[pyro][PATCH 15/26] binutls: Security for fix CVE-2017-9746

[Armin Kuster <akuster808@gmail.com>]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9746.patch          | 91 ++++++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index d555d5f..235306b 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -57,6 +57,7 @@ SRC_URI = "\
      file://CVE-2017-9742.patch \
      file://CVE-2017-9744.patch \
      file://CVE-2017-9745.patch \
+     file://CVE-2017-9746.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch
new file mode 100644
index 0000000..bd4a40c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch
@@ -0,0 +1,91 @@
+From ae87f7e73eba29bd38b3a9684a10b948ed715612 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 16:50:03 +0100
+Subject: [PATCH] Fix address violation when disassembling a corrupt binary.
+
+	PR binutils/21580
+binutils * objdump.c (disassemble_bytes): Check for buffer overrun when
+	printing out rae insns.
+
+ld	* testsuite/ld-nds32/diff.d: Adjust expected output.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9746
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/objdump.c           | 27 +++++++++++++++------------
+ ld/ChangeLog                 |  5 +++++
+ ld/testsuite/ld-nds32/diff.d |  6 +++---
+ 3 files changed, 23 insertions(+), 15 deletions(-)
+
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -1855,20 +1855,23 @@ disassemble_bytes (struct disassemble_in
+ 
+ 	      for (j = addr_offset * opb; j < addr_offset * opb + pb; j += bpc)
+ 		{
+-		  int k;
+-
+-		  if (bpc > 1 && inf->display_endian == BFD_ENDIAN_LITTLE)
+-		    {
+-		      for (k = bpc - 1; k >= 0; k--)
+-			printf ("%02x", (unsigned) data[j + k]);
+-		      putchar (' ');
+-		    }
+-		  else
++		  /* PR 21580: Check for a buffer ending early.  */
++		  if (j + bpc <= stop_offset * opb)
+ 		    {
+-		      for (k = 0; k < bpc; k++)
+-			printf ("%02x", (unsigned) data[j + k]);
+-		      putchar (' ');
++		      int k;
++
++		      if (inf->display_endian == BFD_ENDIAN_LITTLE)
++			{
++			  for (k = bpc - 1; k >= 0; k--)
++			    printf ("%02x", (unsigned) data[j + k]);
++			}
++		      else
++			{
++			  for (k = 0; k < bpc; k++)
++			    printf ("%02x", (unsigned) data[j + k]);
++			}
+ 		    }
++		  putchar (' ');
+ 		}
+ 
+ 	      for (; pb < octets_per_line; pb += bpc)
+Index: git/ld/testsuite/ld-nds32/diff.d
+===================================================================
+--- git.orig/ld/testsuite/ld-nds32/diff.d
++++ git/ld/testsuite/ld-nds32/diff.d
+@@ -7,9 +7,9 @@
+ 
+ Disassembly of section .data:
+ 00008000 <WORD> (7e 00 00 00|00 00 00 7e).*
+-00008004 <HALF> (7e 00 7e fe|00 7e 7e fe).*
+-00008006 <BYTE> 7e fe 00 fe.*
+-00008007 <ULEB128> fe 00.*
++00008004 <HALF> (7e 00|00 7e).*
++00008006 <BYTE> 7e.*
++00008007 <ULEB128> fe.*
+ 	...
+ 00008009 <ULEB128_2> fe 00.*
+ .*
+Index: git/ld/ChangeLog
+===================================================================
+--- git.orig/ld/ChangeLog
++++ git/ld/ChangeLog
+@@ -1,3 +1,8 @@
++2017-06-14  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21580
++       * testsuite/ld-nds32/diff.d: Adjust expected output.
++
+ 2017-03-07  Alan Modra  <amodra@gmail.com>
+ 
+ 	* ldlang.c (open_input_bfds): Check that lang_assignment_statement
-- 
2.7.4