rpms/gdb/FC-3 gdb-6.1post-security-errata-oct2005.patch, NONE, 1.1 gdb.spec, 1.54, 1.55
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Oct 5 04:31:22 UTC 2005
Author: jjohnstn
Update of /cvs/dist/rpms/gdb/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv17909
Modified Files:
gdb.spec
Added Files:
gdb-6.1post-security-errata-oct2005.patch
Log Message:
* Tue Oct 04 2005 Jeff Johnston <jjohnstn at redhat.com> 1.200400607.43.1
- Security errata to handle untrusted .gdbinit and bfd integer overflow.
- Bugzilla 158683 and bugzilla 158686
gdb-6.1post-security-errata-oct2005.patch:
bfd/archive.c | 50 ++++--
bfd/bfd-in.h | 3
bfd/bfd-in2.h | 3
bfd/coff-rs6000.c | 10 -
bfd/coff64-rs6000.c | 10 -
bfd/coffcode.h | 2
bfd/ecoff.c | 12 -
bfd/elf.c | 246 +++++++++++++++++++++++-----------
bfd/elf32-s390.c | 12 +
bfd/elf32-sparc.c | 12 +
bfd/elf64-ppc.c | 9 -
bfd/elf64-s390.c | 12 +
bfd/elf64-sparc.c | 10 +
bfd/elf64-x86-64.c | 15 +-
bfd/elfcode.h | 75 +++++++++-
bfd/elfxx-ia64.c | 3
bfd/libbfd-in.h | 11 +
bfd/libbfd.c | 102 ++++++++++++++
bfd/libbfd.h | 11 +
bfd/opncls.c | 48 ++++++
bfd/peXXigen.c | 12 +
gdb/Makefile.in | 2
gdb/cli/cli-cmds.c | 31 +++-
gdb/main.c | 4
gdb/testsuite/gdb.base/gdbinit.exp | 98 +++++++++++++
gdb/testsuite/gdb.base/gdbinit.sample | 1
include/elf/external.h | 3
27 files changed, 664 insertions(+), 143 deletions(-)
--- NEW FILE gdb-6.1post-security-errata-oct2005.patch ---
2005-06-08 Daniel Jacobowitz <dan at codesourcery.com>
* Makefile.in (cli-cmds.o): Update.
* main.c (captured_main): Pass -1 to source_command when loading
gdbinit files.
* cli/cli-cmds.c: Include "gdb_stat.h" and <fcntl.h>.
(source_command): Update documentation. Check permissions if
FROM_TTY is -1.
2005-06-09 Jeff Johnston <jjohnstn at redhat.com>
* gdb.base/gdbinit.exp: New testcase.
* gdb.base/gdbinit.sample: Sample .gdbinit for gdbinit.exp.
bfd changes:
2005-06-21 Jakub Jelinek <jakub at redhat.com>
* libbfd-in.h (struct artdata): Add extended_names_size field.
* libbfd.h: Rebuilt.
* coff-rs600.c (_bfd_xcoff_archive_p): Don't clear fields in freshly
allocated object by bfd_zalloc.
* coff64-rs6000.c (xcoff64_archive_p): Likewise.
* ecoff.c (_bfd_ecoff_archive_p): Likewise.
* archive.c (_bfd_generic_mkarchive, bfd_generic_archive_p): Likewise.
(get_extended_arelt_filename): Fail if index is bigger or equal to
extended_names_size.
(_bfd_generic_read_ar_hdr_mag): Don't set bfd_error_malformed_archive,
get_extended_arelt_filename already did that.
(_bfd_slurp_extended_name_table): Initialize extended_names_size field.
Allocate one extra byte and clear it, in case extended names table
is not terminated.
2005-06-17 Jakub Jelinek <jakub at redhat.com>
bfd/
* elf.c (bfd_section_from_shdr): Kill bogus warning.
* elf.c (bfd_section_from_shdr): Fail if sh_entsize is bogus for
symbol, relocation, group or versym sections.
* coffcode.h (coff_slurp_reloc_table): Don't crash if native_relocs
is NULL.
* peXXigen.c (pe_print_idata): Don't crash if dll_name or start_address
doesn't point into the section.
include/
* elf/external.h (GRP_ENTRY_SIZE): Define.
binutils/
* readelf.c (CHECK_ENTSIZE_VALUES, CHECK_ENTSIZE): Define.
(process_section_headers): Use it.
(process_relocs): Don't crash if symsec is not SHT_SYMTAB
or SHT_DYNSYM.
(process_version_sections): Use sizeof (Elf_External_Versym)
instead of sh_entsize.
2005-06-15 Jakub Jelinek <jakub at redhat.com>
* libbfd-in.h (bfd_malloc2, bfd_realloc2, bfd_zmalloc2, bfd_alloc2,
bfd_zalloc2): New prototypes.
* bfd-in.h (HALF_BFD_SIZE_TYPE): Define.
* libbfd.c (bfd_malloc2, bfd_realloc2, bfd_zmalloc2): New functions.
* opncls.c (bfd_alloc2, bfd_zalloc2): New functions.
* elf.c (bfd_elf_get_elf_syms, setup_group, assign_section_numbers,
elf_map_symbols, map_sections_to_segments,
assign_file_positions_for_segments, copy_private_bfd_data,
swap_out_syms, _bfd_elf_slurp_version_tables): Use bfd_*alloc2
where appropriate.
* bfd-in2.h: Rebuilt.
* libbfd.h: Rebuilt.
* elf.c (_bfd_elf_print_private_bfd_data): Don't crash on bogus
verdef or verneed section.
(_bfd_elf_slurp_version_tables): Handle corrupt verdef and/or
verneed sections gracefully.
* elf32-sparc.c (elf32_sparc_info_to_howto): Don't crash on
bogus relocation values.
* elf64-sparc.c (sparc64_elf_info_to_howto): Likewise.
* elf64-ppc.c (ppc64_elf_info_to_howto): Likewise.
* elf64-s390.c (elf_s390_info_to_howto): Likewise.
* elf32-s390.c (elf_s390_info_to_howto): Likewise.
* elf64-x86-64.c (elf64_x86_64_info_to_howto): Likewise.
* elfxx-ia64.c (lookup_howto): Likewise.
2005-06-14 Jakub Jelinek <jakub at redhat.com>
* elf.c (bfd_elf_get_str_section): Allocate an extra byte after
the end of strtab and clear it.
(elf_read): Remove.
* elf.c (bfd_section_from_shdr): Fail if name is NULL.
Prevent endless recursion on broken objects.
* archive.c (do_slurp_coff_armap): Check for overflows.
2005-05-26 Jakub Jelinek <jakub at redhat.com>
* elfcode.h (elf_object_p): Fail if e_shoff != 0, e_shnum == 0 and
first shdr has sh_size == 0. Fail if e_shnum is large to cause
arithmetic overflow when allocating the i_shdr array.
Sanity check sh_link and sh_info fields. Fix e_shstrndx sanity check.
2005-05-18 H.J. Lu <hongjiu.lu at intel.com>
* elf.c (group_signature): Check if the symbol table section is
correct.
2005-05-17 Tavis Ormandy <taviso at gentoo.org>
* elf.c (bfd_section_from_shdr): Add sanity check when parsing
dynamic sections.
2005-05-09 Alan Modra <amodra at bigpond.net.au>
* elfcode.h (elf_object_p): Add more sanity checks on elf header.
--- gdb+dejagnu-20040607/gdb/cli/cli-cmds.c.fix 2005-10-04 18:26:13.000000000 -0400
+++ gdb+dejagnu-20040607/gdb/cli/cli-cmds.c 2005-10-04 18:33:55.000000000 -0400
@@ -37,6 +37,7 @@
#include "objfiles.h"
#include "source.h"
#include "disasm.h"
+#include "gdb_stat.h"
#include "ui-out.h"
@@ -54,6 +55,8 @@
#define GDBINIT_FILENAME ".gdbinit"
#endif
+#include <fcntl.h>
+
/* Prototypes for local command functions */
static void complete_command (char *, int);
@@ -423,6 +426,10 @@ cd_command (char *dir, int from_tty)
pwd_command ((char *) 0, 1);
}
�
+/* Load a GDB command file whose name is given in ARGS. FROM_TTY may
+ be -1, in which case we are loading a gdbinit file; in that case,
+ be paranoid about unsafe files. */
+
void
source_command (char *args, int from_tty)
{
@@ -431,9 +438,7 @@ source_command (char *args, int from_tty
char *file = args;
if (file == NULL)
- {
- error ("source command requires pathname of file to source.");
- }
+ error ("source command requires pathname of file to source.");
file = tilde_expand (file);
old_cleanups = make_cleanup (xfree, file);
@@ -441,12 +446,30 @@ source_command (char *args, int from_tty
stream = fopen (file, FOPEN_RT);
if (!stream)
{
- if (from_tty)
+ if (from_tty > 0)
perror_with_name (file);
else
return;
}
+ if (from_tty == -1)
+ {
+ struct stat statbuf;
+ int fd = fileno (stream);
+ if (fstat (fd, &statbuf) < 0)
+ {
+ perror_with_name (file);
+ fclose (stream);
+ return;
+ }
+ if (statbuf.st_uid != getuid () || (statbuf.st_mode & S_IWOTH))
+ {
+ warning ("not using untrusted file \"%s\"", file);
+ fclose (stream);
+ return;
+ }
+ }
+
script_from_file (stream, file);
do_cleanups (old_cleanups);
--- gdb+dejagnu-20040607/gdb/Makefile.in.fix 2005-10-04 18:25:36.000000000 -0400
+++ gdb+dejagnu-20040607/gdb/Makefile.in 2005-10-04 18:38:05.000000000 -0400
@@ -2566,7 +2566,7 @@ cli-cmds.o: $(srcdir)/cli/cli-cmds.c $(d
$(expression_h) $(frame_h) $(value_h) $(language_h) $(filenames_h) \
$(objfiles_h) $(source_h) $(disasm_h) $(ui_out_h) $(top_h) \
$(cli_decode_h) $(cli_script_h) $(cli_setshow_h) $(cli_cmds_h) \
- $(tui_h)
+ $(tui_h) $(gdb_stat_h)
$(CC) -c $(INTERNAL_CFLAGS) $(srcdir)/cli/cli-cmds.c
cli-decode.o: $(srcdir)/cli/cli-decode.c $(defs_h) $(symtab_h) \
$(gdb_regex_h) $(gdb_string_h) $(ui_out_h) $(cli_cmds_h) \
--- gdb+dejagnu-20040607/gdb/testsuite/gdb.base/gdbinit.exp.fix 2005-10-04 19:56:31.000000000 -0400
+++ gdb+dejagnu-20040607/gdb/testsuite/gdb.base/gdbinit.exp 2005-10-04 18:33:55.000000000 -0400
@@ -0,0 +1,98 @@
+# Copyright 2005
+# Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# Please email any bugs, comments, and/or additions to this file to:
+# bug-gdb at prep.ai.mit.edu
+
+# This file was written by Jeff Johnston <jjohnstn at redhat.com>.
+
+if $tracelevel then {
+ strace $tracelevel
+}
+
+set prms_id 0
+set bug_id 0
+
+# are we on a target board
+if [is_remote target] {
+ return
+}
+
+
+global verbose
+global GDB
+global GDBFLAGS
+global gdb_prompt
+global timeout
+global gdb_spawn_id;
+
+gdb_stop_suppressing_tests;
+
+verbose "Spawning $GDB -nw"
+
+if [info exists gdb_spawn_id] {
+ return 0;
+}
+
+if ![is_remote host] {
+ if { [which $GDB] == 0 } then {
+ perror "$GDB does not exist."
+ exit 1
+ }
+}
+
+set env(HOME) [pwd]
+remote_exec build "rm .gdbinit"
+remote_exec build "cp ${srcdir}/${subdir}/gdbinit.sample .gdbinit"
+remote_exec build "chmod 646 .gdbinit"
+
+set res [remote_spawn host "$GDB -nw [host_info gdb_opts]"];
+if { $res < 0 || $res == "" } {
+ perror "Spawning $GDB failed."
+ return 1;
+}
+gdb_expect 360 {
+ -re "warning: not using untrusted file.*\.gdbinit.*\[\r\n\]$gdb_prompt $" {
+ pass "untrusted .gdbinit caught."
+ }
+ -re "$gdb_prompt $" {
+ fail "untrusted .gdbinit caught."
+ }
+ timeout {
+ fail "(timeout) untrusted .gdbinit caught."
+ }
+}
+
+remote_exec build "chmod 644 .gdbinit"
+set res [remote_spawn host "$GDB -nw [host_info gdb_opts]"];
+if { $res < 0 || $res == "" } {
+ perror "Spawning $GDB failed."
+ return 1;
+}
+gdb_expect 360 {
+ -re "warning: not using untrusted file.*\.gdbinit.*\[\r\n\]$gdb_prompt $" {
+ fail "trusted .gdbinit allowed."
+ }
+ -re "in gdbinit.*$gdb_prompt $" {
+ pass "trusted .gdbinit allowed."
+ }
+ timeout {
+ fail "(timeout) trusted .gdbinit allowed."
+ }
+}
+
+remote_exec build "rm .gdbinit"
--- gdb+dejagnu-20040607/gdb/testsuite/gdb.base/gdbinit.sample.fix 2005-10-04 19:56:36.000000000 -0400
+++ gdb+dejagnu-20040607/gdb/testsuite/gdb.base/gdbinit.sample 2005-10-04 18:33:55.000000000 -0400
@@ -0,0 +1 @@
+echo "\nin gdbinit"
--- gdb+dejagnu-20040607/gdb/main.c.fix 2005-10-04 18:25:46.000000000 -0400
+++ gdb+dejagnu-20040607/gdb/main.c 2005-10-04 18:33:55.000000000 -0400
@@ -620,7 +620,7 @@ extern int gdbtk_test (char *);
if (!inhibit_gdbinit)
{
- catch_command_errors (source_command, homeinit, 0, RETURN_MASK_ALL);
+ catch_command_errors (source_command, homeinit, -1, RETURN_MASK_ALL);
}
/* Do stats; no need to do them elsewhere since we'll only
@@ -706,7 +706,7 @@ extern int gdbtk_test (char *);
|| memcmp ((char *) &homebuf, (char *) &cwdbuf, sizeof (struct stat)))
if (!inhibit_gdbinit)
{
- catch_command_errors (source_command, gdbinit, 0, RETURN_MASK_ALL);
+ catch_command_errors (source_command, gdbinit, -1, RETURN_MASK_ALL);
}
for (i = 0; i < ncmd; i++)
--- gdb+dejagnu-20040607/bfd/elf.c.fix 2005-10-04 18:27:10.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/elf.c 2005-10-04 19:54:00.000000000 -0400
@@ -206,28 +206,6 @@ bfd_elf_hash (const char *namearg)
return h & 0xffffffff;
}
-/* Read a specified number of bytes at a specified offset in an ELF
- file, into a newly allocated buffer, and return a pointer to the
- buffer. */
-
-static char *
-elf_read (bfd *abfd, file_ptr offset, bfd_size_type size)
-{
- char *buf;
-
- if ((buf = bfd_alloc (abfd, size)) == NULL)
- return NULL;
- if (bfd_seek (abfd, offset, SEEK_SET) != 0)
- return NULL;
- if (bfd_bread (buf, size, abfd) != size)
- {
- if (bfd_get_error () != bfd_error_system_call)
- bfd_set_error (bfd_error_file_truncated);
- return NULL;
- }
- return buf;
-}
-
bfd_boolean
bfd_elf_mkobject (bfd *abfd)
{
@@ -267,7 +245,21 @@ bfd_elf_get_str_section (bfd *abfd, unsi
/* No cached one, attempt to read, and cache what we read. */
offset = i_shdrp[shindex]->sh_offset;
shstrtabsize = i_shdrp[shindex]->sh_size;
- shstrtab = elf_read (abfd, offset, shstrtabsize);
+
+ /* Allocate and clear an extra byte at the end, to prevent crashes
+ in case the string table is not terminated. */
+ if (shstrtabsize + 1 == 0
+ || (shstrtab = bfd_alloc (abfd, shstrtabsize + 1)) == NULL
+ || bfd_seek (abfd, offset, SEEK_SET) != 0)
+ shstrtab = NULL;
+ else if (bfd_bread (shstrtab, shstrtabsize, abfd) != shstrtabsize)
+ {
+ if (bfd_get_error () != bfd_error_system_call)
+ bfd_set_error (bfd_error_file_truncated);
+ shstrtab = NULL;
+ }
+ else
+ shstrtab[shstrtabsize] = '\0';
i_shdrp[shindex]->contents = shstrtab;
}
return shstrtab;
@@ -348,7 +340,7 @@ bfd_elf_get_elf_syms (bfd *ibfd,
pos = symtab_hdr->sh_offset + symoffset * extsym_size;
if (extsym_buf == NULL)
{
- alloc_ext = bfd_malloc (amt);
+ alloc_ext = bfd_malloc2 (symcount, extsym_size);
extsym_buf = alloc_ext;
}
if (extsym_buf == NULL
@@ -367,7 +359,9 @@ bfd_elf_get_elf_syms (bfd *ibfd,
pos = shndx_hdr->sh_offset + symoffset * sizeof (Elf_External_Sym_Shndx);
if (extshndx_buf == NULL)
{
- alloc_extshndx = bfd_malloc (amt);
+ alloc_extshndx = (Elf_External_Sym_Shndx *)
+ bfd_malloc2 (symcount,
+ sizeof (Elf_External_Sym_Shndx));
extshndx_buf = alloc_extshndx;
}
if (extshndx_buf == NULL
@@ -381,8 +375,8 @@ bfd_elf_get_elf_syms (bfd *ibfd,
if (intsym_buf == NULL)
{
- bfd_size_type amt = symcount * sizeof (Elf_Internal_Sym);
- intsym_buf = bfd_malloc (amt);
+ intsym_buf = (Elf_Internal_Sym *)
+ bfd_malloc2 (symcount, sizeof (Elf_Internal_Sym));
if (intsym_buf == NULL)
goto out;
}
@@ -438,8 +432,11 @@ group_signature (bfd *abfd, Elf_Internal
Elf_External_Sym_Shndx eshndx;
Elf_Internal_Sym isym;
- /* First we need to ensure the symbol table is available. */
- if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
+ /* First we need to ensure the symbol table is available. Make sure
+ that it is a symbol table section. */
+ hdr = elf_elfsections (abfd) [ghdr->sh_link];
+ if (hdr->sh_type != SHT_SYMTAB
+ || ! bfd_section_from_shdr (abfd, ghdr->sh_link))
return NULL;
/* Go read the symbol. */
@@ -483,8 +480,9 @@ setup_group (bfd *abfd, Elf_Internal_Shd
{
/* We keep a list of elf section headers for group sections,
so we can find them quickly. */
- bfd_size_type amt = num_group * sizeof (Elf_Internal_Shdr *);
- elf_tdata (abfd)->group_sect_ptr = bfd_alloc (abfd, amt);
+ bfd_size_type amt;
+ elf_tdata (abfd)->group_sect_ptr
+ = bfd_alloc2 (abfd, num_group, sizeof (Elf_Internal_Shdr *));
if (elf_tdata (abfd)->group_sect_ptr == NULL)
return FALSE;
@@ -504,7 +502,8 @@ setup_group (bfd *abfd, Elf_Internal_Shd
/* Read the raw contents. */
BFD_ASSERT (sizeof (*dest) >= 4);
amt = shdr->sh_size * sizeof (*dest) / 4;
- shdr->contents = bfd_alloc (abfd, amt);
+ shdr->contents = bfd_alloc2 (abfd, shdr->sh_size,
+ sizeof (*dest) / 4);
if (shdr->contents == NULL
|| bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
|| (bfd_bread (shdr->contents, shdr->sh_size, abfd)
@@ -1160,8 +1159,9 @@ _bfd_elf_print_private_bfd_data (bfd *ab
for (t = elf_tdata (abfd)->verdef; t != NULL; t = t->vd_nextdef)
{
fprintf (f, "%d 0x%2.2x 0x%8.8lx %s\n", t->vd_ndx,
- t->vd_flags, t->vd_hash, t->vd_nodename);
- if (t->vd_auxptr->vda_nextptr != NULL)
+ t->vd_flags, t->vd_hash,
+ t->vd_nodename ? t->vd_nodename : "<corrupt>");
+ if (t->vd_auxptr != NULL && t->vd_auxptr->vda_nextptr != NULL)
{
Elf_Internal_Verdaux *a;
@@ -1169,7 +1169,8 @@ _bfd_elf_print_private_bfd_data (bfd *ab
for (a = t->vd_auxptr->vda_nextptr;
a != NULL;
a = a->vda_nextptr)
- fprintf (f, "%s ", a->vda_nodename);
+ fprintf (f, "%s ",
+ a->vda_nodename ? a->vda_nodename : "<corrupt>");
fprintf (f, "\n");
}
}
@@ -1184,10 +1185,12 @@ _bfd_elf_print_private_bfd_data (bfd *ab
{
Elf_Internal_Vernaux *a;
- fprintf (f, _(" required from %s:\n"), t->vn_filename);
+ fprintf (f, _(" required from %s:\n"),
+ t->vn_filename ? t->vn_filename : "<corrupt>");
for (a = t->vn_auxptr; a != NULL; a = a->vna_nextptr)
fprintf (f, " 0x%8.8lx 0x%2.2x %2.2d %s\n", a->vna_hash,
- a->vna_flags, a->vna_other, a->vna_nodename);
+ a->vna_flags, a->vna_other,
+ a->vna_nodename ? a->vna_nodename : "<corrupt>");
}
}
@@ -1683,6 +1686,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
const char *name;
name = elf_string_from_elf_strtab (abfd, hdr->sh_name);
+ if (name == NULL)
+ return FALSE;
switch (hdr->sh_type)
{
@@ -1702,6 +1707,9 @@ bfd_section_from_shdr (bfd *abfd, unsign
case SHT_DYNAMIC: /* Dynamic linking information. */
if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name))
return FALSE;
+ if (hdr->sh_link > elf_numsections (abfd)
+ || elf_elfsections (abfd)[hdr->sh_link] == NULL)
+ return FALSE;
if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
{
Elf_Internal_Shdr *dynsymhdr;
@@ -1736,7 +1744,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
if (elf_onesymtab (abfd) == shindex)
return TRUE;
- BFD_ASSERT (hdr->sh_entsize == bed->s->sizeof_sym);
+ if (hdr->sh_entsize != bed->s->sizeof_sym)
+ return FALSE;
BFD_ASSERT (elf_onesymtab (abfd) == 0);
elf_onesymtab (abfd) = shindex;
elf_tdata (abfd)->symtab_hdr = *hdr;
@@ -1760,7 +1769,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
if (elf_dynsymtab (abfd) == shindex)
return TRUE;
- BFD_ASSERT (hdr->sh_entsize == bed->s->sizeof_sym);
+ if (hdr->sh_entsize != bed->s->sizeof_sym)
+ return FALSE;
BFD_ASSERT (elf_dynsymtab (abfd) == 0);
elf_dynsymtab (abfd) = shindex;
elf_tdata (abfd)->dynsymtab_hdr = *hdr;
@@ -1803,6 +1813,9 @@ bfd_section_from_shdr (bfd *abfd, unsign
Elf_Internal_Shdr *hdr2 = elf_elfsections (abfd)[i];
if (hdr2->sh_link == shindex)
{
+ /* Prevent endless recursion on broken objects. */
+ if (i == shindex)
+ return FALSE;
if (! bfd_section_from_shdr (abfd, i))
return FALSE;
if (elf_onesymtab (abfd) == i)
@@ -1846,6 +1859,11 @@ bfd_section_from_shdr (bfd *abfd, unsign
Elf_Internal_Shdr *hdr2;
unsigned int num_sec = elf_numsections (abfd);
+ if (hdr->sh_entsize
+ != (bfd_size_type) (hdr->sh_type == SHT_REL
+ ? bed->s->sizeof_rel : bed->s->sizeof_rela))
+ return FALSE;
+
/* Check for a bogus link to avoid crashing. */
if ((hdr->sh_link >= SHN_LORESERVE && hdr->sh_link <= SHN_HIRESERVE)
|| hdr->sh_link >= num_sec)
@@ -1901,6 +1919,10 @@ bfd_section_from_shdr (bfd *abfd, unsign
if (hdr->sh_link != elf_onesymtab (abfd) || hdr->sh_info == SHN_UNDEF)
return _bfd_elf_make_section_from_shdr (abfd, hdr, name);
+ /* Prevent endless recursion on broken objects. */
+ if (elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
+ || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
+ return FALSE;
if (! bfd_section_from_shdr (abfd, hdr->sh_info))
return FALSE;
target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info);
@@ -1940,6 +1962,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
break;
case SHT_GNU_versym:
+ if (hdr->sh_entsize != sizeof (Elf_External_Versym))
+ return FALSE;
elf_dynversym (abfd) = shindex;
elf_tdata (abfd)->dynversym_hdr = *hdr;
return _bfd_elf_make_section_from_shdr (abfd, hdr, name);
@@ -1958,6 +1982,8 @@ bfd_section_from_shdr (bfd *abfd, unsign
/* We need a BFD section for objcopy and relocatable linking,
and it's handy to have the signature available as the section
name. */
+ if (hdr->sh_entsize != GRP_ENTRY_SIZE)
+ return FALSE;
name = group_signature (abfd, hdr);
if (name == NULL)
return FALSE;
@@ -2684,7 +2710,6 @@ assign_section_numbers (bfd *abfd)
asection *sec;
unsigned int section_number, secn;
Elf_Internal_Shdr **i_shdrp;
- bfd_size_type amt;
section_number = 1;
@@ -2758,13 +2783,13 @@ assign_section_numbers (bfd *abfd)
/* Set up the list of section header pointers, in agreement with the
indices. */
- amt = section_number * sizeof (Elf_Internal_Shdr *);
- i_shdrp = bfd_zalloc (abfd, amt);
+ i_shdrp = (Elf_Internal_Shdr **)
+ bfd_zalloc2 (abfd, section_number, sizeof (Elf_Internal_Shdr *));
if (i_shdrp == NULL)
return FALSE;
- amt = sizeof (Elf_Internal_Shdr);
- i_shdrp[0] = bfd_zalloc (abfd, amt);
+ i_shdrp[0] = (Elf_Internal_Shdr *)
+ bfd_zalloc (abfd, sizeof (Elf_Internal_Shdr));
if (i_shdrp[0] == NULL)
{
bfd_release (abfd, i_shdrp);
@@ -2934,7 +2959,6 @@ elf_map_symbols (bfd *abfd)
unsigned int idx;
asection *asect;
asymbol **new_syms;
- bfd_size_type amt;
#ifdef DEBUG
fprintf (stderr, "elf_map_symbols\n");
@@ -2948,8 +2972,7 @@ elf_map_symbols (bfd *abfd)
}
max_index++;
- amt = max_index * sizeof (asymbol *);
- sect_syms = bfd_zalloc (abfd, amt);
+ sect_syms = (asymbol **) bfd_zalloc2 (abfd, max_index, sizeof (asymbol *));
if (sect_syms == NULL)
return FALSE;
elf_section_syms (abfd) = sect_syms;
@@ -3022,8 +3045,8 @@ elf_map_symbols (bfd *abfd)
}
/* Now sort the symbols so the local symbols are first. */
- amt = (num_locals + num_globals) * sizeof (asymbol *);
- new_syms = bfd_alloc (abfd, amt);
+ new_syms = (asymbol **)
+ bfd_alloc2 (abfd, num_locals + num_globals, sizeof (asymbol *));
if (new_syms == NULL)
return FALSE;
@@ -3263,8 +3286,8 @@ map_sections_to_segments (bfd *abfd)
/* Select the allocated sections, and sort them. */
- amt = bfd_count_sections (abfd) * sizeof (asection *);
- sections = bfd_malloc (amt);
+ sections = (asection **)
+ bfd_malloc2 (bfd_count_sections (abfd), sizeof (asection *));
if (sections == NULL)
goto error_return;
@@ -3702,7 +3725,6 @@ assign_file_positions_for_segments (bfd
bfd_vma filehdr_vaddr, filehdr_paddr;
bfd_vma phdrs_vaddr, phdrs_paddr;
Elf_Internal_Phdr *p;
- bfd_size_type amt;
if (elf_tdata (abfd)->segment_map == NULL)
{
@@ -3774,8 +3796,8 @@ assign_file_positions_for_segments (bfd
if (alloc == 0)
alloc = count;
- amt = alloc * sizeof (Elf_Internal_Phdr);
- phdrs = bfd_alloc (abfd, amt);
+ phdrs = (Elf_Internal_Phdr *)
+ bfd_alloc2 (abfd, alloc, sizeof (Elf_Internal_Phdr));
if (phdrs == NULL)
return FALSE;
@@ -5003,8 +5025,7 @@ copy_private_bfd_data (bfd *ibfd, bfd *o
/* Gcc 2.96 miscompiles this code on mips. Don't do casting here
to work around this long long bug. */
- amt = section_count * sizeof (asection *);
- sections = bfd_malloc (amt);
+ sections = (asection **) bfd_malloc2 (section_count, sizeof (asection *));
if (sections == NULL)
return FALSE;
@@ -5446,8 +5467,7 @@ swap_out_syms (bfd *abfd,
symstrtab_hdr = &elf_tdata (abfd)->strtab_hdr;
symstrtab_hdr->sh_type = SHT_STRTAB;
- amt = (bfd_size_type) (1 + symcount) * bed->s->sizeof_sym;
- outbound_syms = bfd_alloc (abfd, amt);
+ outbound_syms = bfd_alloc2 (abfd, 1 + symcount, bed->s->sizeof_sym);
if (outbound_syms == NULL)
{
_bfd_stringtab_free (stt);
@@ -5460,7 +5480,8 @@ swap_out_syms (bfd *abfd,
if (symtab_shndx_hdr->sh_name != 0)
{
amt = (bfd_size_type) (1 + symcount) * sizeof (Elf_External_Sym_Shndx);
- outbound_shndx = bfd_zalloc (abfd, amt);
+ outbound_shndx = bfd_zalloc2 (abfd, 1 + symcount,
+ sizeof (Elf_External_Sym_Shndx));
if (outbound_shndx == NULL)
{
_bfd_stringtab_free (stt);
@@ -5872,7 +5893,6 @@ bfd_boolean
_bfd_elf_slurp_version_tables (bfd *abfd)
{
bfd_byte *contents = NULL;
- bfd_size_type amt;
if (elf_dynverdef (abfd) != 0)
{
@@ -5883,6 +5903,7 @@ _bfd_elf_slurp_version_tables (bfd *abfd
Elf_Internal_Verdef iverdefmem;
unsigned int i;
unsigned int maxidx;
+ bfd_byte *contents_end_def, *contents_end_aux;
hdr = &elf_tdata (abfd)->dynverdef_hdr;
@@ -5893,6 +5914,16 @@ _bfd_elf_slurp_version_tables (bfd *abfd
|| bfd_bread (contents, hdr->sh_size, abfd) != hdr->sh_size)
goto error_return;
+ if (hdr->sh_info && hdr->sh_size < sizeof (Elf_External_Verdef))
+ goto error_return;
+
+ BFD_ASSERT (sizeof (Elf_External_Verdef)
+ >= sizeof (Elf_External_Verdaux));
+ contents_end_def = contents + hdr->sh_size
+ - sizeof (Elf_External_Verdef);
+ contents_end_aux = contents + hdr->sh_size
+ - sizeof (Elf_External_Verdaux);
+
/* We know the number of entries in the section but not the maximum
index. Therefore we have to run through all entries and find
the maximum. */
@@ -5905,12 +5936,17 @@ _bfd_elf_slurp_version_tables (bfd *abfd
if ((iverdefmem.vd_ndx & ((unsigned) VERSYM_VERSION)) > maxidx)
maxidx = iverdefmem.vd_ndx & ((unsigned) VERSYM_VERSION);
+ if (iverdefmem.vd_next
+ > (size_t) (contents_end_def - (bfd_byte *) everdef))
+ goto error_return;
+
everdef = ((Elf_External_Verdef *)
((bfd_byte *) everdef + iverdefmem.vd_next));
}
- amt = (bfd_size_type) maxidx * sizeof (Elf_Internal_Verdef);
- elf_tdata (abfd)->verdef = bfd_zalloc (abfd, amt);
+ elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *)
+ bfd_zalloc2 (abfd, maxidx,
+ sizeof (Elf_Internal_Verdef));
if (elf_tdata (abfd)->verdef == NULL)
goto error_return;
@@ -5926,15 +5962,32 @@ _bfd_elf_slurp_version_tables (bfd *abfd
_bfd_elf_swap_verdef_in (abfd, everdef, &iverdefmem);
+ if ((iverdefmem.vd_ndx & VERSYM_VERSION) == 0)
+ {
+error_return_verdef:
+ elf_tdata (abfd)->verdef = NULL;
+ elf_tdata (abfd)->cverdefs = 0;
+ goto error_return;
+ }
+
iverdef = &iverdefarr[(iverdefmem.vd_ndx & VERSYM_VERSION) - 1];
memcpy (iverdef, &iverdefmem, sizeof (Elf_Internal_Verdef));
iverdef->vd_bfd = abfd;
- amt = (bfd_size_type) iverdef->vd_cnt * sizeof (Elf_Internal_Verdaux);
- iverdef->vd_auxptr = bfd_alloc (abfd, amt);
- if (iverdef->vd_auxptr == NULL)
- goto error_return;
+ if (iverdef->vd_cnt == 0)
+ iverdef->vd_auxptr = NULL;
+ else
+ {
+ iverdef->vd_auxptr = bfd_alloc2 (abfd, iverdef->vd_cnt,
+ sizeof (Elf_Internal_Verdaux));
+ if (iverdef->vd_auxptr == NULL)
+ goto error_return_verdef;
+ }
+
+ if (iverdef->vd_aux
+ > (size_t) (contents_end_aux - (bfd_byte *) everdef))
+ goto error_return_verdef;
everdaux = ((Elf_External_Verdaux *)
((bfd_byte *) everdef + iverdef->vd_aux));
@@ -5947,20 +6000,25 @@ _bfd_elf_slurp_version_tables (bfd *abfd
bfd_elf_string_from_elf_section (abfd, hdr->sh_link,
iverdaux->vda_name);
if (iverdaux->vda_nodename == NULL)
- goto error_return;
+ goto error_return_verdef;
if (j + 1 < iverdef->vd_cnt)
iverdaux->vda_nextptr = iverdaux + 1;
else
iverdaux->vda_nextptr = NULL;
+ if (iverdaux->vda_next
+ > (size_t) (contents_end_aux - (bfd_byte *) everdaux))
+ goto error_return_verdef;
+
everdaux = ((Elf_External_Verdaux *)
((bfd_byte *) everdaux + iverdaux->vda_next));
}
- iverdef->vd_nodename = iverdef->vd_auxptr->vda_nodename;
+ if (iverdef->vd_cnt)
+ iverdef->vd_nodename = iverdef->vd_auxptr->vda_nodename;
- if (i + 1 < hdr->sh_info)
+ if ((size_t) (iverdef - iverdefarr) + 1 < maxidx)
iverdef->vd_nextdef = iverdef + 1;
else
iverdef->vd_nextdef = NULL;
@@ -5979,11 +6037,13 @@ _bfd_elf_slurp_version_tables (bfd *abfd
Elf_External_Verneed *everneed;
Elf_Internal_Verneed *iverneed;
unsigned int i;
+ bfd_byte *contents_end;
hdr = &elf_tdata (abfd)->dynverref_hdr;
- amt = (bfd_size_type) hdr->sh_info * sizeof (Elf_Internal_Verneed);
- elf_tdata (abfd)->verref = bfd_zalloc (abfd, amt);
+ elf_tdata (abfd)->verref =
+ (Elf_Internal_Verneed *) bfd_zalloc2 (abfd, hdr->sh_info,
+ sizeof (Elf_Internal_Verneed));
if (elf_tdata (abfd)->verref == NULL)
goto error_return;
@@ -5991,10 +6051,22 @@ _bfd_elf_slurp_version_tables (bfd *abfd
contents = bfd_malloc (hdr->sh_size);
if (contents == NULL)
- goto error_return;
+ {
+error_return_verref:
+ elf_tdata (abfd)->verref = NULL;
+ elf_tdata (abfd)->cverrefs = 0;
+ goto error_return;
+ }
if (bfd_seek (abfd, hdr->sh_offset, SEEK_SET) != 0
|| bfd_bread (contents, hdr->sh_size, abfd) != hdr->sh_size)
- goto error_return;
+ goto error_return_verref;
+
+ if (hdr->sh_info && hdr->sh_size < sizeof (Elf_External_Verneed))
+ goto error_return_verref;
+
+ BFD_ASSERT (sizeof (Elf_External_Verneed)
+ == sizeof (Elf_External_Vernaux));
+ contents_end = contents + hdr->sh_size - sizeof (Elf_External_Verneed);
everneed = (Elf_External_Verneed *) contents;
iverneed = elf_tdata (abfd)->verref;
@@ -6012,11 +6084,21 @@ _bfd_elf_slurp_version_tables (bfd *abfd
bfd_elf_string_from_elf_section (abfd, hdr->sh_link,
iverneed->vn_file);
if (iverneed->vn_filename == NULL)
- goto error_return;
+ goto error_return_verref;
- amt = iverneed->vn_cnt;
- amt *= sizeof (Elf_Internal_Vernaux);
- iverneed->vn_auxptr = bfd_alloc (abfd, amt);
+ if (iverneed->vn_cnt == 0)
+ iverneed->vn_auxptr = NULL;
+ else
+ {
+ iverneed->vn_auxptr = bfd_alloc2 (abfd, iverneed->vn_cnt,
+ sizeof (Elf_Internal_Vernaux));
+ if (iverneed->vn_auxptr == NULL)
+ goto error_return_verref;
+ }
+
+ if (iverneed->vn_aux
+ > (size_t) (contents_end - (bfd_byte *) everneed))
+ goto error_return_verref;
evernaux = ((Elf_External_Vernaux *)
((bfd_byte *) everneed + iverneed->vn_aux));
@@ -6029,13 +6111,17 @@ _bfd_elf_slurp_version_tables (bfd *abfd
bfd_elf_string_from_elf_section (abfd, hdr->sh_link,
ivernaux->vna_name);
if (ivernaux->vna_nodename == NULL)
- goto error_return;
+ goto error_return_verref;
if (j + 1 < iverneed->vn_cnt)
ivernaux->vna_nextptr = ivernaux + 1;
else
ivernaux->vna_nextptr = NULL;
+ if (ivernaux->vna_next
+ > (size_t) (contents_end - (bfd_byte *) evernaux))
+ goto error_return_verref;
+
evernaux = ((Elf_External_Vernaux *)
((bfd_byte *) evernaux + ivernaux->vna_next));
}
@@ -6045,6 +6131,10 @@ _bfd_elf_slurp_version_tables (bfd *abfd
else
iverneed->vn_nextref = NULL;
+ if (iverneed->vn_next
+ > (size_t) (contents_end - (bfd_byte *) everneed))
+ goto error_return_verref;
+
everneed = ((Elf_External_Verneed *)
((bfd_byte *) everneed + iverneed->vn_next));
}
--- gdb+dejagnu-20040607/bfd/elfcode.h.fix 2005-10-04 18:27:17.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/elfcode.h 2005-10-04 18:33:55.000000000 -0400
@@ -33,7 +33,7 @@ Foundation, Inc., 59 Temple Place - Suit
/* Problems and other issues to resolve.
(1) BFD expects there to be some fixed number of "sections" in
- the object file. I.E. there is a "section_count" variable in the
+ the object file. I.E. there is a "section_count" variable in the
bfd structure which contains the number of sections. However, ELF
supports multiple "views" of a file. In particular, with current
implementations, executable files typically have two tables, a
@@ -613,8 +613,13 @@ elf_object_p (bfd *abfd)
if (i_ehdrp->e_shoff != 0)
{
+ bfd_signed_vma where = i_ehdrp->e_shoff;
+
+ if (where != (file_ptr) where)
+ goto got_wrong_format_error;
+
/* Seek to the section header table in the file. */
- if (bfd_seek (abfd, (file_ptr) i_ehdrp->e_shoff, SEEK_SET) != 0)
+ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
goto got_no_match;
/* Read the first section header at index 0, and convert to internal
@@ -626,11 +631,46 @@ elf_object_p (bfd *abfd)
/* If the section count is zero, the actual count is in the first
section header. */
if (i_ehdrp->e_shnum == SHN_UNDEF)
- i_ehdrp->e_shnum = i_shdr.sh_size;
+ {
+ i_ehdrp->e_shnum = i_shdr.sh_size;
+ if (i_ehdrp->e_shnum != i_shdr.sh_size
+ || i_ehdrp->e_shnum == 0)
+ goto got_wrong_format_error;
+ }
/* And similarly for the string table index. */
if (i_ehdrp->e_shstrndx == SHN_XINDEX)
- i_ehdrp->e_shstrndx = i_shdr.sh_link;
+ {
+ i_ehdrp->e_shstrndx = i_shdr.sh_link;
+ if (i_ehdrp->e_shstrndx != i_shdr.sh_link)
+ goto got_wrong_format_error;
+ }
+
+ /* Sanity check that we can read all of the section headers.
+ It ought to be good enough to just read the last one. */
+ if (i_ehdrp->e_shnum != 1)
+ {
+ /* Check that we don't have a totally silly number of sections. */
+ if (i_ehdrp->e_shnum > (unsigned int) -1 / sizeof (x_shdr)
+ || i_ehdrp->e_shnum > (unsigned int) -1 / sizeof (i_shdr))
+ goto got_wrong_format_error;
+
+ where += (i_ehdrp->e_shnum - 1) * sizeof (x_shdr);
+ if (where != (file_ptr) where)
+ goto got_wrong_format_error;
+ if ((bfd_size_type) where <= i_ehdrp->e_shoff)
+ goto got_wrong_format_error;
+
+ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
+ goto got_no_match;
+ if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
+ goto got_no_match;
+
+ /* Back to where we were. */
+ where = i_ehdrp->e_shoff + sizeof (x_shdr);
+ if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
+ goto got_no_match;
+ }
}
/* Allocate space for a copy of the section header table in
@@ -674,6 +714,20 @@ elf_object_p (bfd *abfd)
goto got_no_match;
elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
+ /* Sanity check sh_link and sh_info. */
+ if (i_shdrp[shindex].sh_link >= num_sec
+ || (i_shdrp[shindex].sh_link >= SHN_LORESERVE
+ && i_shdrp[shindex].sh_link <= SHN_HIRESERVE))
+ goto got_wrong_format_error;
+
+ if (((i_shdrp[shindex].sh_flags & SHF_INFO_LINK)
+ || i_shdrp[shindex].sh_type == SHT_RELA
+ || i_shdrp[shindex].sh_type == SHT_REL)
+ && (i_shdrp[shindex].sh_info >= num_sec
+ || (i_shdrp[shindex].sh_info >= SHN_LORESERVE
+ && i_shdrp[shindex].sh_info <= SHN_HIRESERVE)))
+ goto got_wrong_format_error;
+
/* If the section is loaded, but not page aligned, clear
D_PAGED. */
if (i_shdrp[shindex].sh_size != 0
@@ -692,6 +746,17 @@ elf_object_p (bfd *abfd)
goto got_no_match;
}
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
+ || (i_ehdrp->e_shstrndx >= SHN_LORESERVE
+ && i_ehdrp->e_shstrndx <= SHN_HIRESERVE))
+ goto got_wrong_format_error;
+ }
+ else if (i_ehdrp->e_shstrndx != 0)
+ goto got_wrong_format_error;
+
/* Read in the program headers. */
if (i_ehdrp->e_phnum == 0)
elf_tdata (abfd)->phdr = NULL;
@@ -1055,7 +1120,7 @@ elf_slurp_symbol_table (bfd *abfd, asymb
symcount);
/* Slurp in the symbols without the version information,
- since that is more helpful than just quitting. */
+ since that is more helpful than just quitting. */
verhdr = NULL;
}
--- gdb+dejagnu-20040607/bfd/archive.c.fix 2005-10-04 18:27:22.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/archive.c 2005-10-04 18:42:12.000000000 -0400
@@ -170,11 +170,13 @@ _bfd_generic_mkarchive (bfd *abfd)
if (bfd_ardata (abfd) == NULL)
return FALSE;
- bfd_ardata (abfd)->cache = NULL;
- bfd_ardata (abfd)->archive_head = NULL;
- bfd_ardata (abfd)->symdefs = NULL;
- bfd_ardata (abfd)->extended_names = NULL;
- bfd_ardata (abfd)->tdata = NULL;
+ /* Already cleared by bfd_zalloc above.
+ bfd_ardata (abfd)->cache = NULL;
+ bfd_ardata (abfd)->archive_head = NULL;
+ bfd_ardata (abfd)->symdefs = NULL;
+ bfd_ardata (abfd)->extended_names = NULL;
+ bfd_ardata (abfd)->extended_names_size = 0;
+ bfd_ardata (abfd)->tdata = NULL; */
return TRUE;
}
@@ -302,7 +304,7 @@ get_extended_arelt_filename (bfd *arch,
errno = 0;
/* Skip first char, which is '/' in SVR4 or ' ' in some other variants. */
index = strtol (name + 1, NULL, 10);
- if (errno != 0)
+ if (errno != 0 || index >= bfd_ardata (arch)->extended_names_size)
{
bfd_set_error (bfd_error_malformed_archive);
return NULL;
@@ -372,10 +374,7 @@ _bfd_generic_read_ar_hdr_mag (bfd *abfd,
{
filename = get_extended_arelt_filename (abfd, hdr.ar_name);
if (filename == NULL)
- {
- bfd_set_error (bfd_error_malformed_archive);
- return NULL;
- }
+ return NULL;
}
/* BSD4.4-style long filename.
Only implemented for reading, so far! */
@@ -601,11 +600,13 @@ bfd_generic_archive_p (bfd *abfd)
}
bfd_ardata (abfd)->first_file_filepos = SARMAG;
- bfd_ardata (abfd)->cache = NULL;
- bfd_ardata (abfd)->archive_head = NULL;
- bfd_ardata (abfd)->symdefs = NULL;
- bfd_ardata (abfd)->extended_names = NULL;
- bfd_ardata (abfd)->tdata = NULL;
+ /* Cleared by bfd_zalloc above.
+ bfd_ardata (abfd)->cache = NULL;
+ bfd_ardata (abfd)->archive_head = NULL;
+ bfd_ardata (abfd)->symdefs = NULL;
+ bfd_ardata (abfd)->extended_names = NULL;
+ bfd_ardata (abfd)->extended_names_size = 0;
+ bfd_ardata (abfd)->tdata = NULL; */
if (!BFD_SEND (abfd, _bfd_slurp_armap, (abfd))
|| !BFD_SEND (abfd, _bfd_slurp_extended_name_table, (abfd)))
@@ -804,9 +805,15 @@ do_slurp_coff_armap (bfd *abfd)
/* The coff armap must be read sequentially. So we construct a
bsd-style one in core all at once, for simplicity. */
+ if (nsymz > ~ (bfd_size_type) 0 / sizeof (carsym))
+ return FALSE;
+
carsym_size = (nsymz * sizeof (carsym));
ptrsize = (4 * nsymz);
+ if (carsym_size + stringsize + 1 <= carsym_size)
+ return FALSE;
+
ardata->symdefs = bfd_zalloc (abfd, carsym_size + stringsize + 1);
if (ardata->symdefs == NULL)
return FALSE;
@@ -1043,6 +1050,7 @@ _bfd_slurp_extended_name_table (bfd *abf
strncmp (nextname, "// ", 16) != 0)
{
bfd_ardata (abfd)->extended_names = NULL;
+ bfd_ardata (abfd)->extended_names_size = 0;
return TRUE;
}
@@ -1051,7 +1059,11 @@ _bfd_slurp_extended_name_table (bfd *abf
return FALSE;
amt = namedata->parsed_size;
- bfd_ardata (abfd)->extended_names = bfd_zalloc (abfd, amt);
+ if (amt + 1 == 0)
+ goto byebye;
+
+ bfd_ardata (abfd)->extended_names_size = amt;
+ bfd_ardata (abfd)->extended_names = bfd_zalloc (abfd, amt + 1);
if (bfd_ardata (abfd)->extended_names == NULL)
{
byebye:
@@ -1074,15 +1086,17 @@ _bfd_slurp_extended_name_table (bfd *abf
trailing '/'. DOS/NT created archive often have \ in them
We'll fix all problems here.. */
{
- char *temp = bfd_ardata (abfd)->extended_names;
+ char *ext_names = bfd_ardata (abfd)->extended_names;
+ char *temp = ext_names;
char *limit = temp + namedata->parsed_size;
for (; temp < limit; ++temp)
{
if (*temp == '\012')
- temp[temp[-1] == '/' ? -1 : 0] = '\0';
+ temp[temp > ext_names && temp[-1] == '/' ? -1 : 0] = '\0';
if (*temp == '\\')
*temp = '/';
}
+ *limit = '\0';
}
/* Pad to an even boundary if you have to. */
--- gdb+dejagnu-20040607/bfd/libbfd-in.h.fix 2005-10-04 18:27:33.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/libbfd-in.h 2005-10-04 18:47:13.000000000 -0400
@@ -61,6 +61,7 @@ struct artdata {
carsym *symdefs; /* the symdef entries */
symindex symdef_count; /* how many there are */
char *extended_names; /* clever intel extension */
+ bfd_size_type extended_names_size; /* Size of extended names */
/* when more compilers are standard C, this can be a time_t */
long armap_timestamp; /* Timestamp value written into armap.
This is used for BSD archives to check
@@ -90,6 +91,12 @@ extern void *bfd_realloc
(void *, bfd_size_type);
extern void *bfd_zmalloc
(bfd_size_type);
+extern PTR bfd_malloc2
+ (bfd_size_type, bfd_size_type);
+extern PTR bfd_realloc2
+ (PTR , bfd_size_type, bfd_size_type);
+extern PTR bfd_zmalloc2
+ (bfd_size_type, bfd_size_type);
extern bfd_error_handler_type _bfd_error_handler;
@@ -99,6 +106,10 @@ extern void *bfd_alloc
(bfd *, bfd_size_type);
extern void *bfd_zalloc
(bfd *, bfd_size_type);
+extern PTR bfd_alloc2
+ (bfd *, bfd_size_type, bfd_size_type);
+extern PTR bfd_zalloc2
+ (bfd *, bfd_size_type, bfd_size_type);
extern void bfd_release
(bfd *, void *);
--- gdb+dejagnu-20040607/bfd/bfd-in.h.fix 2005-10-04 18:27:42.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/bfd-in.h 2005-10-04 18:49:37.000000000 -0400
@@ -144,6 +144,9 @@ typedef unsigned long bfd_size_type;
#endif /* not BFD64 */
+#define HALF_BFD_SIZE_TYPE \
+ (((bfd_size_type) 1) << (8 * sizeof (bfd_size_type) / 2))
+
#ifndef BFD_HOST_64_BIT
/* Fall back on a 32 bit type. The idea is to make these types always
available for function return types, but in the case that
--- gdb+dejagnu-20040607/bfd/libbfd.c.fix 2005-10-04 18:27:51.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/libbfd.c 2005-10-04 18:33:55.000000000 -0400
@@ -156,6 +156,36 @@ bfd_malloc (bfd_size_type size)
return ptr;
}
+/* Allocate memory using malloc, nmemb * size with overflow checking. */
+
+void *
+bfd_malloc2 (bfd_size_type nmemb, bfd_size_type size)
+{
+ void *ptr;
+
+ if ((nmemb | size) >= HALF_BFD_SIZE_TYPE
+ && size != 0
+ && nmemb > ~(bfd_size_type) 0 / size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return NULL;
+ }
+
+ size *= nmemb;
+
+ if (size != (size_t) size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return NULL;
+ }
+
+ ptr = malloc ((size_t) size);
+ if (ptr == NULL && (size_t) size != 0)
+ bfd_set_error (bfd_error_no_memory);
+
+ return ptr;
+}
+
/* Reallocate memory using realloc. */
void *
@@ -180,6 +210,40 @@ bfd_realloc (void *ptr, bfd_size_type si
return ret;
}
+/* Reallocate memory using realloc, nmemb * size with overflow checking. */
+
+void *
+bfd_realloc2 (void *ptr, bfd_size_type nmemb, bfd_size_type size)
+{
+ void *ret;
+
+ if ((nmemb | size) >= HALF_BFD_SIZE_TYPE
+ && size != 0
+ && nmemb > ~(bfd_size_type) 0 / size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return NULL;
+ }
+
+ size *= nmemb;
+
+ if (size != (size_t) size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return NULL;
+ }
+
+ if (ptr == NULL)
+ ret = malloc ((size_t) size);
+ else
+ ret = realloc (ptr, (size_t) size);
+
+ if (ret == NULL && (size_t) size != 0)
+ bfd_set_error (bfd_error_no_memory);
+
+ return ret;
+}
+
/* Allocate memory using malloc and clear it. */
void *
@@ -205,6 +269,44 @@ bfd_zmalloc (bfd_size_type size)
return ptr;
}
+
+/* Allocate memory using malloc (nmemb * size) with overflow checking
+ and clear it. */
+
+void *
+bfd_zmalloc2 (bfd_size_type nmemb, bfd_size_type size)
+{
+ void *ptr;
+
+ if ((nmemb | size) >= HALF_BFD_SIZE_TYPE
+ && size != 0
+ && nmemb > ~(bfd_size_type) 0 / size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return NULL;
+ }
+
+ size *= nmemb;
+
+ if (size != (size_t) size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return NULL;
+ }
+
+ ptr = malloc ((size_t) size);
+
+ if ((size_t) size != 0)
+ {
+ if (ptr == NULL)
+ bfd_set_error (bfd_error_no_memory);
+ else
+ memset (ptr, 0, (size_t) size);
+ }
+
+ return ptr;
+}
+
/*
INTERNAL_FUNCTION
bfd_write_bigendian_4byte_int
--- gdb+dejagnu-20040607/bfd/opncls.c.fix 2005-10-04 18:27:56.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/opncls.c 2005-10-04 18:33:55.000000000 -0400
@@ -849,6 +849,54 @@ bfd_zalloc (bfd *abfd, bfd_size_type siz
return res;
}
+void *
+bfd_alloc2 (bfd *abfd, bfd_size_type nmemb, bfd_size_type size)
+{
+ void *ret;
+
+ if ((nmemb | size) >= HALF_BFD_SIZE_TYPE
+ && size != 0
+ && nmemb > ~(bfd_size_type) 0 / size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return NULL;
+ }
+
+ size *= nmemb;
+
+ if (size != (unsigned long) size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return NULL;
+ }
+
+ ret = objalloc_alloc (abfd->memory, (unsigned long) size);
+ if (ret == NULL)
+ bfd_set_error (bfd_error_no_memory);
+ return ret;
+}
+
+void *
+bfd_zalloc2 (bfd *abfd, bfd_size_type nmemb, bfd_size_type size)
+{
+ void *res;
+
+ if ((nmemb | size) >= HALF_BFD_SIZE_TYPE
+ && size != 0
+ && nmemb > ~(bfd_size_type) 0 / size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return NULL;
+ }
+
+ size *= nmemb;
+
+ res = bfd_alloc (abfd, size);
+ if (res)
+ memset (res, 0, (size_t) size);
+ return res;
+}
+
/* Free a block allocated for a BFD.
Note: Also frees all more recently allocated blocks! */
--- gdb+dejagnu-20040607/bfd/bfd-in2.h.fix 2005-10-04 18:28:05.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/bfd-in2.h 2005-10-04 18:50:40.000000000 -0400
@@ -151,6 +151,9 @@ typedef unsigned long bfd_size_type;
#endif /* not BFD64 */
+#define HALF_BFD_SIZE_TYPE \
+ (((bfd_size_type) 1) << (8 * sizeof (bfd_size_type) / 2))
+
#ifndef BFD_HOST_64_BIT
/* Fall back on a 32 bit type. The idea is to make these types always
available for function return types, but in the case that
--- gdb+dejagnu-20040607/bfd/elf64-ppc.c.fix 2005-10-04 18:28:19.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/elf64-ppc.c 2005-10-04 18:33:56.000000000 -0400
@@ -2104,8 +2104,13 @@ ppc64_elf_info_to_howto (bfd *abfd ATTRI
ppc_howto_init ();
type = ELF64_R_TYPE (dst->r_info);
- BFD_ASSERT (type < (sizeof (ppc64_elf_howto_table)
- / sizeof (ppc64_elf_howto_table[0])));
+ if (type >= (sizeof (ppc64_elf_howto_table)
+ / sizeof (ppc64_elf_howto_table[0])))
+ {
+ (*_bfd_error_handler) (_("%B: invalid relocation type %d"),
+ abfd, (int) type);
+ type = R_PPC64_NONE;
+ }
cache_ptr->howto = ppc64_elf_howto_table[type];
}
--- gdb+dejagnu-20040607/bfd/libbfd.h.fix 2005-10-04 18:28:29.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/libbfd.h 2005-10-04 18:45:17.000000000 -0400
@@ -66,6 +66,7 @@ struct artdata {
carsym *symdefs; /* the symdef entries */
symindex symdef_count; /* how many there are */
char *extended_names; /* clever intel extension */
+ bfd_size_type extended_names_size; /* Size of extended names */
/* when more compilers are standard C, this can be a time_t */
long armap_timestamp; /* Timestamp value written into armap.
This is used for BSD archives to check
@@ -95,6 +96,12 @@ extern void *bfd_realloc
(void *, bfd_size_type);
extern void *bfd_zmalloc
(bfd_size_type);
+extern PTR bfd_malloc2
+ (bfd_size_type, bfd_size_type);
+extern PTR bfd_realloc2
+ (PTR , bfd_size_type, bfd_size_type);
+extern PTR bfd_zmalloc2
+ (bfd_size_type, bfd_size_type);
extern bfd_error_handler_type _bfd_error_handler;
@@ -104,6 +111,10 @@ extern void *bfd_alloc
(bfd *, bfd_size_type);
extern void *bfd_zalloc
(bfd *, bfd_size_type);
+extern PTR bfd_alloc2
+ (bfd *, bfd_size_type, bfd_size_type);
+extern PTR bfd_zalloc2
+ (bfd *, bfd_size_type, bfd_size_type);
extern void bfd_release
(bfd *, void *);
--- gdb+dejagnu-20040607/bfd/ecoff.c.fix 2005-10-04 18:28:36.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/ecoff.c 2005-10-04 18:33:56.000000000 -0400
@@ -3332,11 +3332,13 @@ _bfd_ecoff_archive_p (abfd)
}
bfd_ardata (abfd)->first_file_filepos = SARMAG;
- bfd_ardata (abfd)->cache = NULL;
- bfd_ardata (abfd)->archive_head = NULL;
- bfd_ardata (abfd)->symdefs = NULL;
- bfd_ardata (abfd)->extended_names = NULL;
- bfd_ardata (abfd)->tdata = NULL;
+ /* Already cleared by bfd_zalloc above.
+ bfd_ardata (abfd)->cache = NULL;
+ bfd_ardata (abfd)->archive_head = NULL;
+ bfd_ardata (abfd)->symdefs = NULL;
+ bfd_ardata (abfd)->extended_names = NULL;
+ bfd_ardata (abfd)->extended_names_size = 0;
+ bfd_ardata (abfd)->tdata = NULL; */
if (! _bfd_ecoff_slurp_armap (abfd)
|| ! _bfd_ecoff_slurp_extended_name_table (abfd))
--- gdb+dejagnu-20040607/bfd/elf64-x86-64.c.fix 2005-10-04 18:28:46.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/elf64-x86-64.c 2005-10-04 18:33:56.000000000 -0400
@@ -176,16 +176,19 @@ elf64_x86_64_info_to_howto (bfd *abfd AT
unsigned r_type, i;
r_type = ELF64_R_TYPE (dst->r_info);
- if (r_type < (unsigned int) R_X86_64_GNU_VTINHERIT)
+ if (r_type < (unsigned int) R_X86_64_GNU_VTINHERIT
+ || r_type >= (unsigned int) R_X86_64_max)
{
- BFD_ASSERT (r_type <= (unsigned int) R_X86_64_TPOFF32);
+ if (r_type > (unsigned int) R_X86_64_TPOFF32)
+ {
+ (*_bfd_error_handler) (_("%B: invalid relocation type %d"),
+ abfd, (int) r_type);
+ r_type = R_X86_64_NONE;
+ }
i = r_type;
}
else
- {
- BFD_ASSERT (r_type < (unsigned int) R_X86_64_max);
- i = r_type - ((unsigned int) R_X86_64_GNU_VTINHERIT - R_X86_64_TPOFF32 - 1);
- }
+ i = r_type - ((unsigned int) R_X86_64_GNU_VTINHERIT - R_X86_64_TPOFF32 - 1);
cache_ptr->howto = &x86_64_elf_howto_table[i];
BFD_ASSERT (r_type == cache_ptr->howto->type);
}
--- gdb+dejagnu-20040607/bfd/elf32-sparc.c.fix 2005-10-04 18:28:58.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/elf32-sparc.c 2005-10-04 18:33:55.000000000 -0400
@@ -313,7 +313,8 @@ elf32_sparc_info_to_howto (abfd, cache_p
arelent *cache_ptr;
Elf_Internal_Rela *dst;
{
- switch (ELF32_R_TYPE(dst->r_info))
+ unsigned int r_type = ELF32_R_TYPE(dst->r_info);
+ switch (r_type)
{
case R_SPARC_GNU_VTINHERIT:
cache_ptr->howto = &elf32_sparc_vtinherit_howto;
@@ -328,8 +329,13 @@ elf32_sparc_info_to_howto (abfd, cache_p
break;
default:
- BFD_ASSERT (ELF32_R_TYPE(dst->r_info) < (unsigned int) R_SPARC_max_std);
- cache_ptr->howto = &_bfd_sparc_elf_howto_table[ELF32_R_TYPE(dst->r_info)];
+ if (r_type >= (unsigned int) R_SPARC_max_std)
+ {
+ (*_bfd_error_handler) (_("invalid relocation type %d"),
+ (int) r_type);
+ r_type = R_SPARC_NONE;
+ }
+ cache_ptr->howto = &_bfd_sparc_elf_howto_table[r_type];
}
}
�
--- gdb+dejagnu-20040607/bfd/elf64-sparc.c.fix 2005-10-04 18:29:09.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/elf64-sparc.c 2005-10-04 18:33:55.000000000 -0400
@@ -310,8 +310,14 @@ sparc64_elf_info_to_howto (abfd, cache_p
arelent *cache_ptr;
Elf_Internal_Rela *dst;
{
- BFD_ASSERT (ELF64_R_TYPE_ID (dst->r_info) < (unsigned int) R_SPARC_max_std);
- cache_ptr->howto = &sparc64_elf_howto_table[ELF64_R_TYPE_ID (dst->r_info)];
+ unsigned int r_type = ELF64_R_TYPE_ID (dst->r_info);
+ if (r_type >= (unsigned int) R_SPARC_max_std)
+ {
+ (*_bfd_error_handler) (_("invalid relocation type %d"),
+ (int) r_type);
+ r_type = R_SPARC_NONE;
+ }
+ cache_ptr->howto = &sparc64_elf_howto_table[r_type];
}
�
struct sparc64_elf_section_data
--- gdb+dejagnu-20040607/bfd/elf32-s390.c.fix 2005-10-04 18:29:23.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/elf32-s390.c 2005-10-04 18:33:55.000000000 -0400
@@ -350,7 +350,8 @@ elf_s390_info_to_howto (abfd, cache_ptr,
arelent *cache_ptr;
Elf_Internal_Rela *dst;
{
- switch (ELF32_R_TYPE(dst->r_info))
+ unsigned int r_type = ELF32_R_TYPE(dst->r_info);
+ switch (r_type)
{
case R_390_GNU_VTINHERIT:
cache_ptr->howto = &elf32_s390_vtinherit_howto;
@@ -361,8 +362,13 @@ elf_s390_info_to_howto (abfd, cache_ptr,
break;
default:
- BFD_ASSERT (ELF32_R_TYPE(dst->r_info) < (unsigned int) R_390_max);
- cache_ptr->howto = &elf_howto_table[ELF32_R_TYPE(dst->r_info)];
+ if (r_type >= sizeof (elf_howto_table) / sizeof (elf_howto_table[0]))
+ {
+ (*_bfd_error_handler) (_("%B: invalid relocation type %d"),
+ abfd, (int) r_type);
+ r_type = R_390_NONE;
+ }
+ cache_ptr->howto = &elf_howto_table[r_type];
}
}
--- gdb+dejagnu-20040607/bfd/elf64-s390.c.fix 2005-10-04 18:29:35.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/elf64-s390.c 2005-10-04 18:33:56.000000000 -0400
@@ -372,7 +372,8 @@ elf_s390_info_to_howto (abfd, cache_ptr,
arelent *cache_ptr;
Elf_Internal_Rela *dst;
{
- switch (ELF64_R_TYPE(dst->r_info))
+ unsigned int r_type = ELF64_R_TYPE(dst->r_info);
+ switch (r_type)
{
case R_390_GNU_VTINHERIT:
cache_ptr->howto = &elf64_s390_vtinherit_howto;
@@ -383,8 +384,13 @@ elf_s390_info_to_howto (abfd, cache_ptr,
break;
default:
- BFD_ASSERT (ELF64_R_TYPE(dst->r_info) < (unsigned int) R_390_max);
- cache_ptr->howto = &elf_howto_table[ELF64_R_TYPE(dst->r_info)];
+ if (r_type >= sizeof (elf_howto_table) / sizeof (elf_howto_table[0]))
+ {
+ (*_bfd_error_handler) (_("%B: invalid relocation type %d"),
+ abfd, (int) r_type);
+ r_type = R_390_NONE;
+ }
+ cache_ptr->howto = &elf_howto_table[r_type];
}
}
--- gdb+dejagnu-20040607/bfd/elfxx-ia64.c.fix 2005-10-04 18:29:42.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/elfxx-ia64.c 2005-10-04 18:33:56.000000000 -0400
@@ -479,7 +479,8 @@ lookup_howto (rtype)
elf_code_to_howto_index[ia64_howto_table[i].type] = i;
}
- BFD_ASSERT (rtype <= R_IA64_MAX_RELOC_CODE);
+ if (rtype > R_IA64_MAX_RELOC_CODE)
+ return 0;
i = elf_code_to_howto_index[rtype];
if (i >= NELEMS (ia64_howto_table))
return 0;
--- gdb+dejagnu-20040607/bfd/coffcode.h.fix 2005-10-04 18:29:48.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/coffcode.h 2005-10-04 18:33:56.000000000 -0400
@@ -5052,7 +5052,7 @@ coff_slurp_reloc_table (abfd, asect, sym
amt = (bfd_size_type) asect->reloc_count * sizeof (arelent);
reloc_cache = (arelent *) bfd_alloc (abfd, amt);
- if (reloc_cache == NULL)
+ if (reloc_cache == NULL || native_relocs == NULL)
return FALSE;
for (idx = 0; idx < asect->reloc_count; idx++)
--- gdb+dejagnu-20040607/bfd/peXXigen.c.fix 2005-10-04 18:29:59.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/peXXigen.c 2005-10-04 18:33:56.000000000 -0400
@@ -1169,7 +1169,7 @@ pe_print_idata (abfd, vfile)
bfd_vma toc_address;
bfd_vma start_address;
bfd_byte *data = 0;
- int offset;
+ bfd_vma offset;
amt = bfd_section_size (abfd, rel_section);
data = (bfd_byte *) bfd_malloc (amt);
@@ -1181,6 +1181,13 @@ pe_print_idata (abfd, vfile)
offset = abfd->start_address - rel_section->vma;
+ if (offset >= amt || offset + 8 > amt)
+ {
+ if (data != NULL)
+ free (data);
+ return FALSE;
+ }
+
start_address = bfd_get_32 (abfd, data + offset);
loadable_toc_address = bfd_get_32 (abfd, data + offset + 4);
toc_address = loadable_toc_address - 32768;
@@ -1253,6 +1260,9 @@ pe_print_idata (abfd, vfile)
if (hint_addr == 0 && first_thunk == 0)
break;
+ if (dll_name - adj >= amt)
+ break;
+
dll = (char *) data + dll_name - adj;
fprintf (file, _("\n\tDLL Name: %s\n"), dll);
--- gdb+dejagnu-20040607/bfd/coff-rs6000.c.fix 2005-10-04 18:30:14.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/coff-rs6000.c 2005-10-04 18:33:56.000000000 -0400
@@ -1294,10 +1294,12 @@ _bfd_xcoff_archive_p (abfd)
if (bfd_ardata (abfd) == (struct artdata *) NULL)
goto error_ret_restore;
- bfd_ardata (abfd)->cache = NULL;
- bfd_ardata (abfd)->archive_head = NULL;
- bfd_ardata (abfd)->symdefs = NULL;
- bfd_ardata (abfd)->extended_names = NULL;
+ /* Cleared by bfd_zalloc above.
+ bfd_ardata (abfd)->cache = NULL;
+ bfd_ardata (abfd)->archive_head = NULL;
+ bfd_ardata (abfd)->symdefs = NULL;
+ bfd_ardata (abfd)->extended_names = NULL;
+ bfd_ardata (abfd)->extended_names_size = 0; */
/* Now handle the two formats. */
if (magic[1] != 'b')
--- gdb+dejagnu-20040607/bfd/coff64-rs6000.c.fix 2005-10-04 18:30:23.000000000 -0400
+++ gdb+dejagnu-20040607/bfd/coff64-rs6000.c 2005-10-04 18:33:56.000000000 -0400
@@ -1984,10 +1984,12 @@ xcoff64_archive_p (abfd)
if (bfd_ardata (abfd) == (struct artdata *) NULL)
goto error_ret_restore;
- bfd_ardata (abfd)->cache = NULL;
- bfd_ardata (abfd)->archive_head = NULL;
- bfd_ardata (abfd)->symdefs = NULL;
- bfd_ardata (abfd)->extended_names = NULL;
+ /* Already cleared by bfd_zalloc above.
+ bfd_ardata (abfd)->cache = NULL;
+ bfd_ardata (abfd)->archive_head = NULL;
+ bfd_ardata (abfd)->symdefs = NULL;
+ bfd_ardata (abfd)->extended_names = NULL;
+ bfd_ardata (abfd)->extended_names_size = 0; */
bfd_ardata (abfd)->first_file_filepos = bfd_scan_vma (hdr.firstmemoff,
(const char **) NULL,
10);
--- gdb+dejagnu-20040607/include/elf/external.h.fix 2005-10-04 18:30:59.000000000 -0400
+++ gdb+dejagnu-20040607/include/elf/external.h 2005-10-04 18:33:56.000000000 -0400
@@ -272,5 +272,8 @@ typedef struct
unsigned char a_val[8];
} Elf64_External_Auxv;
+/* Size of SHT_GROUP section entry. */
+
+#define GRP_ENTRY_SIZE 4
#endif /* _ELF_EXTERNAL_H */
Index: gdb.spec
===================================================================
RCS file: /cvs/dist/rpms/gdb/FC-3/gdb.spec,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -r1.54 -r1.55
--- gdb.spec 27 Oct 2004 04:37:05 -0000 1.54
+++ gdb.spec 5 Oct 2005 04:31:07 -0000 1.55
@@ -6,7 +6,7 @@
Name: gdb
# Daily snapshot of gdb taken from FSF mainline cvs, after the 6.1 branchpoint.
Version: 6.1post
-Release: 1.%{cvsdate}.43
+Release: 1.%{cvsdate}.43.1
License: GPL
Group: Development/Debuggers
Source: ftp://sources.redhat.com/pub/gdb/snapshots/current/gdb+dejagnu-20040607.tar.bz2
@@ -102,6 +102,9 @@
# Fix panic when stepping an solib call
Patch80: gdb-6.1post-infcall-step-jul2004.patch
+# Security errata for untrusted gdbinit and bfd integer overflow.
+Patch81: gdb-6.1post-security-errata-oct2005.patch
+
%ifarch ia64
BuildRequires: ncurses-devel glibc-devel gcc make gzip texinfo dejagnu libunwind >= 0.96-3
%else
@@ -172,6 +175,7 @@
%patch76 -p1
%patch77 -p1
%patch80 -p1
+%patch81 -p1
# Change the version that gets printed at GDB startup, so it is RedHat
# specific.
@@ -348,6 +352,10 @@
# don't include the files in include, they are part of binutils
%changelog
+* Tue Oct 04 2005 Jeff Johnston <jjohnstn at redhat.com> 1.200400607.43.1
+- Security errata to handle untrusted .gdbinit and bfd integer overflow.
+- Bugzilla 158683 and bugzilla 158686
+
* Tue Oct 26 2004 Andrew Cagney <cagney at redhat.com> 1.200400607.43
- Hack around broken PT_FPSCR defined in headers.
- Import latest s390 fixes.
More information about the fedora-cvs-commits
mailing list