[Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in


From: cvs-commit at gcc dot gnu.org
Subject: [Bug binutils/17512] segfault in PE parser / _bfd_pei_swap_aouthdr_in
Date: Fri, 21 Nov 2014 21:45:37 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=17512

--- Comment #110 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  0a9d414aa114b7b7e609cbcbc285f79031bbe608 (commit)
      from  5974eba65b82912621ac68f2c0ff844efbd02b25 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0a9d414aa114b7b7e609cbcbc285f79031bbe608

commit 0a9d414aa114b7b7e609cbcbc285f79031bbe608
Author: Nick Clifton <address@hidden>
Date:   Fri Nov 21 21:44:04 2014 +0000

    Fixes for memory access violations exposed by fuzzing various binaries.

        PR binutils/17512
        * dwarf.c (get_encoded_value): Check for an encoded size of 0.
        (display_debug_lines_raw): Check for an invalid line range value.
        (display_debug_frames): Check for corrupt augmentation data.

        * coffgen.c (coff_get_normalized_symtab): Check for an excessive
        number of auxiliary entries.
        * ieee.c (next_byte): Convert to a function.  Return FALSE if the
        next byte is beyond the end of the buffer.
        (parse_int): Test the return value of next_byte.
        (parse_expression): Convert to boolean.  Return FALSE if the
        parsing failed.  Test the return value of next_byte.
        (ieee_seek): Convert to a function.  Return FALSE if the seek goes
        beyond the end of the buffer.
        (ieee_slurp_external_symbols): Test the return value of ieee_seek
        and next_byte.
        (ieee_slurp_sections): Convert to boolean.  Return FALSE if the
        operation failed.  Test the return value of ieee_seek and
        next_byte.
        (ieee_archive_p): Test the return value of ieee_seek and
        next_byte.
        (do_one): Likewise.
        (ieee_slurp_section_data): Likewise.
        (ieee_object_p): Likewise.  Store the size of the buffer in the
        total_amt field in the header.
        * libieee.h (common_header_type): Add amt field.
        * mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the
        reloc's value is within range.
        (bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the
        operation fails.
        * pei-x86_64.c (pex64_xdata_print_uwd_codes): Replace abort with
        an error message.
        (pex64_dump_xdata): Check for buffer overflows.
        * versados.c (process_otr): Check that the section exists before
        taking its size.
        (versados_object_p): Make sure that enough data was read for the
        header to be checked.
        * vms-alpha.c (vms_get_remaining_object_record): Change
        read_so_far parameter to an unsigned int.  Check that the amount
        read is in range.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |   39 ++++++++
 bfd/coffgen.c      |   17 +++-
 bfd/ieee.c         |  261 +++++++++++++++++++++++++++++++++++-----------------
 bfd/libieee.h      |    1 +
 bfd/mach-o.c       |   22 +++--
 bfd/pei-x86_64.c   |   37 ++++++--
 bfd/versados.c     |   21 ++++-
 bfd/vms-alpha.c    |   15 ++-
 binutils/ChangeLog |    7 ++
 binutils/dwarf.c   |   24 +++++
 10 files changed, 333 insertions(+), 111 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
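
An added example, not part of the commit or of binutils, of the pattern the ieee.c ChangeLog entries describe: byte fetches and seeks that report failure at the end of the buffer, with every caller testing the result. `struct reader`, `reader_seek`, `decode_at`, the integer encoding and `SAMPLE` are constructed for illustration; `next_byte` and `parse_int` only borrow the ChangeLog's names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative cursor over untrusted file data (hypothetical names). */
struct reader { const uint8_t *buf; size_t size, pos; };

/* Fetch one byte; fail rather than read past the end of the buffer. */
static bool next_byte(struct reader *r, uint8_t *out)
{
    if (r->pos >= r->size) return false;
    *out = r->buf[r->pos++];
    return true;
}

/* Reposition to an offset taken from the file; reject out-of-range offsets. */
static bool reader_seek(struct reader *r, size_t offset)
{
    if (offset >= r->size) return false;
    r->pos = offset;
    return true;
}

/* Constructed encoding: 0x00-0x7f is the value itself; 0x80|n (n = 1..4)
   means n big-endian bytes follow. Every fetch is checked. */
static bool parse_int(struct reader *r, uint32_t *value)
{
    uint8_t b;
    if (!next_byte(r, &b)) return false;
    if (b < 0x80) { *value = b; return true; }
    unsigned count = b & 0x7f;
    if (count < 1 || count > 4) return false;
    for (*value = 0; count > 0; count--) {
        if (!next_byte(r, &b)) return false;   /* truncated integer */
        *value = (*value << 8) | b;
    }
    return true;
}

/* Decode the integer at `offset`; -1 signals corrupt or truncated input. */
long long decode_at(const uint8_t *buf, size_t size, size_t offset)
{
    struct reader r = { buf, size, 0 };
    uint32_t v;
    return (reader_seek(&r, offset) && parse_int(&r, &v)) ? (long long)v : -1;
}

/* Constructed sample: offset 1 holds a complete integer, offset 4 a truncated one. */
const uint8_t SAMPLE[] = { 0x05, 0x82, 0x01, 0x02, 0x83, 0xaa };
```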