->verref = bfd_zalloc2 (abfd, hdr->sh_info,
++					      sizeof (Elf_Internal_Verneed));
+       if (elf_tdata (abfd)->verref == NULL)
+ 	goto error_return;
+ 
+@@ -6147,11 +6198,22 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+ 
+       contents = bfd_malloc (hdr->sh_size);
+       if (contents == NULL)
+-	goto error_return;
++	{
++error_return_verref:
++	  elf_tdata (abfd)->verref = NULL;
++	  elf_tdata (abfd)->cverrefs = 0;
++	  goto error_return;
++	}
+       if (bfd_seek (abfd, hdr->sh_offset, SEEK_SET) != 0
+ 	  || bfd_bread (contents, hdr->sh_size, abfd) != hdr->sh_size)
+-	goto error_return;
++	goto error_return_verref;
+ 
++      if (hdr->sh_info && hdr->sh_size < sizeof (Elf_External_Verneed))
++	goto error_return_verref;
++
++      BFD_ASSERT (sizeof (Elf_External_Verneed)
++		  == sizeof (Elf_External_Vernaux));
++      contents_end = contents + hdr->sh_size - sizeof (Elf_External_Verneed);
+       everneed = (Elf_External_Verneed *) contents;
+       iverneed = elf_tdata (abfd)->verref;
+       for (i = 0; i < hdr->sh_info; i++, iverneed++)
+@@ -6168,11 +6230,21 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+ 	    bfd_elf_string_from_elf_section (abfd, hdr->sh_link,
+ 					     iverneed->vn_file);
+ 	  if (iverneed->vn_filename == NULL)
+-	    goto error_return;
++	    goto error_return_verref;
+ 
+-	  amt = iverneed->vn_cnt;
+-	  amt *= sizeof (Elf_Internal_Vernaux);
+-	  iverneed->vn_auxptr = bfd_alloc (abfd, amt);
++	  if (iverneed->vn_cnt == 0)
++	    iverneed->vn_auxptr = NULL;
++	  else
++	    {
++	      iverneed->vn_auxptr = bfd_alloc2 (abfd, iverneed->vn_cnt,
++						sizeof (Elf_Internal_Vernaux));
++	      if (iverneed->vn_auxptr == NULL)
++		goto error_return_verref;
++	    }
++
++	  if (iverneed->vn_aux
++	      > (size_t) (contents_end - (bfd_byte *) everneed))
++	    goto error_return_verref;
+ 
+ 	  evernaux = ((Elf_External_Vernaux *)
+ 		      ((bfd_byte *) everneed + iverneed->vn_aux));
+@@ -6185,13 +6257,17 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+ 		bfd_elf_string_from_elf_section (abfd, hdr->sh_link,
+ 						 ivernaux->vna_name);
+ 	      if (ivernaux->vna_nodename == NULL)
+-		goto error_return;
++		goto error_return_verref;
+ 
+ 	      if (j + 1 < iverneed->vn_cnt)
+ 		ivernaux->vna_nextptr = ivernaux + 1;
+ 	      else
+ 		ivernaux->vna_nextptr = NULL;
+ 
++	      if (ivernaux->vna_next
++		  > (size_t) (contents_end - (bfd_byte *) evernaux))
++		goto error_return_verref;
++
+ 	      evernaux = ((Elf_External_Vernaux *)
+ 			  ((bfd_byte *) evernaux + ivernaux->vna_next));
+ 	    }
+@@ -6201,6 +6277,10 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+ 	  else
+ 	    iverneed->vn_nextref = NULL;
+ 
++	  if (iverneed->vn_next
++	      > (size_t) (contents_end - (bfd_byte *) everneed))
++	    goto error_return_verref;
++
+ 	  everneed = ((Elf_External_Verneed *)
+ 		      ((bfd_byte *) everneed + iverneed->vn_next));
+ 	}
+--- gdb-6.3/bfd/elfcode.h.fix	2005-07-07 19:09:22.000000000 -0400
++++ gdb-6.3/bfd/elfcode.h	2005-07-07 19:18:55.000000000 -0400
+@@ -33,7 +33,7 @@ Foundation, Inc., 59 Temple Place - Suit
+ /* Problems and other issues to resolve.
+ 
+    (1)	BFD expects there to be some fixed number of "sections" in
+-        the object file.  I.E. there is a "section_count" variable in the
++	the object file.  I.E. there is a "section_count" variable in the
+ 	bfd structure which contains the number of sections.  However, ELF
+ 	supports multiple "views" of a file.  In particular, with current
+ 	implementations, executable files typically have two tables, a
 @@ -613,8 +613,13 @@ elf_object_p (bfd *abfd)
  
    if (i_ehdrp->e_shoff != 0)
@@ -2261,3 +2914,679 @@
    /* Read in the program headers.  */
    if (i_ehdrp->e_phnum == 0)
      elf_tdata (abfd)->phdr = NULL;
+@@ -1059,7 +1124,7 @@ elf_slurp_symbol_table (bfd *abfd, asymb
+ 	     symcount);
+ 
+ 	  /* Slurp in the symbols without the version information,
+-             since that is more helpful than just quitting.  */
++	     since that is more helpful than just quitting.  */
+ 	  verhdr = NULL;
+ 	}
+ 
+@@ -1126,7 +1191,7 @@ elf_slurp_symbol_table (bfd *abfd, asymb
+ 	    sym->symbol.section = bfd_abs_section_ptr;
+ 
+ 	  /* If this is a relocatable file, then the symbol value is
+-             already section relative.  */
++	     already section relative.  */
+ 	  if ((abfd->flags & (EXEC_P | DYNAMIC)) != 0)
+ 	    sym->symbol.value -= sym->symbol.section->vma;
+ 
+--- gdb-6.3/bfd/archive.c.fix	2005-07-07 19:09:29.000000000 -0400
++++ gdb-6.3/bfd/archive.c	2005-07-07 19:18:55.000000000 -0400
+@@ -170,11 +170,13 @@ _bfd_generic_mkarchive (bfd *abfd)
+   if (bfd_ardata (abfd) == NULL)
+     return FALSE;
+ 
+-  bfd_ardata (abfd)->cache = NULL;
+-  bfd_ardata (abfd)->archive_head = NULL;
+-  bfd_ardata (abfd)->symdefs = NULL;
+-  bfd_ardata (abfd)->extended_names = NULL;
+-  bfd_ardata (abfd)->tdata = NULL;
++  /* Already cleared by bfd_zalloc above.
++     bfd_ardata (abfd)->cache = NULL;
++     bfd_ardata (abfd)->archive_head = NULL;
++     bfd_ardata (abfd)->symdefs = NULL;
++     bfd_ardata (abfd)->extended_names = NULL;
++     bfd_ardata (abfd)->extended_names_size = 0;
++     bfd_ardata (abfd)->tdata = NULL;  */
+ 
+   return TRUE;
+ }
+@@ -302,7 +304,7 @@ get_extended_arelt_filename (bfd *arch, 
+   errno = 0;
+   /* Skip first char, which is '/' in SVR4 or ' ' in some other variants.  */
+   index = strtol (name + 1, NULL, 10);
+-  if (errno != 0)
++  if (errno != 0 || index >= bfd_ardata (arch)->extended_names_size)
+     {
+       bfd_set_error (bfd_error_malformed_archive);
+       return NULL;
+@@ -372,10 +374,7 @@ _bfd_generic_read_ar_hdr_mag (bfd *abfd,
+     {
+       filename = get_extended_arelt_filename (abfd, hdr.ar_name);
+       if (filename == NULL)
+-	{
+-	  bfd_set_error (bfd_error_malformed_archive);
+-	  return NULL;
+-	}
++	return NULL;
+     }
+   /* BSD4.4-style long filename.
+      Only implemented for reading, so far!  */
+@@ -601,11 +600,13 @@ bfd_generic_archive_p (bfd *abfd)
+     }
+ 
+   bfd_ardata (abfd)->first_file_filepos = SARMAG;
+-  bfd_ardata (abfd)->cache = NULL;
+-  bfd_ardata (abfd)->archive_head = NULL;
+-  bfd_ardata (abfd)->symdefs = NULL;
+-  bfd_ardata (abfd)->extended_names = NULL;
+-  bfd_ardata (abfd)->tdata = NULL;
++  /* Cleared by bfd_zalloc above.
++     bfd_ardata (abfd)->cache = NULL;
++     bfd_ardata (abfd)->archive_head = NULL;
++     bfd_ardata (abfd)->symdefs = NULL;
++     bfd_ardata (abfd)->extended_names = NULL;
++     bfd_ardata (abfd)->extended_names_size = 0;
++     bfd_ardata (abfd)->tdata = NULL;  */
+ 
+   if (!BFD_SEND (abfd, _bfd_slurp_armap, (abfd))
+       || !BFD_SEND (abfd, _bfd_slurp_extended_name_table, (abfd)))
+@@ -804,9 +805,15 @@ do_slurp_coff_armap (bfd *abfd)
+   /* The coff armap must be read sequentially.  So we construct a
+      bsd-style one in core all at once, for simplicity.  */
+ 
++  if (nsymz > ~ (bfd_size_type) 0 / sizeof (carsym))
++    return FALSE;
++
+   carsym_size = (nsymz * sizeof (carsym));
+   ptrsize = (4 * nsymz);
+ 
++  if (carsym_size + stringsize + 1 <= carsym_size)
++    return FALSE;
++
+   ardata->symdefs = bfd_zalloc (abfd, carsym_size + stringsize + 1);
+   if (ardata->symdefs == NULL)
+     return FALSE;
+@@ -1043,6 +1050,7 @@ _bfd_slurp_extended_name_table (bfd *abf
+ 	  strncmp (nextname, "//              ", 16) != 0)
+ 	{
+ 	  bfd_ardata (abfd)->extended_names = NULL;
++	  bfd_ardata (abfd)->extended_names_size = 0;
+ 	  return TRUE;
+ 	}
+ 
+@@ -1051,7 +1059,11 @@ _bfd_slurp_extended_name_table (bfd *abf
+ 	return FALSE;
+ 
+       amt = namedata->parsed_size;
+-      bfd_ardata (abfd)->extended_names = bfd_zalloc (abfd, amt);
++      if (amt + 1 == 0)
++        goto byebye;
++
++      bfd_ardata (abfd)->extended_names_size = amt;
++      bfd_ardata (abfd)->extended_names = bfd_zalloc (abfd, amt + 1);
+       if (bfd_ardata (abfd)->extended_names == NULL)
+ 	{
+ 	byebye:
+@@ -1074,15 +1086,17 @@ _bfd_slurp_extended_name_table (bfd *abf
+ 	 trailing '/'.  DOS/NT created archive often have \ in them
+ 	 We'll fix all problems here..  */
+       {
+-	char *temp = bfd_ardata (abfd)->extended_names;
++        char *ext_names = bfd_ardata (abfd)->extended_names;
++	char *temp = ext_names;
+ 	char *limit = temp + namedata->parsed_size;
+ 	for (; temp < limit; ++temp)
+ 	  {
+ 	    if (*temp == '\012')
+-	      temp[temp[-1] == '/' ? -1 : 0] = '\0';
++	      temp[temp > ext_names && temp[-1] == '/' ? -1 : 0] = '\0';
+ 	    if (*temp == '\\')
+ 	      *temp = '/';
+ 	  }
++	*limit = '\0';
+       }
+ 
+       /* Pad to an even boundary if you have to.  */
+--- gdb-6.3/bfd/libbfd-in.h.fix	2005-07-07 19:09:39.000000000 -0400
++++ gdb-6.3/bfd/libbfd-in.h	2005-07-07 19:18:55.000000000 -0400
+@@ -61,6 +61,7 @@ struct artdata {
+   carsym *symdefs;		/* the symdef entries */
+   symindex symdef_count;	/* how many there are */
+   char *extended_names;		/* clever intel extension */
++  bfd_size_type extended_names_size; /* Size of extended names */
+   /* when more compilers are standard C, this can be a time_t */
+   long  armap_timestamp;	/* Timestamp value written into armap.
+ 				   This is used for BSD archives to check
+@@ -90,6 +91,12 @@ extern void *bfd_realloc
+   (void *, bfd_size_type);
+ extern void *bfd_zmalloc
+   (bfd_size_type);
++extern void *bfd_malloc2
++  (bfd_size_type, bfd_size_type);
++extern void *bfd_realloc2
++  (void *, bfd_size_type, bfd_size_type);
++extern void *bfd_zmalloc2
++  (bfd_size_type, bfd_size_type);
+ 
+ extern void _bfd_default_error_handler (const char *s, ...);
+ extern bfd_error_handler_type _bfd_error_handler;
+@@ -100,6 +107,10 @@ extern void *bfd_alloc
+   (bfd *, bfd_size_type);
+ extern void *bfd_zalloc
+   (bfd *, bfd_size_type);
++extern void *bfd_alloc2
++  (bfd *, bfd_size_type, bfd_size_type);
++extern void *bfd_zalloc2
++  (bfd *, bfd_size_type, bfd_size_type);
+ extern void bfd_release
+   (bfd *, void *);
+ 
+--- gdb-6.3/bfd/bfd-in.h.fix	2005-07-07 19:09:45.000000000 -0400
++++ gdb-6.3/bfd/bfd-in.h	2005-07-07 19:18:55.000000000 -0400
+@@ -144,6 +144,9 @@ typedef unsigned long bfd_size_type;
+ 
+ #endif /* not BFD64  */
+ 
++#define HALF_BFD_SIZE_TYPE \
++  (((bfd_size_type) 1) << (8 * sizeof (bfd_size_type) / 2))
++
+ #ifndef BFD_HOST_64_BIT
+ /* Fall back on a 32 bit type.  The idea is to make these types always
+    available for function return types, but in the case that
+--- gdb-6.3/bfd/libbfd.c.fix	2005-07-07 19:09:51.000000000 -0400
++++ gdb-6.3/bfd/libbfd.c	2005-07-07 19:18:55.000000000 -0400
+@@ -156,6 +156,36 @@ bfd_malloc (bfd_size_type size)
+   return ptr;
+ }
+ 
++/* Allocate memory using malloc, nmemb * size with overflow checking.  */
++
++void *
++bfd_malloc2 (bfd_size_type nmemb, bfd_size_type size)
++{
++  void *ptr;
++
++  if ((nmemb | size) >= HALF_BFD_SIZE_TYPE
++      && size != 0
++      && nmemb > ~(bfd_size_type) 0 / size)
++    {
++      bfd_set_error (bfd_error_no_memory);
++      return NULL;
++    }
++
++  size *= nmemb;
++
++  if (size != (size_t) size)
++    {
++      bfd_set_error (bfd_error_no_memory);
++      return NULL;
++    }
++
++  ptr = malloc ((size_t) size);
++  if (ptr == NULL && (size_t) size != 0)
++    bfd_set_error (bfd_error_no_memory);
++
++  return ptr;
++}
++
+ /* Reallocate memory using realloc.  */
+ 
+ void *
+@@ -180,6 +210,40 @@ bfd_realloc (void *ptr, bfd_size_type si
+   return ret;
+ }
+ 
++/* Reallocate memory using realloc, nmemb * size with overflow checking.  */
++
++void *
++bfd_realloc2 (void *ptr, bfd_size_type nmemb, bfd_size_type size)
++{
++  void *ret;
++
++  if ((nmemb | size) >= HALF_BFD_SIZE_TYPE
++      && size != 0
++      && nmemb > ~(bfd_size_type) 0 / size)
++    {
++      bfd_set_error (bfd_error_no_memory);
++      return NULL;
++    }
++
++  size *= nmemb;
++
++  if (size != (size_t) size)
++    {
++      bfd_set_error (bfd_error_no_memory);
++      return NULL;
++    }
++
++  if (ptr == NULL)
++    ret = malloc ((size_t) size);
++  else
++    ret = realloc (ptr, (size_t) size);
++
++  if (ret == NULL && (size_t) size != 0)
++    bfd_set_error (bfd_error_no_memory);
++
++  return ret;
++}
++
+ /* Allocate memory using malloc and clear it.  */
+ 
+ void *
+@@ -205,6 +269,44 @@ bfd_zmalloc (bfd_size_type size)
+ 
+   return ptr;
+ }
++
++/* Allocate memory using malloc (nmemb * size) with overflow checking
++   and clear it.  */
++
++void *
++bfd_zmalloc2 (bfd_size_type nmemb, bfd_size_type size)
++{
++  void *ptr;
++
++  if ((nmemb | size) >= HALF_BFD_SIZE_TYPE
++      && size != 0
++      && nmemb > ~(bfd_size_type) 0 / size)
++    {
++      bfd_set_error (bfd_error_no_memory);
++      return NULL;
++    }
++
++  size *= nmemb;
++
++  if (size != (size_t) size)
++    {
++      bfd_set_error (bfd_error_no_memory);
++      return NULL;
++    }
++
++  ptr = malloc ((size_t) size);
++
++  if ((size_t) size != 0)
++    {
++      if (ptr == NULL)
++	bfd_set_error (bfd_error_no_memory);
++      else
++	memset (ptr, 0, (size_t) size);
++    }
++
++  return ptr;
++}
++
+ /*
+ INTERNAL_FUNCTION
+ 	bfd_write_bigendian_4byte_int
+--- gdb-6.3/bfd/opncls.c.fix	2005-07-07 19:09:59.000000000 -0400
++++ gdb-6.3/bfd/opncls.c	2005-07-07 19:18:55.000000000 -0400
+@@ -849,6 +849,54 @@ bfd_zalloc (bfd *abfd, bfd_size_type siz
+   return res;
+ }
+ 
++void *
++bfd_alloc2 (bfd *abfd, bfd_size_type nmemb, bfd_size_type size)
++{
++  void *ret;
++
++  if ((nmemb | size) >= HALF_BFD_SIZE_TYPE
++      && size != 0
++      && nmemb > ~(bfd_size_type) 0 / size)
++    {
++      bfd_set_error (bfd_error_no_memory);
++      return NULL;
++    }
++
++  size *= nmemb;
++
++  if (size != (unsigned long) size)
++    {
++      bfd_set_error (bfd_error_no_memory);
++      return NULL;
++    }
++
++  ret = objalloc_alloc (abfd->memory, (unsigned long) size);
++  if (ret == NULL)
++    bfd_set_error (bfd_error_no_memory);
++  return ret;
++}
++
++void *
++bfd_zalloc2 (bfd *abfd, bfd_size_type nmemb, bfd_size_type size)
++{
++  void *res;
++
++  if ((nmemb | size) >= HALF_BFD_SIZE_TYPE
++      && size != 0
++      && nmemb > ~(bfd_size_type) 0 / size)
++    {
++      bfd_set_error (bfd_error_no_memory);
++      return NULL;
++    }
++
++  size *= nmemb;
++
++  res = bfd_alloc (abfd, size);
++  if (res)
++    memset (res, 0, (size_t) size);
++  return res;
++}
++
+ /* Free a block allocated for a BFD.
+    Note:  Also frees all more recently allocated blocks!  */
+ 
+--- gdb-6.3/bfd/bfd-in2.h.fix	2005-07-07 19:10:08.000000000 -0400
++++ gdb-6.3/bfd/bfd-in2.h	2005-07-07 19:18:55.000000000 -0400
+@@ -151,6 +151,9 @@ typedef unsigned long bfd_size_type;
+ 
+ #endif /* not BFD64  */
+ 
++#define HALF_BFD_SIZE_TYPE \
++  (((bfd_size_type) 1) << (8 * sizeof (bfd_size_type) / 2))
++
+ #ifndef BFD_HOST_64_BIT
+ /* Fall back on a 32 bit type.  The idea is to make these types always
+    available for function return types, but in the case that
+--- gdb-6.3/bfd/libbfd.h.fix	2005-07-07 19:10:13.000000000 -0400
++++ gdb-6.3/bfd/libbfd.h	2005-07-07 19:18:55.000000000 -0400
+@@ -66,6 +66,7 @@ struct artdata {
+   carsym *symdefs;		/* the symdef entries */
+   symindex symdef_count;	/* how many there are */
+   char *extended_names;		/* clever intel extension */
++  bfd_size_type extended_names_size; /* Size of extended names */
+   /* when more compilers are standard C, this can be a time_t */
+   long  armap_timestamp;	/* Timestamp value written into armap.
+ 				   This is used for BSD archives to check
+@@ -95,6 +96,12 @@ extern void *bfd_realloc
+   (void *, bfd_size_type);
+ extern void *bfd_zmalloc
+   (bfd_size_type);
++extern void *bfd_malloc2
++  (bfd_size_type, bfd_size_type);
++extern void *bfd_realloc2
++  (void *, bfd_size_type, bfd_size_type);
++extern void *bfd_zmalloc2
++  (bfd_size_type, bfd_size_type);
+ 
+ extern void _bfd_default_error_handler (const char *s, ...);
+ extern bfd_error_handler_type _bfd_error_handler;
+@@ -105,6 +112,10 @@ extern void *bfd_alloc
+   (bfd *, bfd_size_type);
+ extern void *bfd_zalloc
+   (bfd *, bfd_size_type);
++extern void *bfd_alloc2
++  (bfd *, bfd_size_type, bfd_size_type);
++extern void *bfd_zalloc2
++  (bfd *, bfd_size_type, bfd_size_type);
+ extern void bfd_release
+   (bfd *, void *);
+ 
+--- gdb-6.3/bfd/elf32-sparc.c.fix	2005-07-07 19:10:19.000000000 -0400
++++ gdb-6.3/bfd/elf32-sparc.c	2005-07-07 19:18:55.000000000 -0400
+@@ -313,7 +313,8 @@ elf32_sparc_info_to_howto (abfd, cache_p
+      arelent *cache_ptr;
+      Elf_Internal_Rela *dst;
+ {
+-  switch (ELF32_R_TYPE(dst->r_info))
++  unsigned int r_type = ELF32_R_TYPE(dst->r_info);
++  switch (r_type)
+     {
+     case R_SPARC_GNU_VTINHERIT:
+       cache_ptr->howto = &elf32_sparc_vtinherit_howto;
+@@ -328,8 +329,13 @@ elf32_sparc_info_to_howto (abfd, cache_p
+       break;
+ 
+     default:
+-      BFD_ASSERT (ELF32_R_TYPE(dst->r_info) < (unsigned int) R_SPARC_max_std);
+-      cache_ptr->howto = &_bfd_sparc_elf_howto_table[ELF32_R_TYPE(dst->r_info)];
++      if (r_type >= (unsigned int) R_SPARC_max_std)
++	{
++	  (*_bfd_error_handler) (_("invalid relocation type %d"),
++				 (int) r_type);
++	  r_type = R_SPARC_NONE;
++	}
++      cache_ptr->howto = &_bfd_sparc_elf_howto_table[r_type];
+     }
+ }
+ 
+--- gdb-6.3/bfd/elf64-ppc.c.fix	2005-07-07 19:10:27.000000000 -0400
++++ gdb-6.3/bfd/elf64-ppc.c	2005-07-07 19:18:55.000000000 -0400
+@@ -2118,8 +2118,13 @@ ppc64_elf_info_to_howto (bfd *abfd ATTRI
+     ppc_howto_init ();
+ 
+   type = ELF64_R_TYPE (dst->r_info);
+-  BFD_ASSERT (type < (sizeof (ppc64_elf_howto_table)
+-		      / sizeof (ppc64_elf_howto_table[0])));
++  if (type >= (sizeof (ppc64_elf_howto_table)
++	       / sizeof (ppc64_elf_howto_table[0])))
++    {
++      (*_bfd_error_handler) (_("%B: invalid relocation type %d"),
++			     abfd, (int) type);
++      type = R_PPC64_NONE;
++    }
+   cache_ptr->howto = ppc64_elf_howto_table[type];
+ }
+ 
+--- gdb-6.3/bfd/elf64-sparc.c.fix	2005-07-07 19:10:35.000000000 -0400
++++ gdb-6.3/bfd/elf64-sparc.c	2005-07-07 19:18:55.000000000 -0400
+@@ -310,8 +310,14 @@ sparc64_elf_info_to_howto (abfd, cache_p
+      arelent *cache_ptr;
+      Elf_Internal_Rela *dst;
+ {
+-  BFD_ASSERT (ELF64_R_TYPE_ID (dst->r_info) < (unsigned int) R_SPARC_max_std);
+-  cache_ptr->howto = &sparc64_elf_howto_table[ELF64_R_TYPE_ID (dst->r_info)];
++  unsigned int r_type = ELF64_R_TYPE_ID (dst->r_info);
++  if (r_type >= (unsigned int) R_SPARC_max_std)
++    {
++      (*_bfd_error_handler) (_("invalid relocation type %d"),
++			     (int) r_type);
++      r_type = R_SPARC_NONE;
++    }
++  cache_ptr->howto = &sparc64_elf_howto_table[r_type];
+ }
+ 
+ struct sparc64_elf_section_data
+--- gdb-6.3/bfd/elf32-s390.c.fix	2005-07-07 19:10:58.000000000 -0400
++++ gdb-6.3/bfd/elf32-s390.c	2005-07-07 19:18:55.000000000 -0400
+@@ -350,7 +350,8 @@ elf_s390_info_to_howto (abfd, cache_ptr,
+      arelent *cache_ptr;
+      Elf_Internal_Rela *dst;
+ {
+-  switch (ELF32_R_TYPE(dst->r_info))
++  unsigned int r_type = ELF32_R_TYPE(dst->r_info);
++  switch (r_type)
+     {
+     case R_390_GNU_VTINHERIT:
+       cache_ptr->howto = &elf32_s390_vtinherit_howto;
+@@ -361,8 +362,13 @@ elf_s390_info_to_howto (abfd, cache_ptr,
+       break;
+ 
+     default:
+-      BFD_ASSERT (ELF32_R_TYPE(dst->r_info) < (unsigned int) R_390_max);
+-      cache_ptr->howto = &elf_howto_table[ELF32_R_TYPE(dst->r_info)];
++      if (r_type >= sizeof (elf_howto_table) / sizeof (elf_howto_table[0]))
++	{
++	  (*_bfd_error_handler) (_("%B: invalid relocation type %d"),
++				 abfd, (int) r_type);
++	  r_type = R_390_NONE;
++	}
++      cache_ptr->howto = &elf_howto_table[r_type];
+     }
+ }
+ 
+--- gdb-6.3/bfd/elf64-s390.c.fix	2005-07-07 19:11:09.000000000 -0400
++++ gdb-6.3/bfd/elf64-s390.c	2005-07-07 19:18:55.000000000 -0400
+@@ -372,7 +372,8 @@ elf_s390_info_to_howto (abfd, cache_ptr,
+      arelent *cache_ptr;
+      Elf_Internal_Rela *dst;
+ {
+-  switch (ELF64_R_TYPE(dst->r_info))
++  unsigned int r_type = ELF64_R_TYPE(dst->r_info);
++  switch (r_type)
+     {
+     case R_390_GNU_VTINHERIT:
+       cache_ptr->howto = &elf64_s390_vtinherit_howto;
+@@ -383,8 +384,13 @@ elf_s390_info_to_howto (abfd, cache_ptr,
+       break;
+ 
+     default:
+-      BFD_ASSERT (ELF64_R_TYPE(dst->r_info) < (unsigned int) R_390_max);
+-      cache_ptr->howto = &elf_howto_table[ELF64_R_TYPE(dst->r_info)];
++      if (r_type >= sizeof (elf_howto_table) / sizeof (elf_howto_table[0]))
++	{
++	  (*_bfd_error_handler) (_("%B: invalid relocation type %d"),
++				 abfd, (int) r_type);
++	  r_type = R_390_NONE;
++	}
++      cache_ptr->howto = &elf_howto_table[r_type];
+     }
+ }
+ 
+--- gdb-6.3/bfd/elfxx-ia64.c.fix	2005-07-07 19:11:16.000000000 -0400
++++ gdb-6.3/bfd/elfxx-ia64.c	2005-07-07 19:18:55.000000000 -0400
+@@ -479,7 +479,8 @@ lookup_howto (rtype)
+ 	elf_code_to_howto_index[ia64_howto_table[i].type] = i;
+     }
+ 
+-  BFD_ASSERT (rtype <= R_IA64_MAX_RELOC_CODE);
++  if (rtype > R_IA64_MAX_RELOC_CODE)
++    return 0;
+   i = elf_code_to_howto_index[rtype];
+   if (i >= NELEMS (ia64_howto_table))
+     return 0;
+--- gdb-6.3/bfd/coffcode.h.fix	2005-07-07 19:11:23.000000000 -0400
++++ gdb-6.3/bfd/coffcode.h	2005-07-07 19:18:55.000000000 -0400
+@@ -5060,7 +5060,7 @@ coff_slurp_reloc_table (abfd, asect, sym
+   amt = (bfd_size_type) asect->reloc_count * sizeof (arelent);
+   reloc_cache = (arelent *) bfd_alloc (abfd, amt);
+ 
+-  if (reloc_cache == NULL)
++  if (reloc_cache == NULL || native_relocs == NULL)
+     return FALSE;
+ 
+   for (idx = 0; idx < asect->reloc_count; idx++)
+--- gdb-6.3/bfd/peXXigen.c.fix	2005-07-07 19:11:29.000000000 -0400
++++ gdb-6.3/bfd/peXXigen.c	2005-07-07 19:18:55.000000000 -0400
+@@ -1167,7 +1167,7 @@ pe_print_idata (abfd, vfile)
+       bfd_vma toc_address;
+       bfd_vma start_address;
+       bfd_byte *data;
+-      int offset;
++      bfd_vma offset;
+ 
+       if (!bfd_malloc_and_get_section (abfd, rel_section, &data))
+ 	{
+@@ -1178,6 +1178,13 @@ pe_print_idata (abfd, vfile)
+ 
+       offset = abfd->start_address - rel_section->vma;
+ 
++      if (offset >= rel_section->size || offset + 8 > rel_section->size)
++        {
++          if (data != NULL)
++            free (data);
++          return FALSE;
++        }
++
+       start_address = bfd_get_32 (abfd, data + offset);
+       loadable_toc_address = bfd_get_32 (abfd, data + offset + 4);
+       toc_address = loadable_toc_address - 32768;
+@@ -1251,6 +1258,9 @@ pe_print_idata (abfd, vfile)
+       if (hint_addr == 0 && first_thunk == 0)
+ 	break;
+ 
++      if (dll_name - adj >= section->size)
++        break;
++
+       dll = (char *) data + dll_name - adj;
+       fprintf (file, _("\n\tDLL Name: %s\n"), dll);
+ 
+--- gdb-6.3/bfd/coff-rs6000.c.fix	2005-07-07 19:11:38.000000000 -0400
++++ gdb-6.3/bfd/coff-rs6000.c	2005-07-07 19:18:55.000000000 -0400
+@@ -1294,10 +1294,12 @@ _bfd_xcoff_archive_p (abfd)
+   if (bfd_ardata (abfd) == (struct artdata *) NULL)
+     goto error_ret_restore;
+ 
+-  bfd_ardata (abfd)->cache = NULL;
+-  bfd_ardata (abfd)->archive_head = NULL;
+-  bfd_ardata (abfd)->symdefs = NULL;
+-  bfd_ardata (abfd)->extended_names = NULL;
++  /* Cleared by bfd_zalloc above.
++     bfd_ardata (abfd)->cache = NULL;
++     bfd_ardata (abfd)->archive_head = NULL;
++     bfd_ardata (abfd)->symdefs = NULL;
++     bfd_ardata (abfd)->extended_names = NULL;
++     bfd_ardata (abfd)->extended_names_size = 0;  */
+ 
+   /* Now handle the two formats.  */
+   if (magic[1] != 'b')
+--- gdb-6.3/bfd/coff64-rs6000.c.fix	2005-07-07 19:11:46.000000000 -0400
++++ gdb-6.3/bfd/coff64-rs6000.c	2005-07-07 19:18:55.000000000 -0400
+@@ -1983,10 +1983,12 @@ xcoff64_archive_p (abfd)
+   if (bfd_ardata (abfd) == (struct artdata *) NULL)
+     goto error_ret_restore;
+ 
+-  bfd_ardata (abfd)->cache = NULL;
+-  bfd_ardata (abfd)->archive_head = NULL;
+-  bfd_ardata (abfd)->symdefs = NULL;
+-  bfd_ardata (abfd)->extended_names = NULL;
++  /* Already cleared by bfd_zalloc above.
++     bfd_ardata (abfd)->cache = NULL;
++     bfd_ardata (abfd)->archive_head = NULL;
++     bfd_ardata (abfd)->symdefs = NULL;
++     bfd_ardata (abfd)->extended_names = NULL;
++     bfd_ardata (abfd)->extended_names_size = 0;  */
+   bfd_ardata (abfd)->first_file_filepos = bfd_scan_vma (hdr.firstmemoff,
+ 							(const char **) NULL,
+ 							10);
+--- gdb-6.3/bfd/ecoff.c.fix	2005-07-07 19:11:51.000000000 -0400
++++ gdb-6.3/bfd/ecoff.c	2005-07-07 19:18:55.000000000 -0400
+@@ -3329,11 +3329,13 @@ _bfd_ecoff_archive_p (abfd)
+     }
+ 
+   bfd_ardata (abfd)->first_file_filepos = SARMAG;
+-  bfd_ardata (abfd)->cache = NULL;
+-  bfd_ardata (abfd)->archive_head = NULL;
+-  bfd_ardata (abfd)->symdefs = NULL;
+-  bfd_ardata (abfd)->extended_names = NULL;
+-  bfd_ardata (abfd)->tdata = NULL;
++  /* Already cleared by bfd_zalloc above.
++     bfd_ardata (abfd)->cache = NULL;
++     bfd_ardata (abfd)->archive_head = NULL;
++     bfd_ardata (abfd)->symdefs = NULL;
++     bfd_ardata (abfd)->extended_names = NULL;
++     bfd_ardata (abfd)->extended_names_size = 0;
++     bfd_ardata (abfd)->tdata = NULL;  */
+ 
+   if (! _bfd_ecoff_slurp_armap (abfd)
+       || ! _bfd_ecoff_slurp_extended_name_table (abfd))
+--- gdb-6.3/bfd/elf64-x86-64.c.fix	2005-07-07 19:17:31.000000000 -0400
++++ gdb-6.3/bfd/elf64-x86-64.c	2005-07-07 19:18:55.000000000 -0400
+@@ -176,16 +176,19 @@ elf64_x86_64_info_to_howto (bfd *abfd AT
+   unsigned r_type, i;
+ 
+   r_type = ELF64_R_TYPE (dst->r_info);
+-  if (r_type < (unsigned int) R_X86_64_GNU_VTINHERIT)
++  if (r_type < (unsigned int) R_X86_64_GNU_VTINHERIT
++      || r_type >= (unsigned int) R_X86_64_max)
+     {
+-      BFD_ASSERT (r_type <= (unsigned int) R_X86_64_TPOFF32);
++      if (r_type > (unsigned int) R_X86_64_TPOFF32)
++	{
++	  (*_bfd_error_handler) (_("%B: invalid relocation type %d"),
++				 abfd, (int) r_type);
++	  r_type = R_X86_64_NONE;
++	}
+       i = r_type;
+     }
+   else
+-    {
+-      BFD_ASSERT (r_type < (unsigned int) R_X86_64_max);
+-      i = r_type - ((unsigned int) R_X86_64_GNU_VTINHERIT - R_X86_64_TPOFF32 - 1);
+-    }
++    i = r_type - ((unsigned int) R_X86_64_GNU_VTINHERIT - R_X86_64_TPOFF32 - 1);
+   cache_ptr->howto = &x86_64_elf_howto_table[i];
+   BFD_ASSERT (r_type == cache_ptr->howto->type);
+ }


Index: gdb.spec
===================================================================
RCS file: /cvs/dist/rpms/gdb/devel/gdb.spec,v
retrieving revision 1.148
retrieving revision 1.149
diff -u -r1.148 -r1.149
--- gdb.spec	10 Jun 2005 20:50:21 -0000	1.148
+++ gdb.spec	8 Jul 2005 18:42:25 -0000	1.149
@@ -11,7 +11,7 @@
 Version: 6.3.0.0
 
 # The release always contains a leading reserved number, start it at 0.
-Release: 1.30
+Release: 1.34
 
 License: GPL
 Group: Development/Debuggers
@@ -479,6 +479,13 @@
 # don't include the files in include, they are part of binutils
 
 %changelog
+* Fri Jul 08 2005 Jeff Johnston <jjohnstn redhat com>   6.3.0.0-1.34
+- Bump up release number.
+
+* Thu Jul 07 2005 Jeff Johnston <jjohnstn redhat com>   6.3.0.0-1.31
+- Modify security errata to include additional bfd robustness updates
+- Bugzilla 158680
+
 * Fri Jun 10 2005 Jeff Johnston <jjohnstn redhat com>   6.3.0.0-1.30
 - Bump up release number.
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]