[ROCKO][PATCH 15/27] binutls: Security fix for CVE-2017-15939

[Armin Kuster <akuster808@gmail.com>]

From: Armin Kuster <akuster@mvista.com>

affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |   1 +
 .../binutils/binutils/CVE-2017-15939.patch         | 113 +++++++++++++++++++++
 2 files changed, 114 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 1983d85..917f667 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -50,6 +50,7 @@ SRC_URI = "\
      file://CVE-2017-15024.patch \
      file://CVE-2017-15025.patch \
      file://CVE-2017-15225.patch \
+     file://CVE-2017-15939.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch
new file mode 100644
index 0000000..bccad76
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch
@@ -0,0 +1,113 @@
+From a54018b72d75abf2e74bf36016702da06399c1d9 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 26 Sep 2017 09:38:26 +0930
+Subject: [PATCH] PR22205, .debug_line file table NULL filename
+
+The PR22200 fuzzer testcase found one way to put NULLs into .debug_line
+file tables.  PR22205 finds another.  This patch gives up on trying to
+prevent NULL files in the file table and instead just copes with them.
+Arguably, this is better than giving up and showing no info from
+.debug_line.  I've also fixed a case where the fairly recent DWARF5
+support in handling broken DWARG could result in uninitialized memory
+reads, and made a small tidy.
+
+	PR 22205
+	* dwarf2.c (concat_filename): Return "<unknown>" on NULL filename.
+	(read_formatted_entries): Init "fe".
+	(decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15939
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/dwarf2.c  | 35 +++++++++++++----------------------
+ 2 files changed, 20 insertions(+), 22 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -1597,6 +1597,8 @@ concat_filename (struct line_info_table
+     }
+ 
+   filename = table->files[file - 1].name;
++  if (filename == NULL)
++    return strdup ("<unknown>");
+ 
+   if (!IS_ABSOLUTE_PATH (filename))
+     {
+@@ -1956,6 +1958,7 @@ read_formatted_entries (struct comp_unit
+       bfd_byte *format = format_header_data;
+       struct fileinfo fe;
+ 
++      memset (&fe, 0, sizeof fe);
+       for (formati = 0; formati < format_count; formati++)
+ 	{
+ 	  bfd_vma content_type, form;
+@@ -2256,6 +2259,7 @@ decode_line_info (struct comp_unit *unit
+       unsigned int discriminator = 0;
+       int is_stmt = lh.default_is_stmt;
+       int end_sequence = 0;
++      unsigned int dir, xtime, size;
+       /* eraxxon@alumni.rice.edu: Against the DWARF2 specs, some
+ 	 compilers generate address sequences that are wildly out of
+ 	 order using DW_LNE_set_address (e.g. Intel C++ 6.0 compiler
+@@ -2330,31 +2334,18 @@ decode_line_info (struct comp_unit *unit
+ 		case DW_LNE_define_file:
+ 		  cur_file = read_string (abfd, line_ptr, line_end, &bytes_read);
+ 		  line_ptr += bytes_read;
+-		  if ((table->num_files % FILE_ALLOC_CHUNK) == 0)
+-		    {
+-		      struct fileinfo *tmp;
+-
+-		      amt = table->num_files + FILE_ALLOC_CHUNK;
+-		      amt *= sizeof (struct fileinfo);
+-		      tmp = (struct fileinfo *) bfd_realloc (table->files, amt);
+-		      if (tmp == NULL)
+-			goto line_fail;
+-		      table->files = tmp;
+-		    }
+-		  table->files[table->num_files].name = cur_file;
+-		  table->files[table->num_files].dir =
+-		    _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+-					   FALSE, line_end);
++		  dir = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
++					       FALSE, line_end);
+ 		  line_ptr += bytes_read;
+-		  table->files[table->num_files].time =
+-		    _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+-					   FALSE, line_end);
++		  xtime = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
++						 FALSE, line_end);
+ 		  line_ptr += bytes_read;
+-		  table->files[table->num_files].size =
+-		    _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+-					   FALSE, line_end);
++		  size = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
++						FALSE, line_end);
+ 		  line_ptr += bytes_read;
+-		  table->num_files++;
++		  if (!line_info_add_file_name (table, cur_file, dir,
++						xtime, size))
++		    goto line_fail;
+ 		  break;
+ 		case DW_LNE_set_discriminator:
+ 		  discriminator =
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-09-26  Alan Modra  <amodra@gmail.com>
++ 
++       PR 22205
++       * dwarf2.c (concat_filename): Return "<unknown>" on NULL filename.
++       (read_formatted_entries): Init "fe".
++       (decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name.
++
+ 2017-10-09  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22212
-- 
2.7.4