Fix stack buffer overflows when parsing corrupt ihex files.
PR binutils/18750 * ihex.c (ihex_scan): Fixes incorrect escape sequence in error message and stack overflow when char is signed and \200-\376 was in place of hex digit; also fixes \377 was handled as EOF instead of "incorrect character". (ihex_read_section): Changed for consistency. (ihex_bad_byte): Prevent (now impossible to trigger) stack overflow and incorrect escape sequence handling. * srec.c (srec_bad_byte): Likewise. * readelf.c (process_mips_specific): Fix incorrect escape sequence handling.
This commit is contained in:
Yuriy M. Kaminskiy
Nick Clifton
parent
4e13f8fb05
commit
7e27a9d5f2
|
|
@ -1,3 +1,15 @@
|
|||
2015-08-04 Yuriy M. Kaminskiy" <yumkam@gmail.com>
|
||||
Tyler Hicks <tyhicks@canonical.com>
|
||||
|
||||
PR binutils/18750
|
||||
* ihex.c (ihex_scan): Fixes incorrect escape sequence in error message
|
||||
and stack overflow when char is signed and \200-\376 was in place of hex
|
||||
digit; also fixes \377 was handled as EOF instead of "incorrect character".
|
||||
(ihex_read_section): Changed for consistency.
|
||||
(ihex_bad_byte): Prevent (now impossible to trigger) stack
|
||||
overflow and incorrect escape sequence handling.
|
||||
* srec.c (srec_bad_byte): Likewise.
|
||||
|
||||
2015-08-03 Hans-Peter Nilsson <hp@axis.com>
|
||||
|
||||
* elf32-cris.c (cris_elf_relocate_section)
|
||||
|
|
|
|||
|
|
@ -219,7 +219,7 @@ ihex_bad_byte (bfd *abfd, unsigned int lineno, int c, bfd_boolean error)
|
|||
char buf[10];
|
||||
|
||||
if (! ISPRINT (c))
|
||||
sprintf (buf, "\\%03o", (unsigned int) c);
|
||||
sprintf (buf, "\\%03o", (unsigned int) c & 0xff);
|
||||
else
|
||||
{
|
||||
buf[0] = c;
|
||||
|
|
@ -276,7 +276,7 @@ ihex_scan (bfd *abfd)
|
|||
else
|
||||
{
|
||||
file_ptr pos;
|
||||
char hdr[8];
|
||||
unsigned char hdr[8];
|
||||
unsigned int i;
|
||||
unsigned int len;
|
||||
bfd_vma addr;
|
||||
|
|
@ -553,7 +553,7 @@ ihex_read_section (bfd *abfd, asection *section, bfd_byte *contents)
|
|||
error = FALSE;
|
||||
while ((c = ihex_get_byte (abfd, &error)) != EOF)
|
||||
{
|
||||
char hdr[8];
|
||||
unsigned char hdr[8];
|
||||
unsigned int len;
|
||||
unsigned int type;
|
||||
unsigned int i;
|
||||
|
|
|
|||
|
|
@ -249,7 +249,7 @@ srec_bad_byte (bfd *abfd,
|
|||
char buf[40];
|
||||
|
||||
if (! ISPRINT (c))
|
||||
sprintf (buf, "\\%03o", (unsigned int) c);
|
||||
sprintf (buf, "\\%03o", (unsigned int) c & 0xff);
|
||||
else
|
||||
{
|
||||
buf[0] = c;
|
||||
|
|
|
|||
|
|
@ -1,3 +1,14 @@
|
|||
2015-08-04 Yuriy M. Kaminskiy" <yumkam@gmail.com>
|
||||
Tyler Hicks <tyhicks@canonical.com>
|
||||
|
||||
PR binutils/18750
|
||||
* readelf.c (process_mips_specific): Fix incorrect escape
|
||||
sequence handling.
|
||||
|
||||
2015-08-04 Nick Clifton <nickc@redhat.com>
|
||||
|
||||
* ar.c (extract_file): Free cbuf if the path is invalid.
|
||||
|
||||
2015-07-27 H.J. Lu <hongjiu.lu@intel.com>
|
||||
|
||||
* configure: Regenerated.
|
||||
|
|
|
|||
|
|
@ -14467,7 +14467,7 @@ process_mips_specific (FILE * file)
|
|||
len = sizeof (* eopt);
|
||||
while (len < option->size)
|
||||
{
|
||||
char datum = * ((char *) eopt + offset + len);
|
||||
unsigned char datum = * ((unsigned char *) eopt + offset + len);
|
||||
|
||||
if (ISPRINT (datum))
|
||||
printf ("%c", datum);
|
||||
|
|
|
|||
Loading…
Reference in New Issue