[pyro][PATCH 01/26] binutils: Security fix CVE-2017-7223

[pyro][PATCH 01/26] binutils: Security fix CVE-2017-7223

[Armin Kuster]

Affects <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-7223.patch          | 52 ++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-7223.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 40b518b..f09bcdc 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -43,6 +43,7 @@ SRC_URI = "\
      file://CVE-2017-6969_2.patch \
      file://CVE-2017-7209.patch \
      file://CVE-2017-7210.patch \
+     file://CVE-2017-7223.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7223.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7223.patch
new file mode 100644
index 0000000..c78c8bf
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7223.patch
@@ -0,0 +1,52 @@
+From 69ace2200106348a1b00d509a6a234337c104c17 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 1 Dec 2016 15:20:19 +0000
+Subject: [PATCH] Fix seg fault attempting to unget an EOF character.
+
+	PR gas/20898
+	* app.c (do_scrub_chars): Do not attempt to unget EOF.
+
+Affects: <= 2.28
+Upstream-Status: Backport
+CVE: CVE-2017-7223
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ gas/ChangeLog | 3 +++
+ gas/app.c     | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: git/gas/ChangeLog
+===================================================================
+--- git.orig/gas/ChangeLog
++++ git/gas/ChangeLog
+@@ -1,3 +1,8 @@
++2016-12-01  Nick Clifton  <nickc@redhat.com>
++ 
++       PR gas/20898
++       * app.c (do_scrub_chars): Do not attempt to unget EOF.
++
+ 2017-03-02  Tristan Gingold  <gingold@adacore.com>
+ 
+ 	* configure: Regenerate.
+@@ -198,7 +203,6 @@
+ 	* config/tc-pru.c (md_number_to_chars): Fix parameter to be
+ 	valueT, as declared in tc.h.
+ 	(md_apply_fix): Fix to work on 32-bit hosts.
+->>>>>>> 0115611... RISC-V/GAS: Correct branch relaxation for weak symbols.
+ 
+ 2017-01-02  Alan Modra  <amodra@gmail.com>
+ 
+Index: git/gas/app.c
+===================================================================
+--- git.orig/gas/app.c
++++ git/gas/app.c
+@@ -1350,7 +1350,7 @@ do_scrub_chars (size_t (*get) (char *, s
+ 		  PUT (ch);
+ 		  break;
+ 		}
+-	      else
++	      else if (ch2 != EOF)
+ 		{
+ 		  state = 9;
+ 		  if (ch == EOF || !IS_SYMBOL_COMPONENT (ch))
-- 
2.7.4

[pyro][PATCH 02/26] binutils: Security Fix CVE-2017-7614

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |   1 +
 .../binutils/binutils/CVE-2017-7614.patch          | 103 +++++++++++++++++++++
 2 files changed, 104 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-7614.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index f09bcdc..6ae091c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -44,6 +44,7 @@ SRC_URI = "\
      file://CVE-2017-7209.patch \
      file://CVE-2017-7210.patch \
      file://CVE-2017-7223.patch \
+     file://CVE-2017-7614.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7614.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7614.patch
new file mode 100644
index 0000000..be8631a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7614.patch
@@ -0,0 +1,103 @@
+From ad32986fdf9da1c8748e47b8b45100398223dba8 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 4 Apr 2017 11:23:36 +0100
+Subject: [PATCH] Fix null pointer dereferences when using a link built with
+ clang.
+
+	PR binutils/21342
+	* elflink.c (_bfd_elf_define_linkage_sym): Prevent null pointer
+	dereference.
+	(bfd_elf_final_link): Only initialize the extended symbol index
+	section if there are extended symbol tables to list.
+
+Upstream-Status: Backport
+CVE: CVE-2017-7614
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  8 ++++++++
+ bfd/elflink.c | 35 +++++++++++++++++++++--------------
+ 2 files changed, 29 insertions(+), 14 deletions(-)
+
+Index: git/bfd/elflink.c
+===================================================================
+--- git.orig/bfd/elflink.c
++++ git/bfd/elflink.c
+@@ -119,15 +119,18 @@ _bfd_elf_define_linkage_sym (bfd *abfd,
+ 	 defined in shared libraries can't be overridden, because we
+ 	 lose the link to the bfd which is via the symbol section.  */
+       h->root.type = bfd_link_hash_new;
++      bh = &h->root;
+     }
++  else
++    bh = NULL;
+ 
+-  bh = &h->root;
+   bed = get_elf_backend_data (abfd);
+   if (!_bfd_generic_link_add_one_symbol (info, abfd, name, BSF_GLOBAL,
+ 					 sec, 0, NULL, FALSE, bed->collect,
+ 					 &bh))
+     return NULL;
+   h = (struct elf_link_hash_entry *) bh;
++  BFD_ASSERT (h != NULL);
+   h->def_regular = 1;
+   h->non_elf = 0;
+   h->root.linker_def = 1;
+@@ -11973,24 +11976,28 @@ bfd_elf_final_link (bfd *abfd, struct bf
+     {
+       /* Finish up and write out the symbol string table (.strtab)
+ 	 section.  */
+-      Elf_Internal_Shdr *symstrtab_hdr;
++      Elf_Internal_Shdr *symstrtab_hdr = NULL;
+       file_ptr off = symtab_hdr->sh_offset + symtab_hdr->sh_size;
+ 
+-      symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr;
+-      if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0)
++      if (elf_symtab_shndx_list (abfd))
+ 	{
+-	  symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX;
+-	  symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx);
+-	  symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx);
+-	  amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx);
+-	  symtab_shndx_hdr->sh_size = amt;
++	  symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr;
+ 
+-	  off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr,
+-							   off, TRUE);
++	  if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0)
++	    {
++	      symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX;
++	      symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx);
++	      symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx);
++	      amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx);
++	      symtab_shndx_hdr->sh_size = amt;
+ 
+-	  if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0
+-	      || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt))
+-	    return FALSE;
++	      off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr,
++							       off, TRUE);
++
++	      if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0
++		  || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt))
++		return FALSE;
++	    }
+ 	}
+ 
+       symstrtab_hdr = &elf_tdata (abfd)->strtab_hdr;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,11 @@
++2017-04-04  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21342
++       * elflink.c (_bfd_elf_define_linkage_sym): Prevent null pointer
++       dereference.
++       (bfd_elf_final_link): Only initialize the extended symbol index
++       section if there are extended symbol tables to list.
++
+ 2017-03-07  Alan Modra  <amodra@gmail.com>
+ 
+ 	PR 21224
-- 
2.7.4

[pyro][PATCH 03/26] binutils: Security fix CVE-2017-8393

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |   1 +
 .../binutils/binutils/CVE-2017-8393.patch          | 205 +++++++++++++++++++++
 2 files changed, 206 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 6ae091c..53299fa 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -45,6 +45,7 @@ SRC_URI = "\
      file://CVE-2017-7210.patch \
      file://CVE-2017-7223.patch \
      file://CVE-2017-7614.patch \
+     file://CVE-2017-8393.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch
new file mode 100644
index 0000000..095cfc7
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch
@@ -0,0 +1,205 @@
+From bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 23 Apr 2017 11:03:34 +0930
+Subject: [PATCH] PR 21412, get_reloc_section assumes .rel/.rela name for
+ SHT_REL/RELA.
+
+This patch fixes an assumption made by code that runs for objcopy and
+strip, that SHT_REL/SHR_RELA sections are always named starting with a
+.rel/.rela prefix.  I'm also modifying the interface for
+elf_backend_get_reloc_section, so any backend function just needs to
+handle name mapping.
+
+	PR 21412
+	* elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
+	parameters and comment.
+	(_bfd_elf_get_reloc_section): Delete.
+	(_bfd_elf_plt_get_reloc_section): Declare.
+	* elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
+	New functions.  Don't blindly skip over assumed .rel/.rela prefix.
+	Extracted from..
+	(_bfd_elf_get_reloc_section): ..here.  Delete.
+	(assign_section_numbers): Call elf_get_reloc_section.
+	* elf64-ppc.c (elf_backend_get_reloc_section): Define.
+	* elfxx-target.h (elf_backend_get_reloc_section): Update.
+
+Upstream-Status: Backort
+CVE: CVE-2017-8393
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog      | 15 ++++++++++++++
+ bfd/elf-bfd.h      |  8 ++++---
+ bfd/elf.c          | 61 +++++++++++++++++++++++++++++++-----------------------
+ bfd/elf64-ppc.c    |  1 +
+ bfd/elfxx-target.h |  2 +-
+ 5 files changed, 57 insertions(+), 30 deletions(-)
+
+Index: git/bfd/elf-bfd.h
+===================================================================
+--- git.orig/bfd/elf-bfd.h
++++ git/bfd/elf-bfd.h
+@@ -1322,8 +1322,10 @@ struct elf_backend_data
+   bfd_size_type (*maybe_function_sym) (const asymbol *sym, asection *sec,
+ 				       bfd_vma *code_off);
+ 
+-  /* Return the section which RELOC_SEC applies to.  */
+-  asection *(*get_reloc_section) (asection *reloc_sec);
++  /* Given NAME, the name of a relocation section stripped of its
++     .rel/.rela prefix, return the section in ABFD to which the
++     relocations apply.  */
++  asection *(*get_reloc_section) (bfd *abfd, const char *name);
+ 
+   /* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which
+      has a type >= SHT_LOOS.  Returns TRUE if the fields were initialised,
+@@ -2392,7 +2394,7 @@ extern bfd_boolean _bfd_elf_is_function_
+ extern bfd_size_type _bfd_elf_maybe_function_sym (const asymbol *, asection *,
+ 						  bfd_vma *);
+ 
+-extern asection *_bfd_elf_get_reloc_section (asection *);
++extern asection *_bfd_elf_plt_get_reloc_section (bfd *, const char *);
+ 
+ extern int bfd_elf_get_default_section_type (flagword);
+ 
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -3532,17 +3532,39 @@ bfd_elf_set_group_contents (bfd *abfd, a
+   H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
+ }
+ 
+-/* Return the section which RELOC_SEC applies to.  */
++/* Given NAME, the name of a relocation section stripped of its
++   .rel/.rela prefix, return the section in ABFD to which the
++   relocations apply.  */
+ 
+ asection *
+-_bfd_elf_get_reloc_section (asection *reloc_sec)
++_bfd_elf_plt_get_reloc_section (bfd *abfd, const char *name)
++{
++  /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
++     section likely apply to .got.plt or .got section.  */
++  if (get_elf_backend_data (abfd)->want_got_plt
++      && strcmp (name, ".plt") == 0)
++    {
++      asection *sec;
++
++      name = ".got.plt";
++      sec = bfd_get_section_by_name (abfd, name);
++      if (sec != NULL)
++	return sec;
++      name = ".got";
++    }
++
++  return bfd_get_section_by_name (abfd, name);
++}
++
++/* Return the section to which RELOC_SEC applies.  */
++
++static asection *
++elf_get_reloc_section (asection *reloc_sec)
+ {
+   const char *name;
+   unsigned int type;
+   bfd *abfd;
+-
+-  if (reloc_sec == NULL)
+-    return NULL;
++  const struct elf_backend_data *bed;
+ 
+   type = elf_section_data (reloc_sec)->this_hdr.sh_type;
+   if (type != SHT_REL && type != SHT_RELA)
+@@ -3550,28 +3572,15 @@ _bfd_elf_get_reloc_section (asection *re
+ 
+   /* We look up the section the relocs apply to by name.  */
+   name = reloc_sec->name;
+-  if (type == SHT_REL)
+-    name += 4;
+-  else
+-    name += 5;
++  if (strncmp (name, ".rel", 4) != 0)
++    return NULL;
++  name += 4;
++  if (type == SHT_RELA && *name++ != 'a')
++    return NULL;
+ 
+-  /* If a target needs .got.plt section, relocations in rela.plt/rel.plt
+-     section apply to .got.plt section.  */
+   abfd = reloc_sec->owner;
+-  if (get_elf_backend_data (abfd)->want_got_plt
+-      && strcmp (name, ".plt") == 0)
+-    {
+-      /* .got.plt is a linker created input section.  It may be mapped
+-	 to some other output section.  Try two likely sections.  */
+-      name = ".got.plt";
+-      reloc_sec = bfd_get_section_by_name (abfd, name);
+-      if (reloc_sec != NULL)
+-	return reloc_sec;
+-      name = ".got";
+-    }
+-
+-  reloc_sec = bfd_get_section_by_name (abfd, name);
+-  return reloc_sec;
++  bed = get_elf_backend_data (abfd);
++  return bed->get_reloc_section (abfd, name);
+ }
+ 
+ /* Assign all ELF section numbers.  The dummy first section is handled here
+@@ -3833,7 +3842,7 @@ assign_section_numbers (bfd *abfd, struc
+ 	  if (s != NULL)
+ 	    d->this_hdr.sh_link = elf_section_data (s)->this_idx;
+ 
+-	  s = get_elf_backend_data (abfd)->get_reloc_section (sec);
++	  s = elf_get_reloc_section (sec);
+ 	  if (s != NULL)
+ 	    {
+ 	      d->this_hdr.sh_info = elf_section_data (s)->this_idx;
+Index: git/bfd/elf64-ppc.c
+===================================================================
+--- git.orig/bfd/elf64-ppc.c
++++ git/bfd/elf64-ppc.c
+@@ -121,6 +121,7 @@ static bfd_vma opd_entry_value
+ #define elf_backend_special_sections	      ppc64_elf_special_sections
+ #define elf_backend_merge_symbol_attribute    ppc64_elf_merge_symbol_attribute
+ #define elf_backend_merge_symbol	      ppc64_elf_merge_symbol
++#define elf_backend_get_reloc_section	      bfd_get_section_by_name
+ 
+ /* The name of the dynamic interpreter.  This is put in the .interp
+    section.  */
+Index: git/bfd/elfxx-target.h
+===================================================================
+--- git.orig/bfd/elfxx-target.h
++++ git/bfd/elfxx-target.h
+@@ -706,7 +706,7 @@
+ #endif
+ 
+ #ifndef elf_backend_get_reloc_section
+-#define elf_backend_get_reloc_section _bfd_elf_get_reloc_section
++#define elf_backend_get_reloc_section _bfd_elf_plt_get_reloc_section
+ #endif
+ 
+ #ifndef elf_backend_copy_special_section_fields
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,18 @@
++2017-04-23  Alan Modra  <amodra@gmail.com>
++ 
++       PR 21412
++       * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
++       parameters and comment.
++       (_bfd_elf_get_reloc_section): Delete.
++       (_bfd_elf_plt_get_reloc_section): Declare.
++       * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section):
++       New functions.  Don't blindly skip over assumed .rel/.rela prefix.
++       Extracted from..
++       (_bfd_elf_get_reloc_section): ..here.  Delete.
++       (assign_section_numbers): Call elf_get_reloc_section.
++       * elf64-ppc.c (elf_backend_get_reloc_section): Define.
++       * elfxx-target.h (elf_backend_get_reloc_section): Update.
++
+ 2017-04-04  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21342
-- 
2.7.4

[pyro][PATCH 04/26] binutls: Secuirty fix CVE-2017-8394

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |   1 +
 .../binutils/binutils/CVE-2017-8394.patch          | 118 +++++++++++++++++++++
 2 files changed, 119 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-8394.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 53299fa..8334a4c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -46,6 +46,7 @@ SRC_URI = "\
      file://CVE-2017-7223.patch \
      file://CVE-2017-7614.patch \
      file://CVE-2017-8393.patch \
+     file://CVE-2017-8394.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8394.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8394.patch
new file mode 100644
index 0000000..e6c6b17
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8394.patch
@@ -0,0 +1,118 @@
+From 7eacd66b086cabb1daab20890d5481894d4f56b2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 23 Apr 2017 15:21:11 +0930
+Subject: [PATCH] PR 21414, null pointer deref of _bfd_elf_large_com_section
+ sym
+
+	PR 21414
+	* section.c (GLOBAL_SYM_INIT): Make available in bfd.h.
+	* elf.c (lcomm_sym): New.
+	(_bfd_elf_large_com_section): Use lcomm_sym section symbol.
+	* bfd-in2.h: Regenerate.
+
+Upstream-Status: Backport
+CVE: CVE-2017-8394
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  8 ++++++++
+ bfd/bfd-in2.h | 12 ++++++++++++
+ bfd/elf.c     |  6 ++++--
+ bfd/section.c | 24 ++++++++++++------------
+ 4 files changed, 36 insertions(+), 14 deletions(-)
+
+Index: git/bfd/bfd-in2.h
+===================================================================
+--- git.orig/bfd/bfd-in2.h
++++ git/bfd/bfd-in2.h
+@@ -1838,6 +1838,18 @@ extern asection _bfd_std_section[4];
+      { NULL }, { NULL }                                                \
+     }
+ 
++/* We use a macro to initialize the static asymbol structures because
++   traditional C does not permit us to initialize a union member while
++   gcc warns if we don't initialize it.
++   the_bfd, name, value, attr, section [, udata]  */
++#ifdef __STDC__
++#define GLOBAL_SYM_INIT(NAME, SECTION) \
++  { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }}
++#else
++#define GLOBAL_SYM_INIT(NAME, SECTION) \
++  { 0, NAME, 0, BSF_SECTION_SYM, SECTION }
++#endif
++
+ void bfd_section_list_clear (bfd *);
+ 
+ asection *bfd_get_section_by_name (bfd *abfd, const char *name);
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -11164,9 +11164,11 @@ _bfd_elf_get_synthetic_symtab (bfd *abfd
+ 
+ /* It is only used by x86-64 so far.
+    ??? This repeats *COM* id of zero.  sec->id is supposed to be unique,
+-   but current usage would allow all of _bfd_std_section to be zero.  t*/
++   but current usage would allow all of _bfd_std_section to be zero.  */
++static const asymbol lcomm_sym
++  = GLOBAL_SYM_INIT ("LARGE_COMMON", &_bfd_elf_large_com_section);
+ asection _bfd_elf_large_com_section
+-  = BFD_FAKE_SECTION (_bfd_elf_large_com_section, NULL,
++  = BFD_FAKE_SECTION (_bfd_elf_large_com_section, &lcomm_sym,
+ 		      "LARGE_COMMON", 0, SEC_IS_COMMON);
+ 
+ void
+Index: git/bfd/section.c
+===================================================================
+--- git.orig/bfd/section.c
++++ git/bfd/section.c
+@@ -738,20 +738,20 @@ CODE_FRAGMENT
+ .     { NULL }, { NULL }						\
+ .    }
+ .
++.{* We use a macro to initialize the static asymbol structures because
++.   traditional C does not permit us to initialize a union member while
++.   gcc warns if we don't initialize it.
++.   the_bfd, name, value, attr, section [, udata]  *}
++.#ifdef __STDC__
++.#define GLOBAL_SYM_INIT(NAME, SECTION) \
++.  { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }}
++.#else
++.#define GLOBAL_SYM_INIT(NAME, SECTION) \
++.  { 0, NAME, 0, BSF_SECTION_SYM, SECTION }
++.#endif
++.
+ */
+ 
+-/* We use a macro to initialize the static asymbol structures because
+-   traditional C does not permit us to initialize a union member while
+-   gcc warns if we don't initialize it.  */
+- /* the_bfd, name, value, attr, section [, udata] */
+-#ifdef __STDC__
+-#define GLOBAL_SYM_INIT(NAME, SECTION) \
+-  { 0, NAME, 0, BSF_SECTION_SYM, SECTION, { 0 }}
+-#else
+-#define GLOBAL_SYM_INIT(NAME, SECTION) \
+-  { 0, NAME, 0, BSF_SECTION_SYM, SECTION }
+-#endif
+-
+ /* These symbols are global, not specific to any BFD.  Therefore, anything
+    that tries to change them is broken, and should be repaired.  */
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,12 @@
++
+ 2017-04-23  Alan Modra  <amodra@gmail.com>
++       PR 21414
++       * section.c (GLOBAL_SYM_INIT): Make available in bfd.h.
++       * elf.c (lcomm_sym): New.
++       (_bfd_elf_large_com_section): Use lcomm_sym section symbol.
++       * bfd-in2.h: Regenerate.
++
+++2017-04-23  Alan Modra  <amodra@gmail.com>
+  
+        PR 21412
+        * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change
-- 
2.7.4

[pyro][PATCH 05/26] binutls: Security fix CVE-2017-8395

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-8395.patch          | 72 ++++++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-8395.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 8334a4c..8c91f4c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -47,6 +47,7 @@ SRC_URI = "\
      file://CVE-2017-7614.patch \
      file://CVE-2017-8393.patch \
      file://CVE-2017-8394.patch \
+     file://CVE-2017-8395.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8395.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8395.patch
new file mode 100644
index 0000000..0a9bce3
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8395.patch
@@ -0,0 +1,72 @@
+From e63d123268f23a4cbc45ee55fb6dbc7d84729da3 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 26 Apr 2017 13:07:49 +0100
+Subject: [PATCH] Fix seg-fault attempting to compress a debug section in a
+ corrupt binary.
+
+	PR binutils/21431
+	* compress.c (bfd_init_section_compress_status): Check the return
+	value from bfd_malloc.
+
+Upstream-Status: Backport
+CVE: CVE-2017-8395
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog  |  6 ++++++
+ bfd/compress.c | 19 +++++++++----------
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c
++++ git/bfd/compress.c
+@@ -542,7 +542,6 @@ bfd_init_section_compress_status (bfd *a
+ {
+   bfd_size_type uncompressed_size;
+   bfd_byte *uncompressed_buffer;
+-  bfd_boolean ret;
+ 
+   /* Error if not opened for read.  */
+   if (abfd->direction != read_direction
+@@ -558,18 +557,18 @@ bfd_init_section_compress_status (bfd *a
+   /* Read in the full section contents and compress it.  */
+   uncompressed_size = sec->size;
+   uncompressed_buffer = (bfd_byte *) bfd_malloc (uncompressed_size);
++  /* PR 21431 */
++  if (uncompressed_buffer == NULL)
++    return FALSE;
++
+   if (!bfd_get_section_contents (abfd, sec, uncompressed_buffer,
+ 				 0, uncompressed_size))
+-    ret = FALSE;
+-  else
+-    {
+-      uncompressed_size = bfd_compress_section_contents (abfd, sec,
+-							 uncompressed_buffer,
+-							 uncompressed_size);
+-      ret = uncompressed_size != 0;
+-    }
++    return FALSE;
+ 
+-  return ret;
++  uncompressed_size = bfd_compress_section_contents (abfd, sec,
++						     uncompressed_buffer,
++						     uncompressed_size);
++  return uncompressed_size != 0;
+ }
+ 
+ /*
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2017-04-26  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21431
++       * compress.c (bfd_init_section_compress_status): Check the return
++       value from bfd_malloc.
+ 
+ 2017-04-23  Alan Modra  <amodra@gmail.com>
+        PR 21414
-- 
2.7.4

[pyro][PATCH 06/26] binutils: Secuirty fix CVE-2017-8396 and CVE-2017-8397

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |   1 +
 .../binutils/binutils/CVE-2017-8396_8397.patch     | 102 +++++++++++++++++++++
 2 files changed, 103 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-8396_8397.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 8c91f4c..ca78a30 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -48,6 +48,7 @@ SRC_URI = "\
      file://CVE-2017-8393.patch \
      file://CVE-2017-8394.patch \
      file://CVE-2017-8395.patch \
+     file://CVE-2017-8396_8397.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8396_8397.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8396_8397.patch
new file mode 100644
index 0000000..14f4282
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8396_8397.patch
@@ -0,0 +1,102 @@
+From a941291cab71b9ac356e1c03968c177c03e602ab Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 29 Apr 2017 14:48:16 +0930
+Subject: [PATCH] PR21432, buffer overflow in perform_relocation
+
+The existing reloc offset range tests didn't catch small negative
+offsets less than the size of the reloc field.
+
+	PR 21432
+	* reloc.c (reloc_offset_in_range): New function.
+	(bfd_perform_relocation, bfd_install_relocation): Use it.
+	(_bfd_final_link_relocate): Likewise.
+
+Upstream-Status: Backport
+CVE: CVE-2017-8396
+CVE: CVE-2017-8397
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/reloc.c   | 32 ++++++++++++++++++++------------
+ 2 files changed, 27 insertions(+), 12 deletions(-)
+
+Index: git/bfd/reloc.c
+===================================================================
+--- git.orig/bfd/reloc.c
++++ git/bfd/reloc.c
+@@ -538,6 +538,22 @@ bfd_check_overflow (enum complain_overfl
+   return flag;
+ }
+ 
++/* HOWTO describes a relocation, at offset OCTET.  Return whether the
++   relocation field is within SECTION of ABFD.  */
++
++static bfd_boolean
++reloc_offset_in_range (reloc_howto_type *howto, bfd *abfd,
++		       asection *section, bfd_size_type octet)
++{
++  bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section);
++  bfd_size_type reloc_size = bfd_get_reloc_size (howto);
++
++  /* The reloc field must be contained entirely within the section.
++     Allow zero length fields (marker relocs or NONE relocs where no
++     relocation will be performed) at the end of the section.  */
++  return octet <= octet_end && octet + reloc_size <= octet_end;
++}
++
+ /*
+ FUNCTION
+ 	bfd_perform_relocation
+@@ -618,13 +634,10 @@ bfd_perform_relocation (bfd *abfd,
+   /* PR 17512: file: 0f67f69d.  */
+   if (howto == NULL)
+     return bfd_reloc_undefined;
+-
+-  /* Is the address of the relocation really within the section?
+-     Include the size of the reloc in the test for out of range addresses.
+-     PR 17512: file: c146ab8b, 46dff27f, 38e53ebf.  */
++  
++  /* Is the address of the relocation really within the section?  */
+   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
+-  if (octets + bfd_get_reloc_size (howto)
+-      > bfd_get_section_limit_octets (abfd, input_section))
++  if (!reloc_offset_in_range (howto, abfd, input_section, octets))
+     return bfd_reloc_outofrange;
+ 
+   /* Work out which section the relocation is targeted at and the
+@@ -1012,8 +1025,7 @@ bfd_install_relocation (bfd *abfd,
+ 
+   /* Is the address of the relocation really within the section?  */
+   octets = reloc_entry->address * bfd_octets_per_byte (abfd);
+-  if (octets + bfd_get_reloc_size (howto)
+-      > bfd_get_section_limit_octets (abfd, input_section))
++  if (!reloc_offset_in_range (howto, abfd, input_section, octets))
+     return bfd_reloc_outofrange;
+ 
+   /* Work out which section the relocation is targeted at and the
+@@ -1351,8 +1363,7 @@ _bfd_final_link_relocate (reloc_howto_ty
+   bfd_size_type octets = address * bfd_octets_per_byte (input_bfd);
+ 
+   /* Sanity check the address.  */
+-  if (octets + bfd_get_reloc_size (howto)
+-      > bfd_get_section_limit_octets (input_bfd, input_section))
++  if (!reloc_offset_in_range (howto, input_bfd, input_section, octets))
+     return bfd_reloc_outofrange;
+ 
+   /* This function assumes that we are dealing with a basic relocation
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-04-29  Alan Modra  <amodra@gmail.com>
++
++       PR 21432
++       * reloc.c (reloc_offset_in_range): New function.
++       (bfd_perform_relocation, bfd_install_relocation): Use it.
++       (_bfd_final_link_relocate): Likewise.
++
+ 2017-04-26  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21431
-- 
2.7.4

[pyro][PATCH 07/26] binutils: Security fix for CVE-2017-8398

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |   1 +
 .../binutils/binutils/CVE-2017-8398.patch          | 147 +++++++++++++++++++++
 2 files changed, 148 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index ca78a30..d58d7b8 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -49,6 +49,7 @@ SRC_URI = "\
      file://CVE-2017-8394.patch \
      file://CVE-2017-8395.patch \
      file://CVE-2017-8396_8397.patch \
+     file://CVE-2017-8398.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch
new file mode 100644
index 0000000..5b9acc8
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch
@@ -0,0 +1,147 @@
+From d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 28 Apr 2017 10:28:04 +0100
+Subject: [PATCH] Fix heap-buffer overflow bugs caused when dumping debug
+ information from a corrupt binary.
+
+	PR binutils/21438
+	* dwarf.c (process_extended_line_op): Do not assume that the
+	string extracted from the section is NUL terminated.
+	(fetch_indirect_string): If the string retrieved from the section
+	is not NUL terminated, return an error message.
+	(fetch_indirect_line_string): Likewise.
+	(fetch_indexed_string): Likewise.
+
+Upstream-Status: Backport
+CVE: CVE-2017-8398
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 10 +++++++++
+ binutils/dwarf.c   | 66 +++++++++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 60 insertions(+), 16 deletions(-)
+
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
++++ git/binutils/dwarf.c
+@@ -472,15 +472,20 @@ process_extended_line_op (unsigned char
+       printf (_("  Entry\tDir\tTime\tSize\tName\n"));
+       printf ("   %d\t", ++state_machine_regs.last_file_entry);
+ 
+-      name = data;
+-      data += strnlen ((char *) data, end - data) + 1;
+-      printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
+-      data += bytes_read;
+-      printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
+-      data += bytes_read;
+-      printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
+-      data += bytes_read;
+-      printf ("%s\n\n", name);
++      {
++	size_t l;
++
++	name = data;
++	l = strnlen ((char *) data, end - data);
++	data += len + 1;
++	printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
++	data += bytes_read;
++	printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
++	data += bytes_read;
++	printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
++	data += bytes_read;
++	printf ("%.*s\n\n", (int) l, name);
++      }
+ 
+       if (((unsigned int) (data - orig_data) != len) || data == end)
+ 	warn (_("DW_LNE_define_file: Bad opcode length\n"));
+@@ -597,18 +602,27 @@ static const unsigned char *
+ fetch_indirect_string (dwarf_vma offset)
+ {
+   struct dwarf_section *section = &debug_displays [str].section;
++  const unsigned char * ret;
+ 
+   if (section->start == NULL)
+     return (const unsigned char *) _("<no .debug_str section>");
+ 
+-  if (offset > section->size)
++  if (offset >= section->size)
+     {
+       warn (_("DW_FORM_strp offset too big: %s\n"),
+ 	    dwarf_vmatoa ("x", offset));
+       return (const unsigned char *) _("<offset is too big>");
+     }
++  ret = section->start + offset;
++  /* Unfortunately we cannot rely upon the .debug_str section ending with a
++     NUL byte.  Since our caller is expecting to receive a well formed C
++     string we test for the lack of a terminating byte here.  */
++  if (strnlen ((const char *) ret, section->size - offset)
++      == section->size - offset)
++    ret = (const unsigned char *)
++      _("<no NUL byte at end of .debug_str section>");
+ 
+-  return (const unsigned char *) section->start + offset;
++  return ret; 
+ }
+ 
+ static const char *
+@@ -621,6 +635,7 @@ fetch_indexed_string (dwarf_vma idx, str
+   struct dwarf_section *str_section = &debug_displays [str_sec_idx].section;
+   dwarf_vma index_offset = idx * offset_size;
+   dwarf_vma str_offset;
++  const char * ret;
+ 
+   if (index_section->start == NULL)
+     return (dwo ? _("<no .debug_str_offsets.dwo section>")
+@@ -628,7 +643,7 @@ fetch_indexed_string (dwarf_vma idx, str
+ 
+   if (this_set != NULL)
+     index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS];
+-  if (index_offset > index_section->size)
++  if (index_offset >= index_section->size)
+     {
+       warn (_("DW_FORM_GNU_str_index offset too big: %s\n"),
+ 	    dwarf_vmatoa ("x", index_offset));
+@@ -641,14 +656,22 @@ fetch_indexed_string (dwarf_vma idx, str
+ 
+   str_offset = byte_get (index_section->start + index_offset, offset_size);
+   str_offset -= str_section->address;
+-  if (str_offset > str_section->size)
++  if (str_offset >= str_section->size)
+     {
+       warn (_("DW_FORM_GNU_str_index indirect offset too big: %s\n"),
+ 	    dwarf_vmatoa ("x", str_offset));
+       return _("<indirect index offset is too big>");
+     }
+ 
+-  return (const char *) str_section->start + str_offset;
++  ret = (const char *) str_section->start + str_offset;
++  /* Unfortunately we cannot rely upon str_section ending with a NUL byte.
++     Since our caller is expecting to receive a well formed C string we test
++     for the lack of a terminating byte here.  */
++  if (strnlen (ret, str_section->size - str_offset)
++      == str_section->size - str_offset)
++    ret = (const char *) _("<no NUL byte at end of section>");
++
++  return ret;
+ }
+ 
+ static const char *
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,13 @@
++2017-04-28  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21438
++       * dwarf.c (process_extended_line_op): Do not assume that the
++       string extracted from the section is NUL terminated.
++       (fetch_indirect_string): If the string retrieved from the section
++       is not NUL terminated, return an error message.
++       (fetch_indirect_line_string): Likewise.
++       (fetch_indexed_string): Likewise.
++
+ 2017-02-14  Nick Clifton  <nickc@redhat.com>
+ 
+ 	PR binutils/21157
-- 
2.7.4

[pyro][PATCH 08/26] binutils: Security fix CVE-2017-8421

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-8421.patch          | 52 ++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-8421.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index d58d7b8..5b6270a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -50,6 +50,7 @@ SRC_URI = "\
      file://CVE-2017-8395.patch \
      file://CVE-2017-8396_8397.patch \
      file://CVE-2017-8398.patch \
+     file://CVE-2017-8421.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8421.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8421.patch
new file mode 100644
index 0000000..7969c66
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8421.patch
@@ -0,0 +1,52 @@
+From 39ff1b79f687b65f4144ddb379f22587003443fb Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 2 May 2017 11:54:53 +0100
+Subject: [PATCH] Prevent memory exhaustion from a corrupt PE binary with an
+ overlarge number of relocs.
+
+	PR 21440
+	* objdump.c (dump_relocs_in_section): Check for an excessive
+	number of relocs before attempting to dump them.
+
+Upstream-Status: Backport
+CVE: CVE-2017-8421
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 8 ++++++++
+ 2 files changed, 14 insertions(+)
+
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -3311,6 +3311,14 @@ dump_relocs_in_section (bfd *abfd,
+       return;
+     }
+ 
++  if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
++      && relsize > get_file_size (bfd_get_filename (abfd)))
++    {
++      printf (" (too many: 0x%x)\n", section->reloc_count);
++      bfd_set_error (bfd_error_file_truncated);
++      bfd_fatal (bfd_get_filename (abfd));
++    }
++
+   relpp = (arelent **) xmalloc (relsize);
+   relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms);
+ 
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-05-02  Nick Clifton  <nickc@redhat.com>
++
++       PR 21440
++       * objdump.c (dump_relocs_in_section): Check for an excessive
++       number of relocs before attempting to dump them.
++
+ 2017-04-28  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21438
-- 
2.7.4

[pyro][PATCH 09/26] binutils: Security fix for CVE-2017-9038 and CVE-2017-9044

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9038_9044.patch     | 51 ++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9038_9044.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 5b6270a..377165a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -51,6 +51,7 @@ SRC_URI = "\
      file://CVE-2017-8396_8397.patch \
      file://CVE-2017-8398.patch \
      file://CVE-2017-8421.patch \
+     file://CVE-2017-9038_9044.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9038_9044.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9038_9044.patch
new file mode 100644
index 0000000..535efc3
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9038_9044.patch
@@ -0,0 +1,51 @@
+From f32ba72991d2406b21ab17edc234a2f3fa7fb23d Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 3 Apr 2017 11:01:45 +0100
+Subject: [PATCH] readelf: Update check for invalid word offsets in ARM unwind
+ information.
+
+	PR binutils/21343
+	* readelf.c (get_unwind_section_word): Fix snafu checking for
+	invalid word offsets in ARM unwind information.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9038
+CVE: CVE-2017-9044
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/readelf.c | 6 +++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -7972,9 +7972,9 @@ get_unwind_section_word (struct arm_unw_
+     return FALSE;
+ 
+   /* If the offset is invalid then fail.  */
+-  if (word_offset > (sec->sh_size - 4)
+-      /* PR 18879 */
+-      || (sec->sh_size < 5 && word_offset >= sec->sh_size)
++  if (/* PR 21343 *//* PR 18879 */
++      sec->sh_size < 4
++      || word_offset > (sec->sh_size - 4)
+       || ((bfd_signed_vma) word_offset) < 0)
+     return FALSE;
+ 
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-04-03  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21343
++       * readelf.c (get_unwind_section_word): Fix snafu checking for
++       invalid word offsets in ARM unwind information.
++
+ 2017-05-02  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 21440
-- 
2.7.4

[pyro][PATCH 10/26] binutils: Security fix for CVE-2017-9039

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9039.patch          | 61 ++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 377165a..b8199a4 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -52,6 +52,7 @@ SRC_URI = "\
      file://CVE-2017-8398.patch \
      file://CVE-2017-8421.patch \
      file://CVE-2017-9038_9044.patch \
+     file://CVE-2017-9039.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch
new file mode 100644
index 0000000..aed8f7f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9039.patch
@@ -0,0 +1,61 @@
+From 82156ab704b08b124d319c0decdbd48b3ca2dac5 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 3 Apr 2017 12:14:06 +0100
+Subject: [PATCH] readelf: Fix overlarge memory allocation when reading a
+ binary with an excessive number of program headers.
+
+	PR binutils/21345
+	* readelf.c (get_program_headers): Check for there being too many
+	program headers before attempting to allocate space for them.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9039
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/readelf.c | 17 ++++++++++++++---
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -4765,9 +4765,19 @@ get_program_headers (FILE * file)
+   if (program_headers != NULL)
+     return 1;
+ 
+-  phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum,
+-                                         sizeof (Elf_Internal_Phdr));
++  /* Be kind to memory checkers by looking for
++     e_phnum values which we know must be invalid.  */
++  if (elf_header.e_phnum
++      * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr))
++      >= current_file_size)
++    {
++      error (_("Too many program headers - %#x - the file is not that big\n"),
++	     elf_header.e_phnum);
++      return FALSE;
++    }
+ 
++  phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum,
++					 sizeof (Elf_Internal_Phdr));
+   if (phdrs == NULL)
+     {
+       error (_("Out of memory reading %u program headers\n"),
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,5 +1,11 @@
+ 2017-04-03  Nick Clifton  <nickc@redhat.com>
+ 
++       PR binutils/21345
++       * readelf.c (get_program_headers): Check for there being too many
++       program headers before attempting to allocate space for them.
++
++2017-04-03  Nick Clifton  <nickc@redhat.com>
++
+        PR binutils/21343
+        * readelf.c (get_unwind_section_word): Fix snafu checking for
+        invalid word offsets in ARM unwind information.
-- 
2.7.4

[pyro][PATCH 11/26] binutils: Security fix for CVE-2017-9040 and CVE-2017-9042

[Armin Kuster]

Affects: <= 2.28
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9040_9042.patch     | 57 ++++++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9040_9042.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index b8199a4..c376433 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -53,6 +53,7 @@ SRC_URI = "\
      file://CVE-2017-8421.patch \
      file://CVE-2017-9038_9044.patch \
      file://CVE-2017-9039.patch \
+     file://CVE-2017-9040_9042.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_9042.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_9042.patch
new file mode 100644
index 0000000..79c6a7d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_9042.patch
@@ -0,0 +1,57 @@
+From 7296a62a2a237f6b1ad8db8c38b090e9f592c8cf Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 13 Apr 2017 16:06:30 +0100
+Subject: [PATCH] readelf: fix out of range subtraction, seg fault from a NULL
+ pointer and memory exhaustion, all from parsing corrupt binaries.
+
+	PR binutils/21379
+	* readelf.c (process_dynamic_section): Detect over large section
+	offsets in the DT_SYMTAB entry.
+
+	PR binutils/21345
+	* readelf.c (process_mips_specific): Catch an unfeasible memory
+	allocation before it happens and print a suitable error message.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9040
+CVE: CVE-2017-9042
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 12 ++++++++++++
+ binutils/readelf.c | 26 +++++++++++++++++++++-----
+ 2 files changed, 33 insertions(+), 5 deletions(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -9306,6 +9306,12 @@ process_dynamic_section (FILE * file)
+ 	     processing that.  This is overkill, I know, but it
+ 	     should work.  */
+ 	  section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0);
++	  if ((bfd_size_type) section.sh_offset > current_file_size)
++	    {
++	      /* See PR 21379 for a reproducer.  */
++	      error (_("Invalid DT_SYMTAB entry: %lx"), (long) section.sh_offset);
++	      return FALSE;
++	    }
+ 
+ 	  if (archive_file_offset != 0)
+ 	    section.sh_size = archive_file_size - section.sh_offset;
+@@ -15175,6 +15181,15 @@ process_mips_specific (FILE * file)
+ 	  return 0;
+ 	}
+ 
++      /* PR 21345 - print a slightly more helpful error message
++	 if we are sure that the cmalloc will fail.  */
++      if (conflictsno * sizeof (* iconf) > current_file_size)
++	{
++	  error (_("Overlarge number of conflicts detected: %lx\n"),
++		 (long) conflictsno);
++	  return FALSE;
++	}
++
+       iconf = (Elf32_Conflict *) cmalloc (conflictsno, sizeof (* iconf));
+       if (iconf == NULL)
+ 	{
-- 
2.7.4

[pyro][PATCH 12/26] binutils: Security fix for CVE-2017-9742

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9742.patch          | 45 ++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9742.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index c376433..946f16c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -54,6 +54,7 @@ SRC_URI = "\
      file://CVE-2017-9038_9044.patch \
      file://CVE-2017-9039.patch \
      file://CVE-2017-9040_9042.patch \
+     file://CVE-2017-9742.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9742.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9742.patch
new file mode 100644
index 0000000..0c9ed0d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9742.patch
@@ -0,0 +1,45 @@
+From e64519d1ed7fd8f990f05a5562d5b5c0c44b7d7e Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 17:10:28 +0100
+Subject: [PATCH] Fix seg-fault when trying to disassemble a corrupt score
+ binary.
+
+	PR binutils/21576
+	* score7-dis.c (score_opcodes): Add sentinel.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9742
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ opcodes/ChangeLog    | 5 +++++
+ opcodes/score7-dis.c | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/opcodes/score7-dis.c
+===================================================================
+--- git.orig/opcodes/score7-dis.c
++++ git/opcodes/score7-dis.c
+@@ -513,7 +513,8 @@ static struct score_opcode score_opcodes
+   {0x00000d05, 0x00007f0f, "tvc!"},
+   {0x00000026, 0x3e0003ff, "xor\t\t%20-24r, %15-19r, %10-14r"},
+   {0x00000027, 0x3e0003ff, "xor.c\t\t%20-24r, %15-19r, %10-14r"},
+-  {0x00002007, 0x0000700f, "xor!\t\t%8-11r, %4-7r"}
++  {0x00002007, 0x0000700f, "xor!\t\t%8-11r, %4-7r"},
++  { 0, 0, NULL }
+ };
+ 
+ typedef struct
+Index: git/opcodes/ChangeLog
+===================================================================
+--- git.orig/opcodes/ChangeLog
++++ git/opcodes/ChangeLog
+@@ -1,3 +1,8 @@
++2017-06-14  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21576
++       * score7-dis.c (score_opcodes): Add sentinel.
++
+ 2017-03-07  Alan Modra  <amodra@gmail.com>
+ 
+ 	Apply from master
-- 
2.7.4

[pyro][PATCH 13/26] binutls: Security fix for CVE-2017-9744

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9744.patch          | 46 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9744.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 946f16c..815e2bf 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -55,6 +55,7 @@ SRC_URI = "\
      file://CVE-2017-9039.patch \
      file://CVE-2017-9040_9042.patch \
      file://CVE-2017-9742.patch \
+     file://CVE-2017-9744.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9744.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9744.patch
new file mode 100644
index 0000000..c34a5a6
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9744.patch
@@ -0,0 +1,46 @@
+From f461bbd847f15657f3dd2f317c30c75a7520da1f Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 17:01:54 +0100
+Subject: [PATCH] Fix address violation bug when disassembling a corrupt SH
+ binary.
+
+	PR binutils/21578
+	* elf32-sh.c (sh_elf_set_mach_from_flags): Fix check for invalid
+	flag value.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9744
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog  | 6 ++++++
+ bfd/elf32-sh.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/bfd/elf32-sh.c
+===================================================================
+--- git.orig/bfd/elf32-sh.c
++++ git/bfd/elf32-sh.c
+@@ -6344,7 +6344,7 @@ sh_elf_set_mach_from_flags (bfd *abfd)
+ {
+   flagword flags = elf_elfheader (abfd)->e_flags & EF_SH_MACH_MASK;
+ 
+-  if (flags >= sizeof(sh_ef_bfd_table))
++  if (flags >= ARRAY_SIZE (sh_ef_bfd_table))
+     return FALSE;
+ 
+   if (sh_ef_bfd_table[flags] == 0)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-06-14  Nick Clifton  <nickc@redhat.com>
++ 
++       PR binutils/21578
++       * elf32-sh.c (sh_elf_set_mach_from_flags): Fix check for invalid
++       flag value.
++
+ 2017-04-29  Alan Modra  <amodra@gmail.com>
+ 
+        PR 21432
-- 
2.7.4

[pyro][PATCH 14/26] binutils: Security fix for CVE-2017-9745

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9745.patch          | 35 ++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 815e2bf..d555d5f 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -56,6 +56,7 @@ SRC_URI = "\
      file://CVE-2017-9040_9042.patch \
      file://CVE-2017-9742.patch \
      file://CVE-2017-9744.patch \
+     file://CVE-2017-9745.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch
new file mode 100644
index 0000000..0b3885b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9745.patch
@@ -0,0 +1,35 @@
+From 76800cba595efc3fe95a446c2d664e42ae4ee869 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 15 Jun 2017 12:08:57 +0100
+Subject: [PATCH] Handle EITR records in VMS Alpha binaries with overlarge
+ command length parameters.
+
+	PR binutils/21579
+	* vms-alpha.c (_bfd_vms_slurp_etir): Extend check of cmd_length.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9745
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog   |  5 +++++
+ bfd/vms-alpha.c | 16 ++++++++--------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c
++++ git/bfd/vms-alpha.c
+@@ -1741,6 +1741,12 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+       _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+ #endif
+ 
++#if VMS_DEBUG
++      _bfd_vms_debug (4, "etir: %s(%d)\n",
++                      _bfd_vms_etir_name (cmd), cmd);
++      _bfd_hexdump (8, ptr, cmd_length - 4, 0);
++#endif
++
+       switch (cmd)
+         {
+           /* Stack global
-- 
2.7.4

[pyro][PATCH 15/26] binutls: Security for fix CVE-2017-9746

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9746.patch          | 91 ++++++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index d555d5f..235306b 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -57,6 +57,7 @@ SRC_URI = "\
      file://CVE-2017-9742.patch \
      file://CVE-2017-9744.patch \
      file://CVE-2017-9745.patch \
+     file://CVE-2017-9746.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch
new file mode 100644
index 0000000..bd4a40c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9746.patch
@@ -0,0 +1,91 @@
+From ae87f7e73eba29bd38b3a9684a10b948ed715612 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 16:50:03 +0100
+Subject: [PATCH] Fix address violation when disassembling a corrupt binary.
+
+	PR binutils/21580
+binutils * objdump.c (disassemble_bytes): Check for buffer overrun when
+	printing out rae insns.
+
+ld	* testsuite/ld-nds32/diff.d: Adjust expected output.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9746
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/objdump.c           | 27 +++++++++++++++------------
+ ld/ChangeLog                 |  5 +++++
+ ld/testsuite/ld-nds32/diff.d |  6 +++---
+ 3 files changed, 23 insertions(+), 15 deletions(-)
+
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -1855,20 +1855,23 @@ disassemble_bytes (struct disassemble_in
+ 
+ 	      for (j = addr_offset * opb; j < addr_offset * opb + pb; j += bpc)
+ 		{
+-		  int k;
+-
+-		  if (bpc > 1 && inf->display_endian == BFD_ENDIAN_LITTLE)
+-		    {
+-		      for (k = bpc - 1; k >= 0; k--)
+-			printf ("%02x", (unsigned) data[j + k]);
+-		      putchar (' ');
+-		    }
+-		  else
++		  /* PR 21580: Check for a buffer ending early.  */
++		  if (j + bpc <= stop_offset * opb)
+ 		    {
+-		      for (k = 0; k < bpc; k++)
+-			printf ("%02x", (unsigned) data[j + k]);
+-		      putchar (' ');
++		      int k;
++
++		      if (inf->display_endian == BFD_ENDIAN_LITTLE)
++			{
++			  for (k = bpc - 1; k >= 0; k--)
++			    printf ("%02x", (unsigned) data[j + k]);
++			}
++		      else
++			{
++			  for (k = 0; k < bpc; k++)
++			    printf ("%02x", (unsigned) data[j + k]);
++			}
+ 		    }
++		  putchar (' ');
+ 		}
+ 
+ 	      for (; pb < octets_per_line; pb += bpc)
+Index: git/ld/testsuite/ld-nds32/diff.d
+===================================================================
+--- git.orig/ld/testsuite/ld-nds32/diff.d
++++ git/ld/testsuite/ld-nds32/diff.d
+@@ -7,9 +7,9 @@
+ 
+ Disassembly of section .data:
+ 00008000 <WORD> (7e 00 00 00|00 00 00 7e).*
+-00008004 <HALF> (7e 00 7e fe|00 7e 7e fe).*
+-00008006 <BYTE> 7e fe 00 fe.*
+-00008007 <ULEB128> fe 00.*
++00008004 <HALF> (7e 00|00 7e).*
++00008006 <BYTE> 7e.*
++00008007 <ULEB128> fe.*
+ 	...
+ 00008009 <ULEB128_2> fe 00.*
+ .*
+Index: git/ld/ChangeLog
+===================================================================
+--- git.orig/ld/ChangeLog
++++ git/ld/ChangeLog
+@@ -1,3 +1,8 @@
++2017-06-14  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21580
++       * testsuite/ld-nds32/diff.d: Adjust expected output.
++
+ 2017-03-07  Alan Modra  <amodra@gmail.com>
+ 
+ 	* ldlang.c (open_input_bfds): Check that lang_assignment_statement
-- 
2.7.4

[pyro][PATCH 16/26] binutls: Security fix for CVE-2017-9747

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9747.patch          | 43 ++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9747.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 235306b..6822adb 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -58,6 +58,7 @@ SRC_URI = "\
      file://CVE-2017-9744.patch \
      file://CVE-2017-9745.patch \
      file://CVE-2017-9746.patch \
+     file://CVE-2017-9747.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9747.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9747.patch
new file mode 100644
index 0000000..41ead54
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9747.patch
@@ -0,0 +1,43 @@
+From 62b76e4b6e0b4cb5b3e0053d1de4097b32577049 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 15 Jun 2017 13:08:47 +0100
+Subject: [PATCH] Fix address violation parsing a corrupt ieee binary.
+
+	PR binutils/21581
+	(ieee_archive_p): Use a static buffer to avoid compiler bugs.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9747
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 2 ++
+ bfd/ieee.c    | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+Index: git/bfd/ieee.c
+===================================================================
+--- git.orig/bfd/ieee.c
++++ git/bfd/ieee.c
+@@ -1357,7 +1357,7 @@ ieee_archive_p (bfd *abfd)
+ {
+   char *library;
+   unsigned int i;
+-  unsigned char buffer[512];
++  static unsigned char buffer[512];
+   file_ptr buffer_offset = 0;
+   ieee_ar_data_type *save = abfd->tdata.ieee_ar_data;
+   ieee_ar_data_type *ieee;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2017-06-15  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21581
++       (ieee_archive_p): Likewise.
++
+ 2017-06-14  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/21578
-- 
2.7.4

[pyro][PATCH 17/26] binutls: Security fix for CVE-2017-9748

[Armin Kuster]

affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9748.patch          | 46 ++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9748.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 6822adb..8a19ac6 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -59,6 +59,7 @@ SRC_URI = "\
      file://CVE-2017-9745.patch \
      file://CVE-2017-9746.patch \
      file://CVE-2017-9747.patch \
+     file://CVE-2017-9748.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9748.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9748.patch
new file mode 100644
index 0000000..0207023
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9748.patch
@@ -0,0 +1,46 @@
+From 63634bb4a107877dd08b6282e28e11cfd1a1649e Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 15 Jun 2017 12:44:23 +0100
+Subject: [PATCH] Avoid a possible compiler bug by using a static buffer
+ instead of a stack local buffer.
+
+	PR binutils/21582
+	* ieee.c (ieee_object_p): Use a static buffer to avoid compiler
+	bugs.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9748
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/ieee.c    | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/bfd/ieee.c
+===================================================================
+--- git.orig/bfd/ieee.c
++++ git/bfd/ieee.c
+@@ -1875,7 +1875,7 @@ ieee_object_p (bfd *abfd)
+   char *processor;
+   unsigned int part;
+   ieee_data_type *ieee;
+-  unsigned char buffer[300];
++  static unsigned char buffer[300];
+   ieee_data_type *save = IEEE_DATA (abfd);
+   bfd_size_type amt;
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,5 +1,9 @@
+ 2017-06-15  Nick Clifton  <nickc@redhat.com>
+ 
++       PR binutils/21582
++       * ieee.c (ieee_object_p): Use a static buffer to avoid compiler
++       bugs.
++
+        PR binutils/21581
+        (ieee_archive_p): Likewise.
+ 
-- 
2.7.4

[pyro][PATCH 18/26] binutils: Security fix for CVE-2017-9749

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9749.patch          | 77 ++++++++++++++++++++++
 2 files changed, 78 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9749.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 8a19ac6..b88e154 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -60,6 +60,7 @@ SRC_URI = "\
      file://CVE-2017-9746.patch \
      file://CVE-2017-9747.patch \
      file://CVE-2017-9748.patch \
+     file://CVE-2017-9749.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9749.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9749.patch
new file mode 100644
index 0000000..3cc2afc
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9749.patch
@@ -0,0 +1,77 @@
+From 08c7881b814c546efc3996fd1decdf0877f7a779 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 15 Jun 2017 11:52:02 +0100
+Subject: [PATCH] Prevent invalid array accesses when disassembling a corrupt
+ bfin binary.
+
+	PR binutils/21586
+	* bfin-dis.c (gregs): Clip index to prevent overflow.
+	(regs): Likewise.
+	(regs_lo): Likewise.
+	(regs_hi): Likewise.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9749
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ opcodes/ChangeLog  | 8 ++++++++
+ opcodes/bfin-dis.c | 8 ++++----
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+Index: git/opcodes/ChangeLog
+===================================================================
+--- git.orig/opcodes/ChangeLog
++++ git/opcodes/ChangeLog
+@@ -1,3 +1,11 @@
++2017-06-15  Nick Clifton  <nickc@redhat.com>
++
++	PR binutils/21586
++	* bfin-dis.c (gregs): Clip index to prevent overflow.
++	(regs): Likewise.
++	(regs_lo): Likewise.
++	(regs_hi): Likewise.
++
+ 2017-06-14  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21576
+Index: git/opcodes/bfin-dis.c
+===================================================================
+--- git.orig/opcodes/bfin-dis.c
++++ git/opcodes/bfin-dis.c
+@@ -350,7 +350,7 @@ static const enum machine_registers deco
+   REG_P0, REG_P1, REG_P2, REG_P3, REG_P4, REG_P5, REG_SP, REG_FP,
+ };
+ 
+-#define gregs(x, i) REGNAME (decode_gregs[((i) << 3) | (x)])
++#define gregs(x, i) REGNAME (decode_gregs[(((i) << 3) | (x)) & 15])
+ 
+ /* [dregs pregs (iregs mregs) (bregs lregs)].  */
+ static const enum machine_registers decode_regs[] =
+@@ -361,7 +361,7 @@ static const enum machine_registers deco
+   REG_B0, REG_B1, REG_B2, REG_B3, REG_L0, REG_L1, REG_L2, REG_L3,
+ };
+ 
+-#define regs(x, i) REGNAME (decode_regs[((i) << 3) | (x)])
++#define regs(x, i) REGNAME (decode_regs[(((i) << 3) | (x)) & 31])
+ 
+ /* [dregs pregs (iregs mregs) (bregs lregs) Low Half].  */
+ static const enum machine_registers decode_regs_lo[] =
+@@ -372,7 +372,7 @@ static const enum machine_registers deco
+   REG_BL0, REG_BL1, REG_BL2, REG_BL3, REG_LL0, REG_LL1, REG_LL2, REG_LL3,
+ };
+ 
+-#define regs_lo(x, i) REGNAME (decode_regs_lo[((i) << 3) | (x)])
++#define regs_lo(x, i) REGNAME (decode_regs_lo[(((i) << 3) | (x)) & 31])
+ 
+ /* [dregs pregs (iregs mregs) (bregs lregs) High Half].  */
+ static const enum machine_registers decode_regs_hi[] =
+@@ -383,7 +383,7 @@ static const enum machine_registers deco
+   REG_BH0, REG_BH1, REG_BH2, REG_BH3, REG_LH0, REG_LH1, REG_LH2, REG_LH3,
+ };
+ 
+-#define regs_hi(x, i) REGNAME (decode_regs_hi[((i) << 3) | (x)])
++#define regs_hi(x, i) REGNAME (decode_regs_hi[(((i) << 3) | (x)) & 31])
+ 
+ static const enum machine_registers decode_statbits[] =
+ {
-- 
2.7.4

[pyro][PATCH 19/26] Binutils: Security fix for CVE-2017-9750

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |   1 +
 .../binutils/binutils/CVE-2017-9750.patch          | 247 +++++++++++++++++++++
 2 files changed, 248 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index b88e154..c63a2e5 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -61,6 +61,7 @@ SRC_URI = "\
      file://CVE-2017-9747.patch \
      file://CVE-2017-9748.patch \
      file://CVE-2017-9749.patch \
+     file://CVE-2017-9750.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch
new file mode 100644
index 0000000..fe8fa69
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch
@@ -0,0 +1,247 @@
+From db5fa770268baf8cc82cf9b141d69799fd485fe2 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 13:35:06 +0100
+Subject: [PATCH] Fix address violation problems when disassembling a corrupt
+ RX binary.
+
+	PR binutils/21587
+	* rx-decode.opc: Include libiberty.h
+	(GET_SCALE): New macro - validates access to SCALE array.
+	(GET_PSCALE): New macro - validates access to PSCALE array.
+	(DIs, SIs, S2Is, rx_disp): Use new macros.
+	* rx-decode.c: Regenerate.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9750
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ opcodes/ChangeLog     |  9 +++++++++
+ opcodes/rx-decode.c   | 24 ++++++++++++++----------
+ opcodes/rx-decode.opc | 24 ++++++++++++++----------
+ 3 files changed, 37 insertions(+), 20 deletions(-)
+
+Index: git/opcodes/rx-decode.c
+===================================================================
+--- git.orig/opcodes/rx-decode.c
++++ git/opcodes/rx-decode.c
+@@ -27,6 +27,7 @@
+ #include <string.h>
+ #include "ansidecl.h"
+ #include "opcode/rx.h"
++#include "libiberty.h"
+ 
+ #define RX_OPCODE_BIG_ENDIAN 0
+ 
+@@ -45,7 +46,7 @@ static int trace = 0;
+ #define LSIZE 2
+ 
+ /* These are for when the upper bits are "don't care" or "undefined".  */
+-static int bwl[] =
++static int bwl[4] =
+ {
+   RX_Byte,
+   RX_Word,
+@@ -53,7 +54,7 @@ static int bwl[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int sbwl[] =
++static int sbwl[4] =
+ {
+   RX_SByte,
+   RX_SWord,
+@@ -61,7 +62,7 @@ static int sbwl[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int ubw[] =
++static int ubw[4] =
+ {
+   RX_UByte,
+   RX_UWord,
+@@ -69,7 +70,7 @@ static int ubw[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int memex[] =
++static int memex[4] =
+ {
+   RX_SByte,
+   RX_SWord,
+@@ -89,6 +90,9 @@ static int SCALE[] = { 1, 2, 4, 0 };
+ /* This is for the prefix size enum.  */
+ static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 };
+ 
++#define GET_SCALE(_indx)  ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0)
++#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0)
++
+ static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0,
+ 		       16, 17, 0, 0, 0, 0, 0, 0 };
+ 
+@@ -107,7 +111,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define DC(c)       OP (0, RX_Operand_Immediate, 0, c)
+ #define DR(r)       OP (0, RX_Operand_Register,  r, 0)
+ #define DI(r,a)     OP (0, RX_Operand_Indirect,  r, a)
+-#define DIs(r,a,s)  OP (0, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define DIs(r,a,s)  OP (0, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define DD(t,r,s)   rx_disp (0, t, r, bwl[s], ld);
+ #define DF(r)       OP (0, RX_Operand_Flag,  flagmap[r], 0)
+ 
+@@ -115,7 +119,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define SR(r)       OP (1, RX_Operand_Register,  r, 0)
+ #define SRR(r)      OP (1, RX_Operand_TwoReg,  r, 0)
+ #define SI(r,a)     OP (1, RX_Operand_Indirect,  r, a)
+-#define SIs(r,a,s)  OP (1, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define SIs(r,a,s)  OP (1, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define SD(t,r,s)   rx_disp (1, t, r, bwl[s], ld);
+ #define SP(t,r)     rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1);
+ #define SPm(t,r,m)  rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m];
+@@ -124,7 +128,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define S2C(i)      OP (2, RX_Operand_Immediate, 0, i)
+ #define S2R(r)      OP (2, RX_Operand_Register,  r, 0)
+ #define S2I(r,a)    OP (2, RX_Operand_Indirect,  r, a)
+-#define S2Is(r,a,s) OP (2, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define S2Is(r,a,s) OP (2, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define S2D(t,r,s)  rx_disp (2, t, r, bwl[s], ld);
+ #define S2P(t,r)    rx_disp (2, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 2);
+ #define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m];
+@@ -211,7 +215,7 @@ immediate (int sfield, int ex, LocalData
+ }
+ 
+ static void
+-rx_disp (int n, int type, int reg, int size, LocalData * ld)
++rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld)
+ {
+   int disp;
+ 
+@@ -228,7 +232,7 @@ rx_disp (int n, int type, int reg, int s
+     case 1:
+       ld->rx->op[n].type = RX_Operand_Indirect;
+       disp = GETBYTE ();
+-      ld->rx->op[n].addend = disp * PSCALE[size];
++      ld->rx->op[n].addend = disp * GET_PSCALE (size);
+       break;
+     case 2:
+       ld->rx->op[n].type = RX_Operand_Indirect;
+@@ -238,7 +242,7 @@ rx_disp (int n, int type, int reg, int s
+ #else
+       disp = disp + GETBYTE () * 256;
+ #endif
+-      ld->rx->op[n].addend = disp * PSCALE[size];
++      ld->rx->op[n].addend = disp * GET_PSCALE (size);
+       break;
+     default:
+       abort ();
+Index: git/opcodes/rx-decode.opc
+===================================================================
+--- git.orig/opcodes/rx-decode.opc
++++ git/opcodes/rx-decode.opc
+@@ -26,6 +26,7 @@
+ #include <string.h>
+ #include "ansidecl.h"
+ #include "opcode/rx.h"
++#include "libiberty.h"
+ 
+ #define RX_OPCODE_BIG_ENDIAN 0
+ 
+@@ -44,7 +45,7 @@ static int trace = 0;
+ #define LSIZE 2
+ 
+ /* These are for when the upper bits are "don't care" or "undefined".  */
+-static int bwl[] =
++static int bwl[4] =
+ {
+   RX_Byte,
+   RX_Word,
+@@ -52,7 +53,7 @@ static int bwl[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int sbwl[] =
++static int sbwl[4] =
+ {
+   RX_SByte,
+   RX_SWord,
+@@ -60,7 +61,7 @@ static int sbwl[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int ubw[] =
++static int ubw[4] =
+ {
+   RX_UByte,
+   RX_UWord,
+@@ -68,7 +69,7 @@ static int ubw[] =
+   RX_Bad_Size /* Bogus instructions can have a size field set to 3.  */
+ };
+ 
+-static int memex[] =
++static int memex[4] =
+ {
+   RX_SByte,
+   RX_SWord,
+@@ -88,6 +89,9 @@ static int SCALE[] = { 1, 2, 4, 0 };
+ /* This is for the prefix size enum.  */
+ static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 };
+ 
++#define GET_SCALE(_indx)  ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0)
++#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0)
++
+ static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0,
+ 		       16, 17, 0, 0, 0, 0, 0, 0 };
+ 
+@@ -106,7 +110,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define DC(c)       OP (0, RX_Operand_Immediate, 0, c)
+ #define DR(r)       OP (0, RX_Operand_Register,  r, 0)
+ #define DI(r,a)     OP (0, RX_Operand_Indirect,  r, a)
+-#define DIs(r,a,s)  OP (0, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define DIs(r,a,s)  OP (0, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define DD(t,r,s)   rx_disp (0, t, r, bwl[s], ld);
+ #define DF(r)       OP (0, RX_Operand_Flag,  flagmap[r], 0)
+ 
+@@ -114,7 +118,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define SR(r)       OP (1, RX_Operand_Register,  r, 0)
+ #define SRR(r)      OP (1, RX_Operand_TwoReg,  r, 0)
+ #define SI(r,a)     OP (1, RX_Operand_Indirect,  r, a)
+-#define SIs(r,a,s)  OP (1, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define SIs(r,a,s)  OP (1, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define SD(t,r,s)   rx_disp (1, t, r, bwl[s], ld);
+ #define SP(t,r)     rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1);
+ #define SPm(t,r,m)  rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m];
+@@ -123,7 +127,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4,
+ #define S2C(i)      OP (2, RX_Operand_Immediate, 0, i)
+ #define S2R(r)      OP (2, RX_Operand_Register,  r, 0)
+ #define S2I(r,a)    OP (2, RX_Operand_Indirect,  r, a)
+-#define S2Is(r,a,s) OP (2, RX_Operand_Indirect,  r, (a) * SCALE[s])
++#define S2Is(r,a,s) OP (2, RX_Operand_Indirect,  r, (a) * GET_SCALE (s))
+ #define S2D(t,r,s)  rx_disp (2, t, r, bwl[s], ld);
+ #define S2P(t,r)    rx_disp (2, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 2);
+ #define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m];
+@@ -210,7 +214,7 @@ immediate (int sfield, int ex, LocalData
+ }
+ 
+ static void
+-rx_disp (int n, int type, int reg, int size, LocalData * ld)
++rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld)
+ {
+   int disp;
+ 
+@@ -227,7 +231,7 @@ rx_disp (int n, int type, int reg, int s
+     case 1:
+       ld->rx->op[n].type = RX_Operand_Indirect;
+       disp = GETBYTE ();
+-      ld->rx->op[n].addend = disp * PSCALE[size];
++      ld->rx->op[n].addend = disp * GET_PSCALE (size);
+       break;
+     case 2:
+       ld->rx->op[n].type = RX_Operand_Indirect;
+@@ -237,7 +241,7 @@ rx_disp (int n, int type, int reg, int s
+ #else
+       disp = disp + GETBYTE () * 256;
+ #endif
+-      ld->rx->op[n].addend = disp * PSCALE[size];
++      ld->rx->op[n].addend = disp * GET_PSCALE (size);
+       break;
+     default:
+       abort ();
-- 
2.7.4

[pyro][PATCH 20/26] binutls: Security fix for CVE-2017-9751

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |    1 +
 .../binutils/binutils/CVE-2017-9751.patch          | 3748 ++++++++++++++++++++
 2 files changed, 3749 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9751.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index c63a2e5..99fc1b1 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -62,6 +62,7 @@ SRC_URI = "\
      file://CVE-2017-9748.patch \
      file://CVE-2017-9749.patch \
      file://CVE-2017-9750.patch \
+     file://CVE-2017-9751.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9751.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9751.patch
new file mode 100644
index 0000000..d7c18cf
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9751.patch
@@ -0,0 +1,3748 @@
+From 63323b5b23bd83fa7b04ea00dff593c933e9b0e3 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 15 Jun 2017 12:37:01 +0100
+Subject: [PATCH] Fix address violation when disassembling a corrupt RL78
+ binary.
+
+	PR binutils/21588
+	* rl78-decode.opc (OP_BUF_LEN): Define.
+	(GETBYTE): Check for the index exceeding OP_BUF_LEN.
+	(rl78_decode_opcode): Use OP_BUF_LEN as the length of the op_buf
+	array.
+	* rl78-decode.c: Regenerate.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9751
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ opcodes/ChangeLog       |   9 +
+ opcodes/rl78-decode.c   | 820 ++++++++++++++++++++++++------------------------
+ opcodes/rl78-decode.opc |   6 +-
+ 3 files changed, 424 insertions(+), 411 deletions(-)
+
+diff --git a/opcodes/ChangeLog b/opcodes/ChangeLog
+index 34b1844..c77f00a 100644
+--- a/opcodes/ChangeLog
++++ b/opcodes/ChangeLog
+@@ -1,5 +1,14 @@
+ 2017-06-15  Nick Clifton  <nickc@redhat.com>
+ 
++	PR binutils/21588
++	* rl78-decode.opc (OP_BUF_LEN): Define.
++	(GETBYTE): Check for the index exceeding OP_BUF_LEN.
++	(rl78_decode_opcode): Use OP_BUF_LEN as the length of the op_buf
++	array.
++	* rl78-decode.c: Regenerate.
++
++2017-06-15  Nick Clifton  <nickc@redhat.com>
++
+ 	PR binutils/21586
+ 	* bfin-dis.c (gregs): Clip index to prevent overflow.
+ 	(regs): Likewise.
+diff --git a/opcodes/rl78-decode.c b/opcodes/rl78-decode.c
+index d0566ea..b2d4bd6 100644
+--- a/opcodes/rl78-decode.c
++++ b/opcodes/rl78-decode.c
+@@ -51,7 +51,9 @@ typedef struct
+ #define W() rl78->size = RL78_Word
+ 
+ #define AU ATTRIBUTE_UNUSED
+-#define GETBYTE() (ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr))
++
++#define OP_BUF_LEN 20
++#define GETBYTE() (ld->rl78->n_bytes < (OP_BUF_LEN - 1) ? ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr): 0)
+ #define B ((unsigned long) GETBYTE())
+ 
+ #define SYNTAX(x) rl78->syntax = x
+@@ -169,7 +171,7 @@ rl78_decode_opcode (unsigned long pc AU,
+ 		  RL78_Dis_Isa isa)
+ {
+   LocalData lds, * ld = &lds;
+-  unsigned char op_buf[20] = {0};
++  unsigned char op_buf[OP_BUF_LEN] = {0};
+   unsigned char *op = op_buf;
+   int op0, op1;
+ 
+@@ -201,7 +203,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("nop");
+-#line 911 "rl78-decode.opc"
++#line 913 "rl78-decode.opc"
+           ID(nop);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -214,7 +216,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x07:
+         {
+           /** 0000 0rw1			addw	%0, %1				*/
+-#line 274 "rl78-decode.opc"
++#line 276 "rl78-decode.opc"
+           int rw AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -224,7 +226,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rw = 0x%x\n", rw);
+             }
+           SYNTAX("addw	%0, %1");
+-#line 274 "rl78-decode.opc"
++#line 276 "rl78-decode.opc"
+           ID(add); W(); DR(AX); SRW(rw); Fzac;
+ 
+         }
+@@ -239,7 +241,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("addw	%0, %e!1");
+-#line 265 "rl78-decode.opc"
++#line 267 "rl78-decode.opc"
+           ID(add); W(); DR(AX); SM(None, IMMU(2)); Fzac;
+ 
+         }
+@@ -254,7 +256,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("addw	%0, #%1");
+-#line 271 "rl78-decode.opc"
++#line 273 "rl78-decode.opc"
+           ID(add); W(); DR(AX); SC(IMMU(2)); Fzac;
+ 
+         }
+@@ -269,7 +271,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("addw	%0, %1");
+-#line 277 "rl78-decode.opc"
++#line 279 "rl78-decode.opc"
+           ID(add); W(); DR(AX); SM(None, SADDR); Fzac;
+ 
+         }
+@@ -284,7 +286,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("xch	a, x");
+-#line 1234 "rl78-decode.opc"
++#line 1236 "rl78-decode.opc"
+           ID(xch); DR(A); SR(X);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -301,7 +303,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %e1");
+-#line 678 "rl78-decode.opc"
++#line 680 "rl78-decode.opc"
+           ID(mov); DR(A); SM(B, IMMU(2));
+ 
+         }
+@@ -316,7 +318,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("add	%0, #%1");
+-#line 228 "rl78-decode.opc"
++#line 230 "rl78-decode.opc"
+           ID(add); DM(None, SADDR); SC(IMMU(1)); Fzac;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -333,7 +335,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("add	%0, %1");
+-#line 222 "rl78-decode.opc"
++#line 224 "rl78-decode.opc"
+           ID(add); DR(A); SM(None, SADDR); Fzac;
+ 
+         }
+@@ -348,7 +350,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("add	%0, #%1");
+-#line 216 "rl78-decode.opc"
++#line 218 "rl78-decode.opc"
+           ID(add); DR(A); SC(IMMU(1)); Fzac;
+ 
+         }
+@@ -363,7 +365,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("add	%0, %e1");
+-#line 204 "rl78-decode.opc"
++#line 206 "rl78-decode.opc"
+           ID(add); DR(A); SM(HL, 0); Fzac;
+ 
+         }
+@@ -378,7 +380,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("add	%0, %ea1");
+-#line 210 "rl78-decode.opc"
++#line 212 "rl78-decode.opc"
+           ID(add); DR(A); SM(HL, IMMU(1)); Fzac;
+ 
+         }
+@@ -393,7 +395,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("add	%0, %e!1");
+-#line 201 "rl78-decode.opc"
++#line 203 "rl78-decode.opc"
+           ID(add); DR(A); SM(None, IMMU(2)); Fzac;
+ 
+         }
+@@ -408,7 +410,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("addw	%0, #%1");
+-#line 280 "rl78-decode.opc"
++#line 282 "rl78-decode.opc"
+           ID(add); W(); DR(SP); SC(IMMU(1)); Fzac;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -425,7 +427,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("es:");
+-#line 193 "rl78-decode.opc"
++#line 195 "rl78-decode.opc"
+           DE(); SE();
+           op ++;
+           pc ++;
+@@ -440,7 +442,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x16:
+         {
+           /** 0001 0ra0			movw	%0, %1				*/
+-#line 859 "rl78-decode.opc"
++#line 861 "rl78-decode.opc"
+           int ra AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -450,7 +452,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  ra = 0x%x\n", ra);
+             }
+           SYNTAX("movw	%0, %1");
+-#line 859 "rl78-decode.opc"
++#line 861 "rl78-decode.opc"
+           ID(mov); W(); DRW(ra); SR(AX);
+ 
+         }
+@@ -460,7 +462,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x17:
+         {
+           /** 0001 0ra1			movw	%0, %1				*/
+-#line 856 "rl78-decode.opc"
++#line 858 "rl78-decode.opc"
+           int ra AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -470,7 +472,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  ra = 0x%x\n", ra);
+             }
+           SYNTAX("movw	%0, %1");
+-#line 856 "rl78-decode.opc"
++#line 858 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SRW(ra);
+ 
+         }
+@@ -485,7 +487,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%e0, %1");
+-#line 729 "rl78-decode.opc"
++#line 731 "rl78-decode.opc"
+           ID(mov); DM(B, IMMU(2)); SR(A);
+ 
+         }
+@@ -500,7 +502,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%e0, #%1");
+-#line 726 "rl78-decode.opc"
++#line 728 "rl78-decode.opc"
+           ID(mov); DM(B, IMMU(2)); SC(IMMU(1));
+ 
+         }
+@@ -515,7 +517,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("addc	%0, #%1");
+-#line 260 "rl78-decode.opc"
++#line 262 "rl78-decode.opc"
+           ID(addc); DM(None, SADDR); SC(IMMU(1)); Fzac;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -532,7 +534,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("addc	%0, %1");
+-#line 257 "rl78-decode.opc"
++#line 259 "rl78-decode.opc"
+           ID(addc); DR(A); SM(None, SADDR); Fzac;
+ 
+         }
+@@ -547,7 +549,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("addc	%0, #%1");
+-#line 248 "rl78-decode.opc"
++#line 250 "rl78-decode.opc"
+           ID(addc); DR(A); SC(IMMU(1)); Fzac;
+ 
+         }
+@@ -562,7 +564,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("addc	%0, %e1");
+-#line 236 "rl78-decode.opc"
++#line 238 "rl78-decode.opc"
+           ID(addc); DR(A); SM(HL, 0); Fzac;
+ 
+         }
+@@ -577,7 +579,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("addc	%0, %ea1");
+-#line 245 "rl78-decode.opc"
++#line 247 "rl78-decode.opc"
+           ID(addc); DR(A); SM(HL, IMMU(1)); Fzac;
+ 
+         }
+@@ -592,7 +594,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("addc	%0, %e!1");
+-#line 233 "rl78-decode.opc"
++#line 235 "rl78-decode.opc"
+           ID(addc); DR(A); SM(None, IMMU(2)); Fzac;
+ 
+         }
+@@ -607,7 +609,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("subw	%0, #%1");
+-#line 1198 "rl78-decode.opc"
++#line 1200 "rl78-decode.opc"
+           ID(sub); W(); DR(SP); SC(IMMU(1)); Fzac;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -620,7 +622,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x27:
+         {
+           /** 0010 0rw1			subw	%0, %1				*/
+-#line 1192 "rl78-decode.opc"
++#line 1194 "rl78-decode.opc"
+           int rw AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -630,7 +632,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rw = 0x%x\n", rw);
+             }
+           SYNTAX("subw	%0, %1");
+-#line 1192 "rl78-decode.opc"
++#line 1194 "rl78-decode.opc"
+           ID(sub); W(); DR(AX); SRW(rw); Fzac;
+ 
+         }
+@@ -645,7 +647,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("subw	%0, %e!1");
+-#line 1183 "rl78-decode.opc"
++#line 1185 "rl78-decode.opc"
+           ID(sub); W(); DR(AX); SM(None, IMMU(2)); Fzac;
+ 
+         }
+@@ -660,7 +662,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("subw	%0, #%1");
+-#line 1189 "rl78-decode.opc"
++#line 1191 "rl78-decode.opc"
+           ID(sub); W(); DR(AX); SC(IMMU(2)); Fzac;
+ 
+         }
+@@ -675,7 +677,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("subw	%0, %1");
+-#line 1195 "rl78-decode.opc"
++#line 1197 "rl78-decode.opc"
+           ID(sub); W(); DR(AX); SM(None, SADDR); Fzac;
+ 
+         }
+@@ -690,7 +692,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%e0, %1");
+-#line 741 "rl78-decode.opc"
++#line 743 "rl78-decode.opc"
+           ID(mov); DM(C, IMMU(2)); SR(A);
+ 
+         }
+@@ -705,7 +707,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %e1");
+-#line 684 "rl78-decode.opc"
++#line 686 "rl78-decode.opc"
+           ID(mov); DR(A); SM(C, IMMU(2));
+ 
+         }
+@@ -720,7 +722,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("sub	%0, #%1");
+-#line 1146 "rl78-decode.opc"
++#line 1148 "rl78-decode.opc"
+           ID(sub); DM(None, SADDR); SC(IMMU(1)); Fzac;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -737,7 +739,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("sub	%0, %1");
+-#line 1140 "rl78-decode.opc"
++#line 1142 "rl78-decode.opc"
+           ID(sub); DR(A); SM(None, SADDR); Fzac;
+ 
+         }
+@@ -752,7 +754,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("sub	%0, #%1");
+-#line 1134 "rl78-decode.opc"
++#line 1136 "rl78-decode.opc"
+           ID(sub); DR(A); SC(IMMU(1)); Fzac;
+ 
+         }
+@@ -767,7 +769,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("sub	%0, %e1");
+-#line 1122 "rl78-decode.opc"
++#line 1124 "rl78-decode.opc"
+           ID(sub); DR(A); SM(HL, 0); Fzac;
+ 
+         }
+@@ -782,7 +784,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("sub	%0, %ea1");
+-#line 1128 "rl78-decode.opc"
++#line 1130 "rl78-decode.opc"
+           ID(sub); DR(A); SM(HL, IMMU(1)); Fzac;
+ 
+         }
+@@ -797,7 +799,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("sub	%0, %e!1");
+-#line 1119 "rl78-decode.opc"
++#line 1121 "rl78-decode.opc"
+           ID(sub); DR(A); SM(None, IMMU(2)); Fzac;
+ 
+         }
+@@ -808,7 +810,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x36:
+         {
+           /** 0011 0rg0			movw	%0, #%1				*/
+-#line 853 "rl78-decode.opc"
++#line 855 "rl78-decode.opc"
+           int rg AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -818,7 +820,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rg = 0x%x\n", rg);
+             }
+           SYNTAX("movw	%0, #%1");
+-#line 853 "rl78-decode.opc"
++#line 855 "rl78-decode.opc"
+           ID(mov); W(); DRW(rg); SC(IMMU(2));
+ 
+         }
+@@ -830,7 +832,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x00:
+               {
+                 /** 0011 0001 0bit 0000		btclr	%s1, $%a0			*/
+-#line 416 "rl78-decode.opc"
++#line 418 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -840,7 +842,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("btclr	%s1, $%a0");
+-#line 416 "rl78-decode.opc"
++#line 418 "rl78-decode.opc"
+                 ID(branch_cond_clear); SM(None, SADDR); SB(bit); DC(pc+IMMS(1)+4); COND(T);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -850,7 +852,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x01:
+               {
+                 /** 0011 0001 0bit 0001		btclr	%1, $%a0			*/
+-#line 410 "rl78-decode.opc"
++#line 412 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -860,7 +862,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("btclr	%1, $%a0");
+-#line 410 "rl78-decode.opc"
++#line 412 "rl78-decode.opc"
+                 ID(branch_cond_clear); DC(pc+IMMS(1)+3); SR(A); SB(bit); COND(T);
+ 
+               }
+@@ -868,7 +870,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x02:
+               {
+                 /** 0011 0001 0bit 0010		bt	%s1, $%a0			*/
+-#line 402 "rl78-decode.opc"
++#line 404 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -878,7 +880,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("bt	%s1, $%a0");
+-#line 402 "rl78-decode.opc"
++#line 404 "rl78-decode.opc"
+                 ID(branch_cond); SM(None, SADDR); SB(bit); DC(pc+IMMS(1)+4); COND(T);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -888,7 +890,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x03:
+               {
+                 /** 0011 0001 0bit 0011		bt	%1, $%a0			*/
+-#line 396 "rl78-decode.opc"
++#line 398 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -898,7 +900,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("bt	%1, $%a0");
+-#line 396 "rl78-decode.opc"
++#line 398 "rl78-decode.opc"
+                 ID(branch_cond); DC(pc+IMMS(1)+3); SR(A); SB(bit); COND(T);
+ 
+               }
+@@ -906,7 +908,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x04:
+               {
+                 /** 0011 0001 0bit 0100		bf	%s1, $%a0			*/
+-#line 363 "rl78-decode.opc"
++#line 365 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -916,7 +918,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("bf	%s1, $%a0");
+-#line 363 "rl78-decode.opc"
++#line 365 "rl78-decode.opc"
+                 ID(branch_cond); SM(None, SADDR); SB(bit); DC(pc+IMMS(1)+4); COND(F);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -926,7 +928,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x05:
+               {
+                 /** 0011 0001 0bit 0101		bf	%1, $%a0			*/
+-#line 357 "rl78-decode.opc"
++#line 359 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -936,7 +938,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("bf	%1, $%a0");
+-#line 357 "rl78-decode.opc"
++#line 359 "rl78-decode.opc"
+                 ID(branch_cond); DC(pc+IMMS(1)+3); SR(A); SB(bit); COND(F);
+ 
+               }
+@@ -944,7 +946,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x07:
+               {
+                 /** 0011 0001 0cnt 0111		shl	%0, %1				*/
+-#line 1075 "rl78-decode.opc"
++#line 1077 "rl78-decode.opc"
+                 int cnt AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -954,7 +956,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  cnt = 0x%x\n", cnt);
+                   }
+                 SYNTAX("shl	%0, %1");
+-#line 1075 "rl78-decode.opc"
++#line 1077 "rl78-decode.opc"
+                 ID(shl); DR(C); SC(cnt);
+ 
+               }
+@@ -962,7 +964,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x08:
+               {
+                 /** 0011 0001 0cnt 1000		shl	%0, %1				*/
+-#line 1072 "rl78-decode.opc"
++#line 1074 "rl78-decode.opc"
+                 int cnt AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -972,7 +974,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  cnt = 0x%x\n", cnt);
+                   }
+                 SYNTAX("shl	%0, %1");
+-#line 1072 "rl78-decode.opc"
++#line 1074 "rl78-decode.opc"
+                 ID(shl); DR(B); SC(cnt);
+ 
+               }
+@@ -980,7 +982,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x09:
+               {
+                 /** 0011 0001 0cnt 1001		shl	%0, %1				*/
+-#line 1069 "rl78-decode.opc"
++#line 1071 "rl78-decode.opc"
+                 int cnt AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -990,7 +992,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  cnt = 0x%x\n", cnt);
+                   }
+                 SYNTAX("shl	%0, %1");
+-#line 1069 "rl78-decode.opc"
++#line 1071 "rl78-decode.opc"
+                 ID(shl); DR(A); SC(cnt);
+ 
+               }
+@@ -998,7 +1000,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x0a:
+               {
+                 /** 0011 0001 0cnt 1010		shr	%0, %1				*/
+-#line 1086 "rl78-decode.opc"
++#line 1088 "rl78-decode.opc"
+                 int cnt AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -1008,7 +1010,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  cnt = 0x%x\n", cnt);
+                   }
+                 SYNTAX("shr	%0, %1");
+-#line 1086 "rl78-decode.opc"
++#line 1088 "rl78-decode.opc"
+                 ID(shr); DR(A); SC(cnt);
+ 
+               }
+@@ -1016,7 +1018,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x0b:
+               {
+                 /** 0011 0001 0cnt 1011		sar	%0, %1				*/
+-#line 1033 "rl78-decode.opc"
++#line 1035 "rl78-decode.opc"
+                 int cnt AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -1026,7 +1028,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  cnt = 0x%x\n", cnt);
+                   }
+                 SYNTAX("sar	%0, %1");
+-#line 1033 "rl78-decode.opc"
++#line 1035 "rl78-decode.opc"
+                 ID(sar); DR(A); SC(cnt);
+ 
+               }
+@@ -1035,7 +1037,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x8c:
+               {
+                 /** 0011 0001 wcnt 1100		shlw	%0, %1				*/
+-#line 1081 "rl78-decode.opc"
++#line 1083 "rl78-decode.opc"
+                 int wcnt AU = (op[1] >> 4) & 0x0f;
+                 if (trace)
+                   {
+@@ -1045,7 +1047,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  wcnt = 0x%x\n", wcnt);
+                   }
+                 SYNTAX("shlw	%0, %1");
+-#line 1081 "rl78-decode.opc"
++#line 1083 "rl78-decode.opc"
+                 ID(shl); W(); DR(BC); SC(wcnt);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -1056,7 +1058,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x8d:
+               {
+                 /** 0011 0001 wcnt 1101		shlw	%0, %1				*/
+-#line 1078 "rl78-decode.opc"
++#line 1080 "rl78-decode.opc"
+                 int wcnt AU = (op[1] >> 4) & 0x0f;
+                 if (trace)
+                   {
+@@ -1066,7 +1068,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  wcnt = 0x%x\n", wcnt);
+                   }
+                 SYNTAX("shlw	%0, %1");
+-#line 1078 "rl78-decode.opc"
++#line 1080 "rl78-decode.opc"
+                 ID(shl); W(); DR(AX); SC(wcnt);
+ 
+               }
+@@ -1075,7 +1077,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x8e:
+               {
+                 /** 0011 0001 wcnt 1110		shrw	%0, %1				*/
+-#line 1089 "rl78-decode.opc"
++#line 1091 "rl78-decode.opc"
+                 int wcnt AU = (op[1] >> 4) & 0x0f;
+                 if (trace)
+                   {
+@@ -1085,7 +1087,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  wcnt = 0x%x\n", wcnt);
+                   }
+                 SYNTAX("shrw	%0, %1");
+-#line 1089 "rl78-decode.opc"
++#line 1091 "rl78-decode.opc"
+                 ID(shr); W(); DR(AX); SC(wcnt);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -1096,7 +1098,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x8f:
+               {
+                 /** 0011 0001 wcnt 1111		sarw	%0, %1				*/
+-#line 1036 "rl78-decode.opc"
++#line 1038 "rl78-decode.opc"
+                 int wcnt AU = (op[1] >> 4) & 0x0f;
+                 if (trace)
+                   {
+@@ -1106,7 +1108,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  wcnt = 0x%x\n", wcnt);
+                   }
+                 SYNTAX("sarw	%0, %1");
+-#line 1036 "rl78-decode.opc"
++#line 1038 "rl78-decode.opc"
+                 ID(sar); W(); DR(AX); SC(wcnt);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -1116,7 +1118,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x80:
+               {
+                 /** 0011 0001 1bit 0000		btclr	%s1, $%a0			*/
+-#line 413 "rl78-decode.opc"
++#line 415 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -1126,7 +1128,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("btclr	%s1, $%a0");
+-#line 413 "rl78-decode.opc"
++#line 415 "rl78-decode.opc"
+                 ID(branch_cond_clear); SM(None, SFR); SB(bit); DC(pc+IMMS(1)+4); COND(T);
+ 
+               }
+@@ -1134,7 +1136,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x81:
+               {
+                 /** 0011 0001 1bit 0001		btclr	%e1, $%a0			*/
+-#line 407 "rl78-decode.opc"
++#line 409 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -1144,7 +1146,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("btclr	%e1, $%a0");
+-#line 407 "rl78-decode.opc"
++#line 409 "rl78-decode.opc"
+                 ID(branch_cond_clear); DC(pc+IMMS(1)+3); SM(HL,0); SB(bit); COND(T);
+ 
+               }
+@@ -1152,7 +1154,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x82:
+               {
+                 /** 0011 0001 1bit 0010		bt	%s1, $%a0			*/
+-#line 399 "rl78-decode.opc"
++#line 401 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -1162,7 +1164,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("bt	%s1, $%a0");
+-#line 399 "rl78-decode.opc"
++#line 401 "rl78-decode.opc"
+                 ID(branch_cond); SM(None, SFR); SB(bit); DC(pc+IMMS(1)+4); COND(T);
+ 
+               }
+@@ -1170,7 +1172,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x83:
+               {
+                 /** 0011 0001 1bit 0011		bt	%e1, $%a0			*/
+-#line 393 "rl78-decode.opc"
++#line 395 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -1180,7 +1182,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("bt	%e1, $%a0");
+-#line 393 "rl78-decode.opc"
++#line 395 "rl78-decode.opc"
+                 ID(branch_cond); DC(pc+IMMS(1)+3); SM(HL,0); SB(bit); COND(T);
+ 
+               }
+@@ -1188,7 +1190,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x84:
+               {
+                 /** 0011 0001 1bit 0100		bf	%s1, $%a0			*/
+-#line 360 "rl78-decode.opc"
++#line 362 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -1198,7 +1200,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("bf	%s1, $%a0");
+-#line 360 "rl78-decode.opc"
++#line 362 "rl78-decode.opc"
+                 ID(branch_cond); SM(None, SFR); SB(bit); DC(pc+IMMS(1)+4); COND(F);
+ 
+               }
+@@ -1206,7 +1208,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x85:
+               {
+                 /** 0011 0001 1bit 0101		bf	%e1, $%a0			*/
+-#line 354 "rl78-decode.opc"
++#line 356 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -1216,7 +1218,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("bf	%e1, $%a0");
+-#line 354 "rl78-decode.opc"
++#line 356 "rl78-decode.opc"
+                 ID(branch_cond); DC(pc+IMMS(1)+3); SM(HL,0); SB(bit); COND(F);
+ 
+               }
+@@ -1229,7 +1231,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x37:
+         {
+           /** 0011 0ra1			xchw	%0, %1				*/
+-#line 1239 "rl78-decode.opc"
++#line 1241 "rl78-decode.opc"
+           int ra AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -1239,7 +1241,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  ra = 0x%x\n", ra);
+             }
+           SYNTAX("xchw	%0, %1");
+-#line 1239 "rl78-decode.opc"
++#line 1241 "rl78-decode.opc"
+           ID(xch); W(); DR(AX); SRW(ra);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -1256,7 +1258,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%e0, #%1");
+-#line 738 "rl78-decode.opc"
++#line 740 "rl78-decode.opc"
+           ID(mov); DM(C, IMMU(2)); SC(IMMU(1));
+ 
+         }
+@@ -1271,7 +1273,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%e0, #%1");
+-#line 732 "rl78-decode.opc"
++#line 734 "rl78-decode.opc"
+           ID(mov); DM(BC, IMMU(2)); SC(IMMU(1));
+ 
+         }
+@@ -1286,7 +1288,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("subc	%0, #%1");
+-#line 1178 "rl78-decode.opc"
++#line 1180 "rl78-decode.opc"
+           ID(subc); DM(None, SADDR); SC(IMMU(1)); Fzac;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -1303,7 +1305,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("subc	%0, %1");
+-#line 1175 "rl78-decode.opc"
++#line 1177 "rl78-decode.opc"
+           ID(subc); DR(A); SM(None, SADDR); Fzac;
+ 
+         }
+@@ -1318,7 +1320,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("subc	%0, #%1");
+-#line 1166 "rl78-decode.opc"
++#line 1168 "rl78-decode.opc"
+           ID(subc); DR(A); SC(IMMU(1)); Fzac;
+ 
+         }
+@@ -1333,7 +1335,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("subc	%0, %e1");
+-#line 1154 "rl78-decode.opc"
++#line 1156 "rl78-decode.opc"
+           ID(subc); DR(A); SM(HL, 0); Fzac;
+ 
+         }
+@@ -1348,7 +1350,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("subc	%0, %ea1");
+-#line 1163 "rl78-decode.opc"
++#line 1165 "rl78-decode.opc"
+           ID(subc); DR(A); SM(HL, IMMU(1)); Fzac;
+ 
+         }
+@@ -1363,7 +1365,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("subc	%0, %e!1");
+-#line 1151 "rl78-decode.opc"
++#line 1153 "rl78-decode.opc"
+           ID(subc); DR(A); SM(None, IMMU(2)); Fzac;
+ 
+         }
+@@ -1378,7 +1380,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmp	%e!0, #%1");
+-#line 480 "rl78-decode.opc"
++#line 482 "rl78-decode.opc"
+           ID(cmp); DM(None, IMMU(2)); SC(IMMU(1)); Fzac;
+ 
+         }
+@@ -1393,7 +1395,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, #%1");
+-#line 717 "rl78-decode.opc"
++#line 719 "rl78-decode.opc"
+           ID(mov); DR(ES); SC(IMMU(1));
+ 
+         }
+@@ -1408,7 +1410,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmpw	%0, %e!1");
+-#line 531 "rl78-decode.opc"
++#line 533 "rl78-decode.opc"
+           ID(cmp); W(); DR(AX); SM(None, IMMU(2)); Fzac;
+ 
+         }
+@@ -1418,7 +1420,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x47:
+         {
+           /** 0100 0ra1			cmpw	%0, %1				*/
+-#line 540 "rl78-decode.opc"
++#line 542 "rl78-decode.opc"
+           int ra AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -1428,7 +1430,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  ra = 0x%x\n", ra);
+             }
+           SYNTAX("cmpw	%0, %1");
+-#line 540 "rl78-decode.opc"
++#line 542 "rl78-decode.opc"
+           ID(cmp); W(); DR(AX); SRW(ra); Fzac;
+ 
+         }
+@@ -1443,7 +1445,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmpw	%0, #%1");
+-#line 537 "rl78-decode.opc"
++#line 539 "rl78-decode.opc"
+           ID(cmp); W(); DR(AX); SC(IMMU(2)); Fzac;
+ 
+         }
+@@ -1458,7 +1460,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmpw	%0, %1");
+-#line 543 "rl78-decode.opc"
++#line 545 "rl78-decode.opc"
+           ID(cmp); W(); DR(AX); SM(None, SADDR); Fzac;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -1475,7 +1477,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%e0, %1");
+-#line 735 "rl78-decode.opc"
++#line 737 "rl78-decode.opc"
+           ID(mov); DM(BC, IMMU(2)); SR(A);
+ 
+         }
+@@ -1490,7 +1492,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %e1");
+-#line 681 "rl78-decode.opc"
++#line 683 "rl78-decode.opc"
+           ID(mov); DR(A); SM(BC, IMMU(2));
+ 
+         }
+@@ -1505,7 +1507,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmp	%0, #%1");
+-#line 483 "rl78-decode.opc"
++#line 485 "rl78-decode.opc"
+           ID(cmp); DM(None, SADDR); SC(IMMU(1)); Fzac;
+ 
+         }
+@@ -1520,7 +1522,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmp	%0, %1");
+-#line 510 "rl78-decode.opc"
++#line 512 "rl78-decode.opc"
+           ID(cmp); DR(A); SM(None, SADDR); Fzac;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -1537,7 +1539,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmp	%0, #%1");
+-#line 501 "rl78-decode.opc"
++#line 503 "rl78-decode.opc"
+           ID(cmp); DR(A); SC(IMMU(1)); Fzac;
+ 
+         }
+@@ -1552,7 +1554,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmp	%0, %e1");
+-#line 489 "rl78-decode.opc"
++#line 491 "rl78-decode.opc"
+           ID(cmp); DR(A); SM(HL, 0); Fzac;
+ 
+         }
+@@ -1567,7 +1569,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmp	%0, %ea1");
+-#line 498 "rl78-decode.opc"
++#line 500 "rl78-decode.opc"
+           ID(cmp); DR(A); SM(HL, IMMU(1)); Fzac;
+ 
+         }
+@@ -1582,7 +1584,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmp	%0, %e!1");
+-#line 486 "rl78-decode.opc"
++#line 488 "rl78-decode.opc"
+           ID(cmp); DR(A); SM(None, IMMU(2)); Fzac;
+ 
+         }
+@@ -1597,7 +1599,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x57:
+         {
+           /** 0101 0reg			mov	%0, #%1				*/
+-#line 669 "rl78-decode.opc"
++#line 671 "rl78-decode.opc"
+           int reg AU = op[0] & 0x07;
+           if (trace)
+             {
+@@ -1607,7 +1609,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  reg = 0x%x\n", reg);
+             }
+           SYNTAX("mov	%0, #%1");
+-#line 669 "rl78-decode.opc"
++#line 671 "rl78-decode.opc"
+           ID(mov); DRB(reg); SC(IMMU(1));
+ 
+         }
+@@ -1622,7 +1624,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%e0, %1");
+-#line 871 "rl78-decode.opc"
++#line 873 "rl78-decode.opc"
+           ID(mov); W(); DM(B, IMMU(2)); SR(AX);
+ 
+         }
+@@ -1637,7 +1639,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %e1");
+-#line 862 "rl78-decode.opc"
++#line 864 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(B, IMMU(2));
+ 
+         }
+@@ -1652,7 +1654,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("and	%0, #%1");
+-#line 312 "rl78-decode.opc"
++#line 314 "rl78-decode.opc"
+           ID(and); DM(None, SADDR); SC(IMMU(1)); Fz;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -1669,7 +1671,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("and	%0, %1");
+-#line 309 "rl78-decode.opc"
++#line 311 "rl78-decode.opc"
+           ID(and); DR(A); SM(None, SADDR); Fz;
+ 
+         }
+@@ -1684,7 +1686,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("and	%0, #%1");
+-#line 300 "rl78-decode.opc"
++#line 302 "rl78-decode.opc"
+           ID(and); DR(A); SC(IMMU(1)); Fz;
+ 
+         }
+@@ -1699,7 +1701,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("and	%0, %e1");
+-#line 288 "rl78-decode.opc"
++#line 290 "rl78-decode.opc"
+           ID(and); DR(A); SM(HL, 0); Fz;
+ 
+         }
+@@ -1714,7 +1716,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("and	%0, %ea1");
+-#line 294 "rl78-decode.opc"
++#line 296 "rl78-decode.opc"
+           ID(and); DR(A); SM(HL, IMMU(1)); Fz;
+ 
+         }
+@@ -1729,7 +1731,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("and	%0, %e!1");
+-#line 285 "rl78-decode.opc"
++#line 287 "rl78-decode.opc"
+           ID(and); DR(A); SM(None, IMMU(2)); Fz;
+ 
+         }
+@@ -1743,7 +1745,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x67:
+         {
+           /** 0110 0rba			mov	%0, %1				*/
+-#line 672 "rl78-decode.opc"
++#line 674 "rl78-decode.opc"
+           int rba AU = op[0] & 0x07;
+           if (trace)
+             {
+@@ -1753,7 +1755,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rba = 0x%x\n", rba);
+             }
+           SYNTAX("mov	%0, %1");
+-#line 672 "rl78-decode.opc"
++#line 674 "rl78-decode.opc"
+           ID(mov); DR(A); SRB(rba);
+ 
+         }
+@@ -1772,7 +1774,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x07:
+               {
+                 /** 0110 0001 0000 0reg		add	%0, %1				*/
+-#line 225 "rl78-decode.opc"
++#line 227 "rl78-decode.opc"
+                 int reg AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -1782,7 +1784,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  reg = 0x%x\n", reg);
+                   }
+                 SYNTAX("add	%0, %1");
+-#line 225 "rl78-decode.opc"
++#line 227 "rl78-decode.opc"
+                 ID(add); DRB(reg); SR(A); Fzac;
+ 
+               }
+@@ -1796,7 +1798,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x0f:
+               {
+                 /** 0110 0001 0000 1rba		add	%0, %1				*/
+-#line 219 "rl78-decode.opc"
++#line 221 "rl78-decode.opc"
+                 int rba AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -1806,7 +1808,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  rba = 0x%x\n", rba);
+                   }
+                 SYNTAX("add	%0, %1");
+-#line 219 "rl78-decode.opc"
++#line 221 "rl78-decode.opc"
+                 ID(add); DR(A); SRB(rba); Fzac;
+ 
+               }
+@@ -1821,7 +1823,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("addw	%0, %ea1");
+-#line 268 "rl78-decode.opc"
++#line 270 "rl78-decode.opc"
+                 ID(add); W(); DR(AX); SM(HL, IMMU(1)); Fzac;
+ 
+               }
+@@ -1836,7 +1838,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x17:
+               {
+                 /** 0110 0001 0001 0reg		addc	%0, %1				*/
+-#line 254 "rl78-decode.opc"
++#line 256 "rl78-decode.opc"
+                 int reg AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -1846,7 +1848,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  reg = 0x%x\n", reg);
+                   }
+                 SYNTAX("addc	%0, %1");
+-#line 254 "rl78-decode.opc"
++#line 256 "rl78-decode.opc"
+                 ID(addc); DRB(reg); SR(A); Fzac;
+ 
+               }
+@@ -1860,7 +1862,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x1f:
+               {
+                 /** 0110 0001 0001 1rba		addc	%0, %1				*/
+-#line 251 "rl78-decode.opc"
++#line 253 "rl78-decode.opc"
+                 int rba AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -1870,7 +1872,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  rba = 0x%x\n", rba);
+                   }
+                 SYNTAX("addc	%0, %1");
+-#line 251 "rl78-decode.opc"
++#line 253 "rl78-decode.opc"
+                 ID(addc); DR(A); SRB(rba); Fzac;
+ 
+               }
+@@ -1885,7 +1887,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x27:
+               {
+                 /** 0110 0001 0010 0reg		sub	%0, %1				*/
+-#line 1143 "rl78-decode.opc"
++#line 1145 "rl78-decode.opc"
+                 int reg AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -1895,7 +1897,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  reg = 0x%x\n", reg);
+                   }
+                 SYNTAX("sub	%0, %1");
+-#line 1143 "rl78-decode.opc"
++#line 1145 "rl78-decode.opc"
+                 ID(sub); DRB(reg); SR(A); Fzac;
+ 
+               }
+@@ -1909,7 +1911,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x2f:
+               {
+                 /** 0110 0001 0010 1rba		sub	%0, %1				*/
+-#line 1137 "rl78-decode.opc"
++#line 1139 "rl78-decode.opc"
+                 int rba AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -1919,7 +1921,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  rba = 0x%x\n", rba);
+                   }
+                 SYNTAX("sub	%0, %1");
+-#line 1137 "rl78-decode.opc"
++#line 1139 "rl78-decode.opc"
+                 ID(sub); DR(A); SRB(rba); Fzac;
+ 
+               }
+@@ -1934,7 +1936,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("subw	%0, %ea1");
+-#line 1186 "rl78-decode.opc"
++#line 1188 "rl78-decode.opc"
+                 ID(sub); W(); DR(AX); SM(HL, IMMU(1)); Fzac;
+ 
+               }
+@@ -1949,7 +1951,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x37:
+               {
+                 /** 0110 0001 0011 0reg		subc	%0, %1				*/
+-#line 1172 "rl78-decode.opc"
++#line 1174 "rl78-decode.opc"
+                 int reg AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -1959,7 +1961,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  reg = 0x%x\n", reg);
+                   }
+                 SYNTAX("subc	%0, %1");
+-#line 1172 "rl78-decode.opc"
++#line 1174 "rl78-decode.opc"
+                 ID(subc); DRB(reg); SR(A); Fzac;
+ 
+               }
+@@ -1973,7 +1975,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x3f:
+               {
+                 /** 0110 0001 0011 1rba		subc	%0, %1				*/
+-#line 1169 "rl78-decode.opc"
++#line 1171 "rl78-decode.opc"
+                 int rba AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -1983,7 +1985,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  rba = 0x%x\n", rba);
+                   }
+                 SYNTAX("subc	%0, %1");
+-#line 1169 "rl78-decode.opc"
++#line 1171 "rl78-decode.opc"
+                 ID(subc); DR(A); SRB(rba); Fzac;
+ 
+               }
+@@ -1998,7 +2000,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x47:
+               {
+                 /** 0110 0001 0100 0reg		cmp	%0, %1				*/
+-#line 507 "rl78-decode.opc"
++#line 509 "rl78-decode.opc"
+                 int reg AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -2008,7 +2010,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  reg = 0x%x\n", reg);
+                   }
+                 SYNTAX("cmp	%0, %1");
+-#line 507 "rl78-decode.opc"
++#line 509 "rl78-decode.opc"
+                 ID(cmp); DRB(reg); SR(A); Fzac;
+ 
+               }
+@@ -2022,7 +2024,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x4f:
+               {
+                 /** 0110 0001 0100 1rba		cmp	%0, %1				*/
+-#line 504 "rl78-decode.opc"
++#line 506 "rl78-decode.opc"
+                 int rba AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -2032,7 +2034,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  rba = 0x%x\n", rba);
+                   }
+                 SYNTAX("cmp	%0, %1");
+-#line 504 "rl78-decode.opc"
++#line 506 "rl78-decode.opc"
+                 ID(cmp); DR(A); SRB(rba); Fzac;
+ 
+               }
+@@ -2047,7 +2049,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("cmpw	%0, %ea1");
+-#line 534 "rl78-decode.opc"
++#line 536 "rl78-decode.opc"
+                 ID(cmp); W(); DR(AX); SM(HL, IMMU(1)); Fzac;
+ 
+               }
+@@ -2062,7 +2064,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x57:
+               {
+                 /** 0110 0001 0101 0reg		and	%0, %1				*/
+-#line 306 "rl78-decode.opc"
++#line 308 "rl78-decode.opc"
+                 int reg AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -2072,7 +2074,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  reg = 0x%x\n", reg);
+                   }
+                 SYNTAX("and	%0, %1");
+-#line 306 "rl78-decode.opc"
++#line 308 "rl78-decode.opc"
+                 ID(and); DRB(reg); SR(A); Fz;
+ 
+               }
+@@ -2086,7 +2088,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x5f:
+               {
+                 /** 0110 0001 0101 1rba		and	%0, %1				*/
+-#line 303 "rl78-decode.opc"
++#line 305 "rl78-decode.opc"
+                 int rba AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -2096,7 +2098,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  rba = 0x%x\n", rba);
+                   }
+                 SYNTAX("and	%0, %1");
+-#line 303 "rl78-decode.opc"
++#line 305 "rl78-decode.opc"
+                 ID(and); DR(A); SRB(rba); Fz;
+ 
+               }
+@@ -2111,7 +2113,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("inc	%ea0");
+-#line 584 "rl78-decode.opc"
++#line 586 "rl78-decode.opc"
+                 ID(add); DM(HL, IMMU(1)); SC(1); Fza;
+ 
+               }
+@@ -2126,7 +2128,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x67:
+               {
+                 /** 0110 0001 0110 0reg		or	%0, %1				*/
+-#line 961 "rl78-decode.opc"
++#line 963 "rl78-decode.opc"
+                 int reg AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -2136,7 +2138,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  reg = 0x%x\n", reg);
+                   }
+                 SYNTAX("or	%0, %1");
+-#line 961 "rl78-decode.opc"
++#line 963 "rl78-decode.opc"
+                 ID(or); DRB(reg); SR(A); Fz;
+ 
+               }
+@@ -2150,7 +2152,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x6f:
+               {
+                 /** 0110 0001 0110 1rba		or	%0, %1				*/
+-#line 958 "rl78-decode.opc"
++#line 960 "rl78-decode.opc"
+                 int rba AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -2160,7 +2162,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  rba = 0x%x\n", rba);
+                   }
+                 SYNTAX("or	%0, %1");
+-#line 958 "rl78-decode.opc"
++#line 960 "rl78-decode.opc"
+                 ID(or); DR(A); SRB(rba); Fz;
+ 
+               }
+@@ -2175,7 +2177,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("dec	%ea0");
+-#line 551 "rl78-decode.opc"
++#line 553 "rl78-decode.opc"
+                 ID(sub); DM(HL, IMMU(1)); SC(1); Fza;
+ 
+               }
+@@ -2190,7 +2192,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x77:
+               {
+                 /** 0110 0001 0111 0reg		xor	%0, %1				*/
+-#line 1265 "rl78-decode.opc"
++#line 1267 "rl78-decode.opc"
+                 int reg AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -2200,7 +2202,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  reg = 0x%x\n", reg);
+                   }
+                 SYNTAX("xor	%0, %1");
+-#line 1265 "rl78-decode.opc"
++#line 1267 "rl78-decode.opc"
+                 ID(xor); DRB(reg); SR(A); Fz;
+ 
+               }
+@@ -2214,7 +2216,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x7f:
+               {
+                 /** 0110 0001 0111 1rba		xor	%0, %1				*/
+-#line 1262 "rl78-decode.opc"
++#line 1264 "rl78-decode.opc"
+                 int rba AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -2224,7 +2226,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  rba = 0x%x\n", rba);
+                   }
+                 SYNTAX("xor	%0, %1");
+-#line 1262 "rl78-decode.opc"
++#line 1264 "rl78-decode.opc"
+                 ID(xor); DR(A); SRB(rba); Fz;
+ 
+               }
+@@ -2239,7 +2241,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("incw	%ea0");
+-#line 598 "rl78-decode.opc"
++#line 600 "rl78-decode.opc"
+                 ID(add); W(); DM(HL, IMMU(1)); SC(1);
+ 
+               }
+@@ -2255,7 +2257,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("add	%0, %e1");
+-#line 207 "rl78-decode.opc"
++#line 209 "rl78-decode.opc"
+                 ID(add); DR(A); SM2(HL, B, 0); Fzac;
+ 
+               }
+@@ -2270,7 +2272,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("add	%0, %e1");
+-#line 213 "rl78-decode.opc"
++#line 215 "rl78-decode.opc"
+                 ID(add); DR(A); SM2(HL, C, 0); Fzac;
+ 
+               }
+@@ -2309,9 +2311,9 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xf7:
+               {
+                 /** 0110 0001 1nnn 01mm		callt	[%x0]				*/
+-#line 433 "rl78-decode.opc"
++#line 435 "rl78-decode.opc"
+                 int nnn AU = (op[1] >> 4) & 0x07;
+-#line 433 "rl78-decode.opc"
++#line 435 "rl78-decode.opc"
+                 int mm AU = op[1] & 0x03;
+                 if (trace)
+                   {
+@@ -2322,7 +2324,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  mm = 0x%x\n", mm);
+                   }
+                 SYNTAX("callt	[%x0]");
+-#line 433 "rl78-decode.opc"
++#line 435 "rl78-decode.opc"
+                 ID(call); DM(None, 0x80 + mm*16 + nnn*2);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -2338,7 +2340,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x8f:
+               {
+                 /** 0110 0001 1000 1reg		xch	%0, %1				*/
+-#line 1224 "rl78-decode.opc"
++#line 1226 "rl78-decode.opc"
+                 int reg AU = op[1] & 0x07;
+                 if (trace)
+                   {
+@@ -2348,7 +2350,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  reg = 0x%x\n", reg);
+                   }
+                 SYNTAX("xch	%0, %1");
+-#line 1224 "rl78-decode.opc"
++#line 1226 "rl78-decode.opc"
+                 /* Note: DECW uses reg == X, so this must follow DECW */
+                 ID(xch); DR(A); SRB(reg);
+ 
+@@ -2364,7 +2366,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("decw	%ea0");
+-#line 565 "rl78-decode.opc"
++#line 567 "rl78-decode.opc"
+                 ID(sub); W(); DM(HL, IMMU(1)); SC(1);
+ 
+               }
+@@ -2379,7 +2381,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("addc	%0, %e1");
+-#line 239 "rl78-decode.opc"
++#line 241 "rl78-decode.opc"
+                 ID(addc); DR(A); SM2(HL, B, 0); Fzac;
+ 
+               }
+@@ -2394,7 +2396,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("addc	%0, %e1");
+-#line 242 "rl78-decode.opc"
++#line 244 "rl78-decode.opc"
+                 ID(addc); DR(A); SM2(HL, C, 0); Fzac;
+ 
+               }
+@@ -2410,7 +2412,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("sub	%0, %e1");
+-#line 1125 "rl78-decode.opc"
++#line 1127 "rl78-decode.opc"
+                 ID(sub); DR(A); SM2(HL, B, 0); Fzac;
+ 
+               }
+@@ -2425,7 +2427,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("sub	%0, %e1");
+-#line 1131 "rl78-decode.opc"
++#line 1133 "rl78-decode.opc"
+                 ID(sub); DR(A); SM2(HL, C, 0); Fzac;
+ 
+               }
+@@ -2440,7 +2442,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xch	%0, %1");
+-#line 1228 "rl78-decode.opc"
++#line 1230 "rl78-decode.opc"
+                 ID(xch); DR(A); SM(None, SADDR);
+ 
+               }
+@@ -2455,7 +2457,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xch	%0, %e1");
+-#line 1221 "rl78-decode.opc"
++#line 1223 "rl78-decode.opc"
+                 ID(xch); DR(A); SM2(HL, C, 0);
+ 
+               }
+@@ -2470,7 +2472,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xch	%0, %e!1");
+-#line 1203 "rl78-decode.opc"
++#line 1205 "rl78-decode.opc"
+                 ID(xch); DR(A); SM(None, IMMU(2));
+ 
+               }
+@@ -2485,7 +2487,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xch	%0, %s1");
+-#line 1231 "rl78-decode.opc"
++#line 1233 "rl78-decode.opc"
+                 ID(xch); DR(A); SM(None, SFR);
+ 
+               }
+@@ -2500,7 +2502,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xch	%0, %e1");
+-#line 1212 "rl78-decode.opc"
++#line 1214 "rl78-decode.opc"
+                 ID(xch); DR(A); SM(HL, 0);
+ 
+               }
+@@ -2515,7 +2517,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xch	%0, %ea1");
+-#line 1218 "rl78-decode.opc"
++#line 1220 "rl78-decode.opc"
+                 ID(xch); DR(A); SM(HL, IMMU(1));
+ 
+               }
+@@ -2530,7 +2532,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xch	%0, %e1");
+-#line 1206 "rl78-decode.opc"
++#line 1208 "rl78-decode.opc"
+                 ID(xch); DR(A); SM(DE, 0);
+ 
+               }
+@@ -2545,7 +2547,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xch	%0, %ea1");
+-#line 1209 "rl78-decode.opc"
++#line 1211 "rl78-decode.opc"
+                 ID(xch); DR(A); SM(DE, IMMU(1));
+ 
+               }
+@@ -2560,7 +2562,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("subc	%0, %e1");
+-#line 1157 "rl78-decode.opc"
++#line 1159 "rl78-decode.opc"
+                 ID(subc); DR(A); SM2(HL, B, 0); Fzac;
+ 
+               }
+@@ -2575,7 +2577,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("subc	%0, %e1");
+-#line 1160 "rl78-decode.opc"
++#line 1162 "rl78-decode.opc"
+                 ID(subc); DR(A); SM2(HL, C, 0); Fzac;
+ 
+               }
+@@ -2590,7 +2592,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("mov	%0, %1");
+-#line 723 "rl78-decode.opc"
++#line 725 "rl78-decode.opc"
+                 ID(mov); DR(ES); SM(None, SADDR);
+ 
+               }
+@@ -2605,7 +2607,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xch	%0, %e1");
+-#line 1215 "rl78-decode.opc"
++#line 1217 "rl78-decode.opc"
+                 ID(xch); DR(A); SM2(HL, B, 0);
+ 
+               }
+@@ -2620,7 +2622,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("cmp	%0, %e1");
+-#line 492 "rl78-decode.opc"
++#line 494 "rl78-decode.opc"
+                 ID(cmp); DR(A); SM2(HL, B, 0); Fzac;
+ 
+               }
+@@ -2635,7 +2637,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("cmp	%0, %e1");
+-#line 495 "rl78-decode.opc"
++#line 497 "rl78-decode.opc"
+                 ID(cmp); DR(A); SM2(HL, C, 0); Fzac;
+ 
+               }
+@@ -2650,7 +2652,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("bh	$%a0");
+-#line 340 "rl78-decode.opc"
++#line 342 "rl78-decode.opc"
+                 ID(branch_cond); DC(pc+IMMS(1)+3); SR(None); COND(H);
+ 
+               }
+@@ -2665,7 +2667,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("sk%c1");
+-#line 1094 "rl78-decode.opc"
++#line 1096 "rl78-decode.opc"
+                 ID(skip); COND(C);
+ 
+               }
+@@ -2680,7 +2682,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("mov	%0, %e1");
+-#line 660 "rl78-decode.opc"
++#line 662 "rl78-decode.opc"
+                 ID(mov); DR(A); SM2(HL, B, 0);
+ 
+               }
+@@ -2691,7 +2693,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xfa:
+               {
+                 /** 0110 0001 11rg 1010		call	%0				*/
+-#line 430 "rl78-decode.opc"
++#line 432 "rl78-decode.opc"
+                 int rg AU = (op[1] >> 4) & 0x03;
+                 if (trace)
+                   {
+@@ -2701,7 +2703,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  rg = 0x%x\n", rg);
+                   }
+                 SYNTAX("call	%0");
+-#line 430 "rl78-decode.opc"
++#line 432 "rl78-decode.opc"
+                 ID(call); DRW(rg);
+ 
+               }
+@@ -2716,7 +2718,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("br	ax");
+-#line 380 "rl78-decode.opc"
++#line 382 "rl78-decode.opc"
+                 ID(branch); DR(AX);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -2733,7 +2735,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("brk");
+-#line 388 "rl78-decode.opc"
++#line 390 "rl78-decode.opc"
+                 ID(break);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -2750,7 +2752,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("pop	%s0");
+-#line 989 "rl78-decode.opc"
++#line 991 "rl78-decode.opc"
+                 ID(mov); W(); DR(PSW); SPOP();
+ 
+               /*----------------------------------------------------------------------*/
+@@ -2767,7 +2769,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("movs	%ea0, %1");
+-#line 811 "rl78-decode.opc"
++#line 813 "rl78-decode.opc"
+                 ID(mov); DM(HL, IMMU(1)); SR(X); Fzc;
+ 
+               /*----------------------------------------------------------------------*/
+@@ -2780,7 +2782,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xff:
+               {
+                 /** 0110 0001 11rb 1111		sel	rb%1				*/
+-#line 1041 "rl78-decode.opc"
++#line 1043 "rl78-decode.opc"
+                 int rb AU = (op[1] >> 4) & 0x03;
+                 if (trace)
+                   {
+@@ -2790,7 +2792,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  rb = 0x%x\n", rb);
+                   }
+                 SYNTAX("sel	rb%1");
+-#line 1041 "rl78-decode.opc"
++#line 1043 "rl78-decode.opc"
+                 ID(sel); SC(rb);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -2807,7 +2809,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("and	%0, %e1");
+-#line 291 "rl78-decode.opc"
++#line 293 "rl78-decode.opc"
+                 ID(and); DR(A); SM2(HL, B, 0); Fz;
+ 
+               }
+@@ -2822,7 +2824,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("and	%0, %e1");
+-#line 297 "rl78-decode.opc"
++#line 299 "rl78-decode.opc"
+                 ID(and); DR(A); SM2(HL, C, 0); Fz;
+ 
+               }
+@@ -2837,7 +2839,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("bnh	$%a0");
+-#line 343 "rl78-decode.opc"
++#line 345 "rl78-decode.opc"
+                 ID(branch_cond); DC(pc+IMMS(1)+3); SR(None); COND(NH);
+ 
+               }
+@@ -2852,7 +2854,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("sk%c1");
+-#line 1100 "rl78-decode.opc"
++#line 1102 "rl78-decode.opc"
+                 ID(skip); COND(NC);
+ 
+               }
+@@ -2867,7 +2869,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("mov	%e0, %1");
+-#line 627 "rl78-decode.opc"
++#line 629 "rl78-decode.opc"
+                 ID(mov); DM2(HL, B, 0); SR(A);
+ 
+               }
+@@ -2882,7 +2884,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("ror	%0, %1");
+-#line 1022 "rl78-decode.opc"
++#line 1024 "rl78-decode.opc"
+                 ID(ror); DR(A); SC(1);
+ 
+               }
+@@ -2897,7 +2899,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("rolc	%0, %1");
+-#line 1016 "rl78-decode.opc"
++#line 1018 "rl78-decode.opc"
+                 ID(rolc); DR(A); SC(1);
+ 
+               }
+@@ -2912,7 +2914,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("push	%s1");
+-#line 997 "rl78-decode.opc"
++#line 999 "rl78-decode.opc"
+                 ID(mov); W(); DPUSH(); SR(PSW);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -2929,7 +2931,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("cmps	%0, %ea1");
+-#line 526 "rl78-decode.opc"
++#line 528 "rl78-decode.opc"
+                 ID(cmp); DR(X); SM(HL, IMMU(1)); Fzac;
+ 
+               /*----------------------------------------------------------------------*/
+@@ -2946,7 +2948,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("or	%0, %e1");
+-#line 946 "rl78-decode.opc"
++#line 948 "rl78-decode.opc"
+                 ID(or); DR(A); SM2(HL, B, 0); Fz;
+ 
+               }
+@@ -2961,7 +2963,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("or	%0, %e1");
+-#line 952 "rl78-decode.opc"
++#line 954 "rl78-decode.opc"
+                 ID(or); DR(A); SM2(HL, C, 0); Fz;
+ 
+               }
+@@ -2976,7 +2978,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("sk%c1");
+-#line 1097 "rl78-decode.opc"
++#line 1099 "rl78-decode.opc"
+                 ID(skip); COND(H);
+ 
+               }
+@@ -2991,7 +2993,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("sk%c1");
+-#line 1109 "rl78-decode.opc"
++#line 1111 "rl78-decode.opc"
+                 ID(skip); COND(Z);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3008,7 +3010,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("mov	%0, %e1");
+-#line 663 "rl78-decode.opc"
++#line 665 "rl78-decode.opc"
+                 ID(mov); DR(A); SM2(HL, C, 0);
+ 
+               }
+@@ -3023,7 +3025,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("rol	%0, %1");
+-#line 1013 "rl78-decode.opc"
++#line 1015 "rl78-decode.opc"
+                 ID(rol); DR(A); SC(1);
+ 
+               }
+@@ -3038,7 +3040,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("retb");
+-#line 1008 "rl78-decode.opc"
++#line 1010 "rl78-decode.opc"
+                 ID(reti);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3055,7 +3057,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("halt");
+-#line 576 "rl78-decode.opc"
++#line 578 "rl78-decode.opc"
+                 ID(halt);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3066,7 +3068,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xfe:
+               {
+                 /** 0110 0001 111r 1110		rolwc	%0, %1				*/
+-#line 1019 "rl78-decode.opc"
++#line 1021 "rl78-decode.opc"
+                 int r AU = (op[1] >> 4) & 0x01;
+                 if (trace)
+                   {
+@@ -3076,7 +3078,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  r = 0x%x\n", r);
+                   }
+                 SYNTAX("rolwc	%0, %1");
+-#line 1019 "rl78-decode.opc"
++#line 1021 "rl78-decode.opc"
+                 ID(rolc); W(); DRW(r); SC(1);
+ 
+               }
+@@ -3091,7 +3093,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xor	%0, %e1");
+-#line 1250 "rl78-decode.opc"
++#line 1252 "rl78-decode.opc"
+                 ID(xor); DR(A); SM2(HL, B, 0); Fz;
+ 
+               }
+@@ -3106,7 +3108,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("xor	%0, %e1");
+-#line 1256 "rl78-decode.opc"
++#line 1258 "rl78-decode.opc"
+                 ID(xor); DR(A); SM2(HL, C, 0); Fz;
+ 
+               }
+@@ -3121,7 +3123,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("sk%c1");
+-#line 1103 "rl78-decode.opc"
++#line 1105 "rl78-decode.opc"
+                 ID(skip); COND(NH);
+ 
+               }
+@@ -3136,7 +3138,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("sk%c1");
+-#line 1106 "rl78-decode.opc"
++#line 1108 "rl78-decode.opc"
+                 ID(skip); COND(NZ);
+ 
+               }
+@@ -3151,7 +3153,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("mov	%e0, %1");
+-#line 636 "rl78-decode.opc"
++#line 638 "rl78-decode.opc"
+                 ID(mov); DM2(HL, C, 0); SR(A);
+ 
+               }
+@@ -3166,7 +3168,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("rorc	%0, %1");
+-#line 1025 "rl78-decode.opc"
++#line 1027 "rl78-decode.opc"
+                 ID(rorc); DR(A); SC(1);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3186,7 +3188,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("reti");
+-#line 1005 "rl78-decode.opc"
++#line 1007 "rl78-decode.opc"
+                 ID(reti);
+ 
+               }
+@@ -3201,7 +3203,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("stop");
+-#line 1114 "rl78-decode.opc"
++#line 1116 "rl78-decode.opc"
+                 ID(stop);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3221,7 +3223,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%e0, %1");
+-#line 874 "rl78-decode.opc"
++#line 876 "rl78-decode.opc"
+           ID(mov); W(); DM(C, IMMU(2)); SR(AX);
+ 
+         }
+@@ -3236,7 +3238,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %e1");
+-#line 865 "rl78-decode.opc"
++#line 867 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(C, IMMU(2));
+ 
+         }
+@@ -3251,7 +3253,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("or	%0, #%1");
+-#line 967 "rl78-decode.opc"
++#line 969 "rl78-decode.opc"
+           ID(or); DM(None, SADDR); SC(IMMU(1)); Fz;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -3268,7 +3270,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("or	%0, %1");
+-#line 964 "rl78-decode.opc"
++#line 966 "rl78-decode.opc"
+           ID(or); DR(A); SM(None, SADDR); Fz;
+ 
+         }
+@@ -3283,7 +3285,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("or	%0, #%1");
+-#line 955 "rl78-decode.opc"
++#line 957 "rl78-decode.opc"
+           ID(or); DR(A); SC(IMMU(1)); Fz;
+ 
+         }
+@@ -3298,7 +3300,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("or	%0, %e1");
+-#line 943 "rl78-decode.opc"
++#line 945 "rl78-decode.opc"
+           ID(or); DR(A); SM(HL, 0); Fz;
+ 
+         }
+@@ -3313,7 +3315,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("or	%0, %ea1");
+-#line 949 "rl78-decode.opc"
++#line 951 "rl78-decode.opc"
+           ID(or); DR(A); SM(HL, IMMU(1)); Fz;
+ 
+         }
+@@ -3328,7 +3330,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("or	%0, %e!1");
+-#line 940 "rl78-decode.opc"
++#line 942 "rl78-decode.opc"
+           ID(or); DR(A); SM(None, IMMU(2)); Fz;
+ 
+         }
+@@ -3342,7 +3344,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x77:
+         {
+           /** 0111 0rba			mov	%0, %1				*/
+-#line 696 "rl78-decode.opc"
++#line 698 "rl78-decode.opc"
+           int rba AU = op[0] & 0x07;
+           if (trace)
+             {
+@@ -3352,7 +3354,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rba = 0x%x\n", rba);
+             }
+           SYNTAX("mov	%0, %1");
+-#line 696 "rl78-decode.opc"
++#line 698 "rl78-decode.opc"
+           ID(mov); DRB(rba); SR(A);
+ 
+         }
+@@ -3371,7 +3373,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x70:
+               {
+                 /** 0111 0001 0bit 0000		set1	%e!0				*/
+-#line 1046 "rl78-decode.opc"
++#line 1048 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3381,7 +3383,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("set1	%e!0");
+-#line 1046 "rl78-decode.opc"
++#line 1048 "rl78-decode.opc"
+                 ID(mov); DM(None, IMMU(2)); DB(bit); SC(1);
+ 
+               }
+@@ -3396,7 +3398,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x71:
+               {
+                 /** 0111 0001 0bit 0001		mov1	%0, cy				*/
+-#line 803 "rl78-decode.opc"
++#line 805 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3406,7 +3408,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("mov1	%0, cy");
+-#line 803 "rl78-decode.opc"
++#line 805 "rl78-decode.opc"
+                 ID(mov); DM(None, SADDR); DB(bit); SCY();
+ 
+               }
+@@ -3421,7 +3423,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x72:
+               {
+                 /** 0111 0001 0bit 0010		set1	%0				*/
+-#line 1064 "rl78-decode.opc"
++#line 1066 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3431,7 +3433,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("set1	%0");
+-#line 1064 "rl78-decode.opc"
++#line 1066 "rl78-decode.opc"
+                 ID(mov); DM(None, SADDR); DB(bit); SC(1);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3448,7 +3450,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x73:
+               {
+                 /** 0111 0001 0bit 0011		clr1	%0				*/
+-#line 456 "rl78-decode.opc"
++#line 458 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3458,7 +3460,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("clr1	%0");
+-#line 456 "rl78-decode.opc"
++#line 458 "rl78-decode.opc"
+                 ID(mov); DM(None, SADDR); DB(bit); SC(0);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3475,7 +3477,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x74:
+               {
+                 /** 0111 0001 0bit 0100		mov1	cy, %1				*/
+-#line 797 "rl78-decode.opc"
++#line 799 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3485,7 +3487,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("mov1	cy, %1");
+-#line 797 "rl78-decode.opc"
++#line 799 "rl78-decode.opc"
+                 ID(mov); DCY(); SM(None, SADDR); SB(bit);
+ 
+               }
+@@ -3500,7 +3502,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x75:
+               {
+                 /** 0111 0001 0bit 0101		and1	cy, %s1				*/
+-#line 326 "rl78-decode.opc"
++#line 328 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3510,7 +3512,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("and1	cy, %s1");
+-#line 326 "rl78-decode.opc"
++#line 328 "rl78-decode.opc"
+                 ID(and); DCY(); SM(None, SADDR); SB(bit);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3530,7 +3532,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x76:
+               {
+                 /** 0111 0001 0bit 0110		or1	cy, %s1				*/
+-#line 981 "rl78-decode.opc"
++#line 983 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3540,7 +3542,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("or1	cy, %s1");
+-#line 981 "rl78-decode.opc"
++#line 983 "rl78-decode.opc"
+                 ID(or); DCY(); SM(None, SADDR); SB(bit);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3557,7 +3559,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x77:
+               {
+                 /** 0111 0001 0bit 0111		xor1	cy, %s1				*/
+-#line 1285 "rl78-decode.opc"
++#line 1287 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3567,7 +3569,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("xor1	cy, %s1");
+-#line 1285 "rl78-decode.opc"
++#line 1287 "rl78-decode.opc"
+                 ID(xor); DCY(); SM(None, SADDR); SB(bit);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3584,7 +3586,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x78:
+               {
+                 /** 0111 0001 0bit 1000		clr1	%e!0				*/
+-#line 438 "rl78-decode.opc"
++#line 440 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3594,7 +3596,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("clr1	%e!0");
+-#line 438 "rl78-decode.opc"
++#line 440 "rl78-decode.opc"
+                 ID(mov); DM(None, IMMU(2)); DB(bit); SC(0);
+ 
+               }
+@@ -3609,7 +3611,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x79:
+               {
+                 /** 0111 0001 0bit 1001		mov1	%s0, cy				*/
+-#line 806 "rl78-decode.opc"
++#line 808 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3619,7 +3621,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("mov1	%s0, cy");
+-#line 806 "rl78-decode.opc"
++#line 808 "rl78-decode.opc"
+                 ID(mov); DM(None, SFR); DB(bit); SCY();
+ 
+               /*----------------------------------------------------------------------*/
+@@ -3636,7 +3638,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x7a:
+               {
+                 /** 0111 0001 0bit 1010		set1	%s0				*/
+-#line 1058 "rl78-decode.opc"
++#line 1060 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3646,7 +3648,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("set1	%s0");
+-#line 1058 "rl78-decode.opc"
++#line 1060 "rl78-decode.opc"
+                 op0 = SFR;
+                 ID(mov); DM(None, op0); DB(bit); SC(1);
+                 if (op0 == RL78_SFR_PSW && bit == 7)
+@@ -3664,7 +3666,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x7b:
+               {
+                 /** 0111 0001 0bit 1011		clr1	%s0				*/
+-#line 450 "rl78-decode.opc"
++#line 452 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3674,7 +3676,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("clr1	%s0");
+-#line 450 "rl78-decode.opc"
++#line 452 "rl78-decode.opc"
+                 op0 = SFR;
+                 ID(mov); DM(None, op0); DB(bit); SC(0);
+                 if (op0 == RL78_SFR_PSW && bit == 7)
+@@ -3692,7 +3694,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x7c:
+               {
+                 /** 0111 0001 0bit 1100		mov1	cy, %s1				*/
+-#line 800 "rl78-decode.opc"
++#line 802 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3702,7 +3704,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("mov1	cy, %s1");
+-#line 800 "rl78-decode.opc"
++#line 802 "rl78-decode.opc"
+                 ID(mov); DCY(); SM(None, SFR); SB(bit);
+ 
+               }
+@@ -3717,7 +3719,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x7d:
+               {
+                 /** 0111 0001 0bit 1101		and1	cy, %s1				*/
+-#line 323 "rl78-decode.opc"
++#line 325 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3727,7 +3729,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("and1	cy, %s1");
+-#line 323 "rl78-decode.opc"
++#line 325 "rl78-decode.opc"
+                 ID(and); DCY(); SM(None, SFR); SB(bit);
+ 
+               }
+@@ -3742,7 +3744,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x7e:
+               {
+                 /** 0111 0001 0bit 1110		or1	cy, %s1				*/
+-#line 978 "rl78-decode.opc"
++#line 980 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3752,7 +3754,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("or1	cy, %s1");
+-#line 978 "rl78-decode.opc"
++#line 980 "rl78-decode.opc"
+                 ID(or); DCY(); SM(None, SFR); SB(bit);
+ 
+               }
+@@ -3767,7 +3769,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0x7f:
+               {
+                 /** 0111 0001 0bit 1111		xor1	cy, %s1				*/
+-#line 1282 "rl78-decode.opc"
++#line 1284 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3777,7 +3779,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("xor1	cy, %s1");
+-#line 1282 "rl78-decode.opc"
++#line 1284 "rl78-decode.opc"
+                 ID(xor); DCY(); SM(None, SFR); SB(bit);
+ 
+               }
+@@ -3792,7 +3794,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("set1	cy");
+-#line 1055 "rl78-decode.opc"
++#line 1057 "rl78-decode.opc"
+                 ID(mov); DCY(); SC(1);
+ 
+               }
+@@ -3807,7 +3809,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xf1:
+               {
+                 /** 0111 0001 1bit 0001		mov1	%e0, cy				*/
+-#line 785 "rl78-decode.opc"
++#line 787 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3817,7 +3819,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("mov1	%e0, cy");
+-#line 785 "rl78-decode.opc"
++#line 787 "rl78-decode.opc"
+                 ID(mov); DM(HL, 0); DB(bit); SCY();
+ 
+               }
+@@ -3832,7 +3834,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xf2:
+               {
+                 /** 0111 0001 1bit 0010		set1	%e0				*/
+-#line 1049 "rl78-decode.opc"
++#line 1051 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3842,7 +3844,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("set1	%e0");
+-#line 1049 "rl78-decode.opc"
++#line 1051 "rl78-decode.opc"
+                 ID(mov); DM(HL, 0); DB(bit); SC(1);
+ 
+               }
+@@ -3857,7 +3859,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xf3:
+               {
+                 /** 0111 0001 1bit 0011		clr1	%e0				*/
+-#line 441 "rl78-decode.opc"
++#line 443 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3867,7 +3869,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("clr1	%e0");
+-#line 441 "rl78-decode.opc"
++#line 443 "rl78-decode.opc"
+                 ID(mov); DM(HL, 0); DB(bit); SC(0);
+ 
+               }
+@@ -3882,7 +3884,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xf4:
+               {
+                 /** 0111 0001 1bit 0100		mov1	cy, %e1				*/
+-#line 791 "rl78-decode.opc"
++#line 793 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3892,7 +3894,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("mov1	cy, %e1");
+-#line 791 "rl78-decode.opc"
++#line 793 "rl78-decode.opc"
+                 ID(mov); DCY(); SM(HL, 0); SB(bit);
+ 
+               }
+@@ -3907,7 +3909,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xf5:
+               {
+                 /** 0111 0001 1bit 0101		and1	cy, %e1			*/
+-#line 317 "rl78-decode.opc"
++#line 319 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3917,7 +3919,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("and1	cy, %e1");
+-#line 317 "rl78-decode.opc"
++#line 319 "rl78-decode.opc"
+                 ID(and); DCY(); SM(HL, 0); SB(bit);
+ 
+               }
+@@ -3932,7 +3934,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xf6:
+               {
+                 /** 0111 0001 1bit 0110		or1	cy, %e1				*/
+-#line 972 "rl78-decode.opc"
++#line 974 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3942,7 +3944,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("or1	cy, %e1");
+-#line 972 "rl78-decode.opc"
++#line 974 "rl78-decode.opc"
+                 ID(or); DCY(); SM(HL, 0); SB(bit);
+ 
+               }
+@@ -3957,7 +3959,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xf7:
+               {
+                 /** 0111 0001 1bit 0111		xor1	cy, %e1				*/
+-#line 1276 "rl78-decode.opc"
++#line 1278 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -3967,7 +3969,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("xor1	cy, %e1");
+-#line 1276 "rl78-decode.opc"
++#line 1278 "rl78-decode.opc"
+                 ID(xor); DCY(); SM(HL, 0); SB(bit);
+ 
+               }
+@@ -3982,7 +3984,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("clr1	cy");
+-#line 447 "rl78-decode.opc"
++#line 449 "rl78-decode.opc"
+                 ID(mov); DCY(); SC(0);
+ 
+               }
+@@ -3997,7 +3999,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xf9:
+               {
+                 /** 0111 0001 1bit 1001		mov1	%e0, cy				*/
+-#line 788 "rl78-decode.opc"
++#line 790 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -4007,7 +4009,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("mov1	%e0, cy");
+-#line 788 "rl78-decode.opc"
++#line 790 "rl78-decode.opc"
+                 ID(mov); DR(A); DB(bit); SCY();
+ 
+               }
+@@ -4022,7 +4024,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xfa:
+               {
+                 /** 0111 0001 1bit 1010		set1	%0				*/
+-#line 1052 "rl78-decode.opc"
++#line 1054 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -4032,7 +4034,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("set1	%0");
+-#line 1052 "rl78-decode.opc"
++#line 1054 "rl78-decode.opc"
+                 ID(mov); DR(A); DB(bit); SC(1);
+ 
+               }
+@@ -4047,7 +4049,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xfb:
+               {
+                 /** 0111 0001 1bit 1011		clr1	%0				*/
+-#line 444 "rl78-decode.opc"
++#line 446 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -4057,7 +4059,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("clr1	%0");
+-#line 444 "rl78-decode.opc"
++#line 446 "rl78-decode.opc"
+                 ID(mov); DR(A); DB(bit); SC(0);
+ 
+               }
+@@ -4072,7 +4074,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xfc:
+               {
+                 /** 0111 0001 1bit 1100		mov1	cy, %e1				*/
+-#line 794 "rl78-decode.opc"
++#line 796 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -4082,7 +4084,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("mov1	cy, %e1");
+-#line 794 "rl78-decode.opc"
++#line 796 "rl78-decode.opc"
+                 ID(mov); DCY(); SR(A); SB(bit);
+ 
+               }
+@@ -4097,7 +4099,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xfd:
+               {
+                 /** 0111 0001 1bit 1101		and1	cy, %1				*/
+-#line 320 "rl78-decode.opc"
++#line 322 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -4107,7 +4109,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("and1	cy, %1");
+-#line 320 "rl78-decode.opc"
++#line 322 "rl78-decode.opc"
+                 ID(and); DCY(); SR(A); SB(bit);
+ 
+               }
+@@ -4122,7 +4124,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xfe:
+               {
+                 /** 0111 0001 1bit 1110		or1	cy, %1				*/
+-#line 975 "rl78-decode.opc"
++#line 977 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -4132,7 +4134,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("or1	cy, %1");
+-#line 975 "rl78-decode.opc"
++#line 977 "rl78-decode.opc"
+                 ID(or); DCY(); SR(A); SB(bit);
+ 
+               }
+@@ -4147,7 +4149,7 @@ rl78_decode_opcode (unsigned long pc AU,
+           case 0xff:
+               {
+                 /** 0111 0001 1bit 1111		xor1	cy, %1				*/
+-#line 1279 "rl78-decode.opc"
++#line 1281 "rl78-decode.opc"
+                 int bit AU = (op[1] >> 4) & 0x07;
+                 if (trace)
+                   {
+@@ -4157,7 +4159,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                     printf ("  bit = 0x%x\n", bit);
+                   }
+                 SYNTAX("xor1	cy, %1");
+-#line 1279 "rl78-decode.opc"
++#line 1281 "rl78-decode.opc"
+                 ID(xor); DCY(); SR(A); SB(bit);
+ 
+               }
+@@ -4172,7 +4174,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                            op[0], op[1]);
+                   }
+                 SYNTAX("not1	cy");
+-#line 916 "rl78-decode.opc"
++#line 918 "rl78-decode.opc"
+                 ID(xor); DCY(); SC(1);
+ 
+               /*----------------------------------------------------------------------*/
+@@ -4192,7 +4194,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%e0, %1");
+-#line 877 "rl78-decode.opc"
++#line 879 "rl78-decode.opc"
+           ID(mov); W(); DM(BC, IMMU(2)); SR(AX);
+ 
+         }
+@@ -4207,7 +4209,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %e1");
+-#line 868 "rl78-decode.opc"
++#line 870 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(BC, IMMU(2));
+ 
+         }
+@@ -4222,7 +4224,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("xor	%0, #%1");
+-#line 1271 "rl78-decode.opc"
++#line 1273 "rl78-decode.opc"
+           ID(xor); DM(None, SADDR); SC(IMMU(1)); Fz;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -4239,7 +4241,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("xor	%0, %1");
+-#line 1268 "rl78-decode.opc"
++#line 1270 "rl78-decode.opc"
+           ID(xor); DR(A); SM(None, SADDR); Fz;
+ 
+         }
+@@ -4254,7 +4256,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("xor	%0, #%1");
+-#line 1259 "rl78-decode.opc"
++#line 1261 "rl78-decode.opc"
+           ID(xor); DR(A); SC(IMMU(1)); Fz;
+ 
+         }
+@@ -4269,7 +4271,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("xor	%0, %e1");
+-#line 1247 "rl78-decode.opc"
++#line 1249 "rl78-decode.opc"
+           ID(xor); DR(A); SM(HL, 0); Fz;
+ 
+         }
+@@ -4284,7 +4286,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("xor	%0, %ea1");
+-#line 1253 "rl78-decode.opc"
++#line 1255 "rl78-decode.opc"
+           ID(xor); DR(A); SM(HL, IMMU(1)); Fz;
+ 
+         }
+@@ -4299,7 +4301,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("xor	%0, %e!1");
+-#line 1244 "rl78-decode.opc"
++#line 1246 "rl78-decode.opc"
+           ID(xor); DR(A); SM(None, IMMU(2)); Fz;
+ 
+         }
+@@ -4314,7 +4316,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x87:
+         {
+           /** 1000 0reg			inc	%0				*/
+-#line 587 "rl78-decode.opc"
++#line 589 "rl78-decode.opc"
+           int reg AU = op[0] & 0x07;
+           if (trace)
+             {
+@@ -4324,7 +4326,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  reg = 0x%x\n", reg);
+             }
+           SYNTAX("inc	%0");
+-#line 587 "rl78-decode.opc"
++#line 589 "rl78-decode.opc"
+           ID(add); DRB(reg); SC(1); Fza;
+ 
+         }
+@@ -4339,7 +4341,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %ea1");
+-#line 666 "rl78-decode.opc"
++#line 668 "rl78-decode.opc"
+           ID(mov); DR(A); SM(SP, IMMU(1));
+ 
+         }
+@@ -4354,7 +4356,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %e1");
+-#line 648 "rl78-decode.opc"
++#line 650 "rl78-decode.opc"
+           ID(mov); DR(A); SM(DE, 0);
+ 
+         }
+@@ -4369,7 +4371,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %ea1");
+-#line 651 "rl78-decode.opc"
++#line 653 "rl78-decode.opc"
+           ID(mov); DR(A); SM(DE, IMMU(1));
+ 
+         }
+@@ -4384,7 +4386,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %e1");
+-#line 654 "rl78-decode.opc"
++#line 656 "rl78-decode.opc"
+           ID(mov); DR(A); SM(HL, 0);
+ 
+         }
+@@ -4399,7 +4401,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %ea1");
+-#line 657 "rl78-decode.opc"
++#line 659 "rl78-decode.opc"
+           ID(mov); DR(A); SM(HL, IMMU(1));
+ 
+         }
+@@ -4414,7 +4416,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %1");
+-#line 690 "rl78-decode.opc"
++#line 692 "rl78-decode.opc"
+           ID(mov); DR(A); SM(None, SADDR);
+ 
+         }
+@@ -4429,7 +4431,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %s1");
+-#line 687 "rl78-decode.opc"
++#line 689 "rl78-decode.opc"
+           ID(mov); DR(A); SM(None, SFR);
+ 
+         }
+@@ -4444,7 +4446,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %e!1");
+-#line 645 "rl78-decode.opc"
++#line 647 "rl78-decode.opc"
+           ID(mov); DR(A); SM(None, IMMU(2));
+ 
+         }
+@@ -4459,7 +4461,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0x97:
+         {
+           /** 1001 0reg			dec	%0				*/
+-#line 554 "rl78-decode.opc"
++#line 556 "rl78-decode.opc"
+           int reg AU = op[0] & 0x07;
+           if (trace)
+             {
+@@ -4469,7 +4471,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  reg = 0x%x\n", reg);
+             }
+           SYNTAX("dec	%0");
+-#line 554 "rl78-decode.opc"
++#line 556 "rl78-decode.opc"
+           ID(sub); DRB(reg); SC(1); Fza;
+ 
+         }
+@@ -4484,7 +4486,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%a0, %1");
+-#line 642 "rl78-decode.opc"
++#line 644 "rl78-decode.opc"
+           ID(mov); DM(SP, IMMU(1)); SR(A);
+ 
+         }
+@@ -4499,7 +4501,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%e0, %1");
+-#line 615 "rl78-decode.opc"
++#line 617 "rl78-decode.opc"
+           ID(mov); DM(DE, 0); SR(A);
+ 
+         }
+@@ -4514,7 +4516,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%ea0, %1");
+-#line 621 "rl78-decode.opc"
++#line 623 "rl78-decode.opc"
+           ID(mov); DM(DE, IMMU(1)); SR(A);
+ 
+         }
+@@ -4529,7 +4531,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%e0, %1");
+-#line 624 "rl78-decode.opc"
++#line 626 "rl78-decode.opc"
+           ID(mov); DM(HL, 0); SR(A);
+ 
+         }
+@@ -4544,7 +4546,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%ea0, %1");
+-#line 633 "rl78-decode.opc"
++#line 635 "rl78-decode.opc"
+           ID(mov); DM(HL, IMMU(1)); SR(A);
+ 
+         }
+@@ -4559,7 +4561,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %1");
+-#line 747 "rl78-decode.opc"
++#line 749 "rl78-decode.opc"
+           ID(mov); DM(None, SADDR); SR(A);
+ 
+         }
+@@ -4574,7 +4576,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%s0, %1");
+-#line 780 "rl78-decode.opc"
++#line 782 "rl78-decode.opc"
+           ID(mov); DM(None, SFR); SR(A);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -4591,7 +4593,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%e!0, %1");
+-#line 612 "rl78-decode.opc"
++#line 614 "rl78-decode.opc"
+           ID(mov); DM(None, IMMU(2)); SR(A);
+ 
+         }
+@@ -4606,7 +4608,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("inc	%e!0");
+-#line 581 "rl78-decode.opc"
++#line 583 "rl78-decode.opc"
+           ID(add); DM(None, IMMU(2)); SC(1); Fza;
+ 
+         }
+@@ -4617,7 +4619,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0xa7:
+         {
+           /** 1010 0rg1			incw	%0				*/
+-#line 601 "rl78-decode.opc"
++#line 603 "rl78-decode.opc"
+           int rg AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -4627,7 +4629,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rg = 0x%x\n", rg);
+             }
+           SYNTAX("incw	%0");
+-#line 601 "rl78-decode.opc"
++#line 603 "rl78-decode.opc"
+           ID(add); W(); DRW(rg); SC(1);
+ 
+         }
+@@ -4642,7 +4644,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("incw	%e!0");
+-#line 595 "rl78-decode.opc"
++#line 597 "rl78-decode.opc"
+           ID(add); W(); DM(None, IMMU(2)); SC(1);
+ 
+         }
+@@ -4657,7 +4659,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("inc	%0");
+-#line 590 "rl78-decode.opc"
++#line 592 "rl78-decode.opc"
+           ID(add); DM(None, SADDR); SC(1); Fza;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -4674,7 +4676,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("incw	%0");
+-#line 604 "rl78-decode.opc"
++#line 606 "rl78-decode.opc"
+           ID(add); W(); DM(None, SADDR); SC(1);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -4691,7 +4693,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %a1");
+-#line 850 "rl78-decode.opc"
++#line 852 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(SP, IMMU(1));
+ 
+         }
+@@ -4706,7 +4708,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %e1");
+-#line 838 "rl78-decode.opc"
++#line 840 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(DE, 0);
+ 
+         }
+@@ -4721,7 +4723,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %ea1");
+-#line 841 "rl78-decode.opc"
++#line 843 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(DE, IMMU(1));
+ 
+         }
+@@ -4736,7 +4738,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %e1");
+-#line 844 "rl78-decode.opc"
++#line 846 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(HL, 0);
+ 
+         }
+@@ -4751,7 +4753,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %ea1");
+-#line 847 "rl78-decode.opc"
++#line 849 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(HL, IMMU(1));
+ 
+         }
+@@ -4766,7 +4768,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %1");
+-#line 880 "rl78-decode.opc"
++#line 882 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(None, SADDR);
+ 
+         }
+@@ -4781,7 +4783,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %s1");
+-#line 883 "rl78-decode.opc"
++#line 885 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(None, SFR);
+ 
+         }
+@@ -4796,7 +4798,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %e!1");
+-#line 834 "rl78-decode.opc"
++#line 836 "rl78-decode.opc"
+           ID(mov); W(); DR(AX); SM(None, IMMU(2));
+ 
+ 
+@@ -4812,7 +4814,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("dec	%e!0");
+-#line 548 "rl78-decode.opc"
++#line 550 "rl78-decode.opc"
+           ID(sub); DM(None, IMMU(2)); SC(1); Fza;
+ 
+         }
+@@ -4823,7 +4825,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0xb7:
+         {
+           /** 1011 0rg1 			decw	%0				*/
+-#line 568 "rl78-decode.opc"
++#line 570 "rl78-decode.opc"
+           int rg AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -4833,7 +4835,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rg = 0x%x\n", rg);
+             }
+           SYNTAX("decw	%0");
+-#line 568 "rl78-decode.opc"
++#line 570 "rl78-decode.opc"
+           ID(sub); W(); DRW(rg); SC(1);
+ 
+         }
+@@ -4848,7 +4850,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("decw	%e!0");
+-#line 562 "rl78-decode.opc"
++#line 564 "rl78-decode.opc"
+           ID(sub); W(); DM(None, IMMU(2)); SC(1);
+ 
+         }
+@@ -4863,7 +4865,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("dec	%0");
+-#line 557 "rl78-decode.opc"
++#line 559 "rl78-decode.opc"
+           ID(sub); DM(None, SADDR); SC(1); Fza;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -4880,7 +4882,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("decw	%0");
+-#line 571 "rl78-decode.opc"
++#line 573 "rl78-decode.opc"
+           ID(sub); W(); DM(None, SADDR); SC(1);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -4897,7 +4899,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%a0, %1");
+-#line 831 "rl78-decode.opc"
++#line 833 "rl78-decode.opc"
+           ID(mov); W(); DM(SP, IMMU(1)); SR(AX);
+ 
+         }
+@@ -4912,7 +4914,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%e0, %1");
+-#line 819 "rl78-decode.opc"
++#line 821 "rl78-decode.opc"
+           ID(mov); W(); DM(DE, 0); SR(AX);
+ 
+         }
+@@ -4927,7 +4929,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%ea0, %1");
+-#line 822 "rl78-decode.opc"
++#line 824 "rl78-decode.opc"
+           ID(mov); W(); DM(DE, IMMU(1)); SR(AX);
+ 
+         }
+@@ -4942,7 +4944,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%e0, %1");
+-#line 825 "rl78-decode.opc"
++#line 827 "rl78-decode.opc"
+           ID(mov); W(); DM(HL, 0); SR(AX);
+ 
+         }
+@@ -4957,7 +4959,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%ea0, %1");
+-#line 828 "rl78-decode.opc"
++#line 830 "rl78-decode.opc"
+           ID(mov); W(); DM(HL, IMMU(1)); SR(AX);
+ 
+         }
+@@ -4972,7 +4974,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, %1");
+-#line 895 "rl78-decode.opc"
++#line 897 "rl78-decode.opc"
+           ID(mov); W(); DM(None, SADDR); SR(AX);
+ 
+         }
+@@ -4987,7 +4989,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%s0, %1");
+-#line 901 "rl78-decode.opc"
++#line 903 "rl78-decode.opc"
+           ID(mov); W(); DM(None, SFR); SR(AX);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -5004,7 +5006,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%e!0, %1");
+-#line 816 "rl78-decode.opc"
++#line 818 "rl78-decode.opc"
+           ID(mov); W(); DM(None, IMMU(2)); SR(AX);
+ 
+         }
+@@ -5015,7 +5017,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0xc6:
+         {
+           /** 1100 0rg0			pop	%0				*/
+-#line 986 "rl78-decode.opc"
++#line 988 "rl78-decode.opc"
+           int rg AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -5025,7 +5027,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rg = 0x%x\n", rg);
+             }
+           SYNTAX("pop	%0");
+-#line 986 "rl78-decode.opc"
++#line 988 "rl78-decode.opc"
+           ID(mov); W(); DRW(rg); SPOP();
+ 
+         }
+@@ -5036,7 +5038,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0xc7:
+         {
+           /** 1100 0rg1			push	%1				*/
+-#line 994 "rl78-decode.opc"
++#line 996 "rl78-decode.opc"
+           int rg AU = (op[0] >> 1) & 0x03;
+           if (trace)
+             {
+@@ -5046,7 +5048,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rg = 0x%x\n", rg);
+             }
+           SYNTAX("push	%1");
+-#line 994 "rl78-decode.opc"
++#line 996 "rl78-decode.opc"
+           ID(mov); W(); DPUSH(); SRW(rg);
+ 
+         }
+@@ -5061,7 +5063,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%a0, #%1");
+-#line 639 "rl78-decode.opc"
++#line 641 "rl78-decode.opc"
+           ID(mov); DM(SP, IMMU(1)); SC(IMMU(1));
+ 
+         }
+@@ -5076,7 +5078,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%0, #%1");
+-#line 892 "rl78-decode.opc"
++#line 894 "rl78-decode.opc"
+           ID(mov); W(); DM(None, SADDR); SC(IMMU(2));
+ 
+         }
+@@ -5091,7 +5093,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%ea0, #%1");
+-#line 618 "rl78-decode.opc"
++#line 620 "rl78-decode.opc"
+           ID(mov); DM(DE, IMMU(1)); SC(IMMU(1));
+ 
+         }
+@@ -5106,7 +5108,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("movw	%s0, #%1");
+-#line 898 "rl78-decode.opc"
++#line 900 "rl78-decode.opc"
+           ID(mov); W(); DM(None, SFR); SC(IMMU(2));
+ 
+         }
+@@ -5121,7 +5123,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%ea0, #%1");
+-#line 630 "rl78-decode.opc"
++#line 632 "rl78-decode.opc"
+           ID(mov); DM(HL, IMMU(1)); SC(IMMU(1));
+ 
+         }
+@@ -5136,7 +5138,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, #%1");
+-#line 744 "rl78-decode.opc"
++#line 746 "rl78-decode.opc"
+           ID(mov); DM(None, SADDR); SC(IMMU(1));
+ 
+         }
+@@ -5151,7 +5153,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%s0, #%1");
+-#line 750 "rl78-decode.opc"
++#line 752 "rl78-decode.opc"
+           op0 = SFR;
+           op1 = IMMU(1);
+           ID(mov); DM(None, op0); SC(op1);
+@@ -5193,7 +5195,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%e!0, #%1");
+-#line 609 "rl78-decode.opc"
++#line 611 "rl78-decode.opc"
+           ID(mov); DM(None, IMMU(2)); SC(IMMU(1));
+ 
+         }
+@@ -5204,7 +5206,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0xd3:
+         {
+           /** 1101 00rg			cmp0	%0				*/
+-#line 518 "rl78-decode.opc"
++#line 520 "rl78-decode.opc"
+           int rg AU = op[0] & 0x03;
+           if (trace)
+             {
+@@ -5214,7 +5216,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rg = 0x%x\n", rg);
+             }
+           SYNTAX("cmp0	%0");
+-#line 518 "rl78-decode.opc"
++#line 520 "rl78-decode.opc"
+           ID(cmp); DRB(rg); SC(0); Fzac;
+ 
+         }
+@@ -5229,7 +5231,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmp0	%0");
+-#line 521 "rl78-decode.opc"
++#line 523 "rl78-decode.opc"
+           ID(cmp); DM(None, SADDR); SC(0); Fzac;
+ 
+         /*----------------------------------------------------------------------*/
+@@ -5246,7 +5248,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("cmp0	%e!0");
+-#line 515 "rl78-decode.opc"
++#line 517 "rl78-decode.opc"
+           ID(cmp); DM(None, IMMU(2)); SC(0); Fzac;
+ 
+         }
+@@ -5261,7 +5263,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mulu	x");
+-#line 906 "rl78-decode.opc"
++#line 908 "rl78-decode.opc"
+           ID(mulu);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -5278,7 +5280,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("ret");
+-#line 1002 "rl78-decode.opc"
++#line 1004 "rl78-decode.opc"
+           ID(ret);
+ 
+         }
+@@ -5293,7 +5295,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %1");
+-#line 711 "rl78-decode.opc"
++#line 713 "rl78-decode.opc"
+           ID(mov); DR(X); SM(None, SADDR);
+ 
+         }
+@@ -5308,7 +5310,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %e!1");
+-#line 708 "rl78-decode.opc"
++#line 710 "rl78-decode.opc"
+           ID(mov); DR(X); SM(None, IMMU(2));
+ 
+         }
+@@ -5318,7 +5320,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0xfa:
+         {
+           /** 11ra 1010			movw	%0, %1				*/
+-#line 889 "rl78-decode.opc"
++#line 891 "rl78-decode.opc"
+           int ra AU = (op[0] >> 4) & 0x03;
+           if (trace)
+             {
+@@ -5328,7 +5330,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  ra = 0x%x\n", ra);
+             }
+           SYNTAX("movw	%0, %1");
+-#line 889 "rl78-decode.opc"
++#line 891 "rl78-decode.opc"
+           ID(mov); W(); DRW(ra); SM(None, SADDR);
+ 
+         }
+@@ -5338,7 +5340,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0xfb:
+         {
+           /** 11ra 1011			movw	%0, %es!1			*/
+-#line 886 "rl78-decode.opc"
++#line 888 "rl78-decode.opc"
+           int ra AU = (op[0] >> 4) & 0x03;
+           if (trace)
+             {
+@@ -5348,7 +5350,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  ra = 0x%x\n", ra);
+             }
+           SYNTAX("movw	%0, %es!1");
+-#line 886 "rl78-decode.opc"
++#line 888 "rl78-decode.opc"
+           ID(mov); W(); DRW(ra); SM(None, IMMU(2));
+ 
+         }
+@@ -5363,7 +5365,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("bc	$%a0");
+-#line 334 "rl78-decode.opc"
++#line 336 "rl78-decode.opc"
+           ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(C);
+ 
+         }
+@@ -5378,7 +5380,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("bz	$%a0");
+-#line 346 "rl78-decode.opc"
++#line 348 "rl78-decode.opc"
+           ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(Z);
+ 
+         }
+@@ -5393,7 +5395,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("bnc	$%a0");
+-#line 337 "rl78-decode.opc"
++#line 339 "rl78-decode.opc"
+           ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(NC);
+ 
+         }
+@@ -5408,7 +5410,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("bnz	$%a0");
+-#line 349 "rl78-decode.opc"
++#line 351 "rl78-decode.opc"
+           ID(branch_cond); DC(pc+IMMS(1)+2); SR(None); COND(NZ);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -5421,7 +5423,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0xe3:
+         {
+           /** 1110 00rg			oneb	%0				*/
+-#line 924 "rl78-decode.opc"
++#line 926 "rl78-decode.opc"
+           int rg AU = op[0] & 0x03;
+           if (trace)
+             {
+@@ -5431,7 +5433,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rg = 0x%x\n", rg);
+             }
+           SYNTAX("oneb	%0");
+-#line 924 "rl78-decode.opc"
++#line 926 "rl78-decode.opc"
+           ID(mov); DRB(rg); SC(1);
+ 
+         }
+@@ -5446,7 +5448,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("oneb	%0");
+-#line 927 "rl78-decode.opc"
++#line 929 "rl78-decode.opc"
+           ID(mov); DM(None, SADDR); SC(1);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -5463,7 +5465,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("oneb	%e!0");
+-#line 921 "rl78-decode.opc"
++#line 923 "rl78-decode.opc"
+           ID(mov); DM(None, IMMU(2)); SC(1);
+ 
+         }
+@@ -5478,7 +5480,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("onew	%0");
+-#line 932 "rl78-decode.opc"
++#line 934 "rl78-decode.opc"
+           ID(mov); DR(AX); SC(1);
+ 
+         }
+@@ -5493,7 +5495,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("onew	%0");
+-#line 935 "rl78-decode.opc"
++#line 937 "rl78-decode.opc"
+           ID(mov); DR(BC); SC(1);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -5510,7 +5512,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %1");
+-#line 699 "rl78-decode.opc"
++#line 701 "rl78-decode.opc"
+           ID(mov); DR(B); SM(None, SADDR);
+ 
+         }
+@@ -5525,7 +5527,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %e!1");
+-#line 693 "rl78-decode.opc"
++#line 695 "rl78-decode.opc"
+           ID(mov); DR(B); SM(None, IMMU(2));
+ 
+         }
+@@ -5540,7 +5542,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("br	!%!a0");
+-#line 368 "rl78-decode.opc"
++#line 370 "rl78-decode.opc"
+           ID(branch); DC(IMMU(3));
+ 
+         }
+@@ -5555,7 +5557,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("br	%!a0");
+-#line 371 "rl78-decode.opc"
++#line 373 "rl78-decode.opc"
+           ID(branch); DC(IMMU(2));
+ 
+         }
+@@ -5570,7 +5572,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("br	$%!a0");
+-#line 374 "rl78-decode.opc"
++#line 376 "rl78-decode.opc"
+           ID(branch); DC(pc+IMMS(2)+3);
+ 
+         }
+@@ -5585,7 +5587,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("br	$%a0");
+-#line 377 "rl78-decode.opc"
++#line 379 "rl78-decode.opc"
+           ID(branch); DC(pc+IMMS(1)+2);
+ 
+         }
+@@ -5596,7 +5598,7 @@ rl78_decode_opcode (unsigned long pc AU,
+     case 0xf3:
+         {
+           /** 1111 00rg			clrb	%0				*/
+-#line 464 "rl78-decode.opc"
++#line 466 "rl78-decode.opc"
+           int rg AU = op[0] & 0x03;
+           if (trace)
+             {
+@@ -5606,7 +5608,7 @@ rl78_decode_opcode (unsigned long pc AU,
+               printf ("  rg = 0x%x\n", rg);
+             }
+           SYNTAX("clrb	%0");
+-#line 464 "rl78-decode.opc"
++#line 466 "rl78-decode.opc"
+           ID(mov); DRB(rg); SC(0);
+ 
+         }
+@@ -5621,7 +5623,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("clrb	%0");
+-#line 467 "rl78-decode.opc"
++#line 469 "rl78-decode.opc"
+           ID(mov); DM(None, SADDR); SC(0);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -5638,7 +5640,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("clrb	%e!0");
+-#line 461 "rl78-decode.opc"
++#line 463 "rl78-decode.opc"
+           ID(mov); DM(None, IMMU(2)); SC(0);
+ 
+         }
+@@ -5653,7 +5655,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("clrw	%0");
+-#line 472 "rl78-decode.opc"
++#line 474 "rl78-decode.opc"
+           ID(mov); DR(AX); SC(0);
+ 
+         }
+@@ -5668,7 +5670,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("clrw	%0");
+-#line 475 "rl78-decode.opc"
++#line 477 "rl78-decode.opc"
+           ID(mov); DR(BC); SC(0);
+ 
+         /*----------------------------------------------------------------------*/
+@@ -5685,7 +5687,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %1");
+-#line 705 "rl78-decode.opc"
++#line 707 "rl78-decode.opc"
+           ID(mov); DR(C); SM(None, SADDR);
+ 
+         }
+@@ -5700,7 +5702,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("mov	%0, %e!1");
+-#line 702 "rl78-decode.opc"
++#line 704 "rl78-decode.opc"
+           ID(mov); DR(C); SM(None, IMMU(2));
+ 
+         }
+@@ -5715,7 +5717,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("call	!%!a0");
+-#line 421 "rl78-decode.opc"
++#line 423 "rl78-decode.opc"
+           ID(call); DC(IMMU(3));
+ 
+         }
+@@ -5730,7 +5732,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("call	%!a0");
+-#line 424 "rl78-decode.opc"
++#line 426 "rl78-decode.opc"
+           ID(call); DC(IMMU(2));
+ 
+         }
+@@ -5745,7 +5747,7 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("call	$%!a0");
+-#line 427 "rl78-decode.opc"
++#line 429 "rl78-decode.opc"
+           ID(call); DC(pc+IMMS(2)+3);
+ 
+         }
+@@ -5760,13 +5762,13 @@ rl78_decode_opcode (unsigned long pc AU,
+                      op[0]);
+             }
+           SYNTAX("brk1");
+-#line 385 "rl78-decode.opc"
++#line 387 "rl78-decode.opc"
+           ID(break);
+ 
+         }
+       break;
+   }
+-#line 1290 "rl78-decode.opc"
++#line 1292 "rl78-decode.opc"
+ 
+   return rl78->n_bytes;
+ }
+diff --git a/opcodes/rl78-decode.opc b/opcodes/rl78-decode.opc
+index 6212f08..b25e441 100644
+--- a/opcodes/rl78-decode.opc
++++ b/opcodes/rl78-decode.opc
+@@ -50,7 +50,9 @@ typedef struct
+ #define W() rl78->size = RL78_Word
+ 
+ #define AU ATTRIBUTE_UNUSED
+-#define GETBYTE() (ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr))
++
++#define OP_BUF_LEN 20
++#define GETBYTE() (ld->rl78->n_bytes < (OP_BUF_LEN - 1) ? ld->op [ld->rl78->n_bytes++] = ld->getbyte (ld->ptr): 0)
+ #define B ((unsigned long) GETBYTE())
+ 
+ #define SYNTAX(x) rl78->syntax = x
+@@ -168,7 +170,7 @@ rl78_decode_opcode (unsigned long pc AU,
+ 		  RL78_Dis_Isa isa)
+ {
+   LocalData lds, * ld = &lds;
+-  unsigned char op_buf[20] = {0};
++  unsigned char op_buf[OP_BUF_LEN] = {0};
+   unsigned char *op = op_buf;
+   int op0, op1;
+ 
+-- 
+2.7.4
+
-- 
2.7.4

[pyro][PATCH 21/26] binutls: Security fix for CVE-2017-9752

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |   1 +
 .../binutils/binutils/CVE-2017-9752.patch          | 208 +++++++++++++++++++++
 2 files changed, 209 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 99fc1b1..68d21c8 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -63,6 +63,7 @@ SRC_URI = "\
      file://CVE-2017-9749.patch \
      file://CVE-2017-9750.patch \
      file://CVE-2017-9751.patch \
+     file://CVE-2017-9752.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
new file mode 100644
index 0000000..f63a993
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
@@ -0,0 +1,208 @@
+From c53d2e6d744da000aaafe0237bced090aab62818 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 11:27:15 +0100
+Subject: [PATCH] Fix potential address violations when processing a corrupt
+ Alpha VMA binary.
+
+	PR binutils/21589
+	* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+	maximum value for the ascic pointer.  Check that name processing
+	does not read beyond this value.
+	(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+	end of etir record.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9752
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog   |  9 +++++++++
+ bfd/vms-alpha.c | 51 +++++++++++++++++++++++++++++++++++++++++----------
+ 2 files changed, 50 insertions(+), 10 deletions(-)
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -9,6 +9,15 @@
+ 
+ 2017-06-14  Nick Clifton  <nickc@redhat.com>
+  
++       PR binutils/21589
++       * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
++       maximum value for the ascic pointer.  Check that name processing
++       does not read beyond this value.
++       (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
++       end of etir record.
++
++2017-06-14  Nick Clifton  <nickc@redhat.com>
++ 
+        PR binutils/21578
+        * elf32-sh.c (sh_elf_set_mach_from_flags): Fix check for invalid
+        flag value.
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c
++++ git/bfd/vms-alpha.c
+@@ -1456,7 +1456,7 @@ dst_retrieve_location (bfd *abfd, unsign
+ /* Write multiple bytes to section image.  */
+ 
+ static bfd_boolean
+-image_write (bfd *abfd, unsigned char *ptr, int size)
++image_write (bfd *abfd, unsigned char *ptr, unsigned int size)
+ {
+ #if VMS_DEBUG
+   _bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
+@@ -1603,14 +1603,16 @@ _bfd_vms_etir_name (int cmd)
+ #define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
+ 
+ static void
+-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic,
++_bfd_vms_get_value (bfd *abfd,
++		    const unsigned char *ascic,
++		    const unsigned char *max_ascic,
+                     struct bfd_link_info *info,
+                     bfd_vma *vma,
+                     struct alpha_vms_link_hash_entry **hp)
+ {
+   char name[257];
+-  int len;
+-  int i;
++  unsigned int len;
++  unsigned int i;
+   struct alpha_vms_link_hash_entry *h;
+ 
+   /* Not linking.  Do not try to resolve the symbol.  */
+@@ -1622,6 +1624,14 @@ _bfd_vms_get_value (bfd *abfd, const uns
+     }
+ 
+   len = *ascic;
++  if (ascic + len >= max_ascic)
++    {
++      _bfd_error_handler (_("Corrupt vms value"));
++      *vma = 0;
++      *hp = NULL;
++      return;
++    }
++
+   for (i = 0; i < len; i++)
+     name[i] = ascic[i + 1];
+   name[i] = 0;
+@@ -1741,6 +1751,15 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+       _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+ #endif
+ 
++      /* PR 21589: Check for a corrupt ETIR record.  */
++      if (cmd_length < 4)
++	{
++	corrupt_etir:
++	  _bfd_error_handler (_("Corrupt ETIR record encountered"));
++	  bfd_set_error (bfd_error_bad_value);
++	  return FALSE;
++	}
++
+       switch (cmd)
+         {
+           /* Stack global
+@@ -1748,7 +1767,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ 
+              stack 32 bit value of symbol (high bits set to 0).  */
+         case ETIR__C_STA_GBL:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           _bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
+           break;
+ 
+@@ -1757,6 +1776,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ 
+              stack 32 bit value, sign extend to 64 bit.  */
+         case ETIR__C_STA_LW:
++	  if (ptr + 4 >= maxptr)
++	    goto corrupt_etir;
+           _bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
+           break;
+ 
+@@ -1765,6 +1786,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ 
+              stack 64 bit value of symbol.  */
+         case ETIR__C_STA_QW:
++	  if (ptr + 8 >= maxptr)
++	    goto corrupt_etir;
+           _bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
+           break;
+ 
+@@ -1778,6 +1801,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+           {
+             int psect;
+ 
++	    if (ptr + 12 >= maxptr)
++	      goto corrupt_etir;
+             psect = bfd_getl32 (ptr);
+             if ((unsigned int) psect >= PRIV (section_count))
+               {
+@@ -1867,6 +1892,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+           {
+             int size;
+ 
++	    if (ptr + 4 >= maxptr)
++	      goto corrupt_etir;
+             size = bfd_getl32 (ptr);
+             _bfd_vms_pop (abfd, &op1, &rel1);
+             if (rel1 != RELC_NONE)
+@@ -1879,7 +1906,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+           /* Store global: write symbol value
+              arg: cs	global symbol name.  */
+         case ETIR__C_STO_GBL:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->typ == EGSD__C_SYMG)
+@@ -1901,7 +1928,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+           /* Store code address: write address of entry point
+              arg: cs	global symbol name (procedure).  */
+         case ETIR__C_STO_CA:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->flags & EGSY__V_NORM)
+@@ -1946,8 +1973,10 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+              da	data.  */
+         case ETIR__C_STO_IMM:
+           {
+-            int size;
++            unsigned int size;
+ 
++	    if (ptr + 4 >= maxptr)
++	      goto corrupt_etir;
+             size = bfd_getl32 (ptr);
+             image_write (abfd, ptr + 4, size);
+           }
+@@ -1960,7 +1989,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+              store global longword: store 32bit value of symbol
+              arg: cs	symbol name.  */
+         case ETIR__C_STO_GBL_LW:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ #if 0
+           abort ();
+ #endif
+@@ -2013,7 +2042,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+              da	signature.  */
+ 
+         case ETIR__C_STC_LP_PSB:
+-          _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
++          _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->typ == EGSD__C_SYMG)
+@@ -2109,6 +2138,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+           /* Augment relocation base: increment image location counter by offset
+              arg: lw	offset value.  */
+         case ETIR__C_CTL_AUGRB:
++	  if (ptr + 4 >= maxptr)
++	    goto corrupt_etir;
+           op1 = bfd_getl32 (ptr);
+           image_inc_ptr (abfd, op1);
+           break;
-- 
2.7.4

[pyro][PATCH 22/26] binutls: Security fix for CVE-2017-9753

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9753.patch          | 79 ++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 68d21c8..c6ef647 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -64,6 +64,7 @@ SRC_URI = "\
      file://CVE-2017-9750.patch \
      file://CVE-2017-9751.patch \
      file://CVE-2017-9752.patch \
+     file://CVE-2017-9753.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch
new file mode 100644
index 0000000..241142b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch
@@ -0,0 +1,79 @@
+From 04f963fd489cae724a60140e13984415c205f4ac Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 10:35:16 +0100
+Subject: [PATCH] Fix seg-faults in objdump when disassembling a corrupt
+ versados binary.
+
+	PR binutils/21591
+	* versados.c (versados_mkobject): Zero the allocated tdata structure.
+	(process_otr): Check for an invalid offset in the otr structure.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9753
+CVE: CVE-2017-9754
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog  |  6 ++++++
+ bfd/versados.c | 12 ++++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+Index: git/bfd/versados.c
+===================================================================
+--- git.orig/bfd/versados.c
++++ git/bfd/versados.c
+@@ -149,7 +149,7 @@ versados_mkobject (bfd *abfd)
+   if (abfd->tdata.versados_data == NULL)
+     {
+       bfd_size_type amt = sizeof (tdata_type);
+-      tdata_type *tdata = bfd_alloc (abfd, amt);
++      tdata_type *tdata = bfd_zalloc (abfd, amt);
+ 
+       if (tdata == NULL)
+ 	return FALSE;
+@@ -345,13 +345,13 @@ reloc_howto_type versados_howto_table[]
+ };
+ 
+ static int
+-get_offset (int len, unsigned char *ptr)
++get_offset (unsigned int len, unsigned char *ptr)
+ {
+   int val = 0;
+ 
+   if (len)
+     {
+-      int i;
++      unsigned int i;
+ 
+       val = *ptr++;
+       if (val & 0x80)
+@@ -394,9 +394,13 @@ process_otr (bfd *abfd, struct ext_otr *
+ 	  int flag = *srcp++;
+ 	  int esdids = (flag >> 5) & 0x7;
+ 	  int sizeinwords = ((flag >> 3) & 1) ? 2 : 1;
+-	  int offsetlen = flag & 0x7;
++	  unsigned int offsetlen = flag & 0x7;
+ 	  int j;
+ 
++	  /* PR 21591: Check for invalid lengths.  */
++	  if (srcp + esdids + offsetlen >= endp)
++	    return;
++
+ 	  if (esdids == 0)
+ 	    {
+ 	      /* A zero esdid means the new pc is the offset given.  */
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -8,6 +8,10 @@
+        (ieee_archive_p): Likewise.
+ 
+ 2017-06-14  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21591
++       * versados.c (versados_mkobject): Zero the allocated tdata structure.
++       (process_otr): Check for an invalid offset in the otr structure.
+  
+        PR binutils/21589
+        * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
-- 
2.7.4

[pyro][PATCH 23/26] binutls: Security fix for CVE-2017-9755

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9755.patch          | 63 ++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9755.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index c6ef647..b4299c8 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -65,6 +65,7 @@ SRC_URI = "\
      file://CVE-2017-9751.patch \
      file://CVE-2017-9752.patch \
      file://CVE-2017-9753.patch \
+     file://CVE-2017-9755.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755.patch
new file mode 100644
index 0000000..15dc909
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755.patch
@@ -0,0 +1,63 @@
+From 0d96e4df4812c3bad77c229dfef47a9bc115ac12 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Thu, 15 Jun 2017 06:40:17 -0700
+Subject: [PATCH] i386-dis: Check valid bnd register
+
+Since there are only 4 bnd registers, return "(bad)" for register
+number > 3.
+
+	PR binutils/21594
+	* i386-dis.c (OP_E_register): Check valid bnd register.
+	(OP_G): Likewise.
+
+Upstream-Status: Backport 
+CVE: CVE-2017-9755
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ opcodes/ChangeLog  |  6 ++++++
+ opcodes/i386-dis.c | 10 ++++++++++
+ 2 files changed, 16 insertions(+)
+
+Index: git/opcodes/ChangeLog
+===================================================================
+--- git.orig/opcodes/ChangeLog
++++ git/opcodes/ChangeLog
+@@ -1,3 +1,9 @@
++2017-06-15  H.J. Lu  <hongjiu.lu@intel.com>
++
++	PR binutils/21594
++	* i386-dis.c (OP_E_register): Check valid bnd register.
++	(OP_G): Likewise.
++
+ 2017-06-15  Nick Clifton  <nickc@redhat.com>
+ 
+ 	PR binutils/21588
+Index: git/opcodes/i386-dis.c
+===================================================================
+--- git.orig/opcodes/i386-dis.c
++++ git/opcodes/i386-dis.c
+@@ -14939,6 +14939,11 @@ OP_E_register (int bytemode, int sizefla
+       names = address_mode == mode_64bit ? names64 : names32;
+       break;
+     case bnd_mode:
++      if (reg > 0x3)
++	{
++	  oappend ("(bad)");
++	  return;
++	}
+       names = names_bnd;
+       break;
+     case indir_v_mode:
+@@ -15483,6 +15488,11 @@ OP_G (int bytemode, int sizeflag)
+       oappend (names64[modrm.reg + add]);
+       break;
+     case bnd_mode:
++      if (modrm.reg > 0x3)
++	{
++	  oappend ("(bad)");
++	  return;
++	}
+       oappend (names_bnd[modrm.reg]);
+       break;
+     case v_mode:
-- 
2.7.4

[pyro][PATCH 24/26] binutls: Secuirty fix for CVE-2017-9756

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9756.patch          | 50 ++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9756.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index b4299c8..a2b2901 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -66,6 +66,7 @@ SRC_URI = "\
      file://CVE-2017-9752.patch \
      file://CVE-2017-9753.patch \
      file://CVE-2017-9755.patch \
+     file://CVE-2017-9756.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9756.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9756.patch
new file mode 100644
index 0000000..191d0be
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9756.patch
@@ -0,0 +1,50 @@
+From cd3ea7c69acc5045eb28f9bf80d923116e15e4f5 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 15 Jun 2017 13:26:54 +0100
+Subject: [PATCH] Prevent address violation problem when disassembling corrupt
+ aarch64 binary.
+
+	PR binutils/21595
+	* aarch64-dis.c (aarch64_ext_ldst_reglist): Check for an out of
+	range value.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9756
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ opcodes/ChangeLog     | 6 ++++++
+ opcodes/aarch64-dis.c | 3 +++
+ 2 files changed, 9 insertions(+)
+
+Index: git/opcodes/ChangeLog
+===================================================================
+--- git.orig/opcodes/ChangeLog
++++ git/opcodes/ChangeLog
+@@ -6,6 +6,12 @@
+ 
+ 2017-06-15  Nick Clifton  <nickc@redhat.com>
+ 
++	PR binutils/21595
++	* aarch64-dis.c (aarch64_ext_ldst_reglist): Check for an out of
++	range value.
++
++2017-06-15  Nick Clifton  <nickc@redhat.com>
++
+ 	PR binutils/21588
+ 	* rl78-decode.opc (OP_BUF_LEN): Define.
+ 	(GETBYTE): Check for the index exceeding OP_BUF_LEN.
+Index: git/opcodes/aarch64-dis.c
+===================================================================
+--- git.orig/opcodes/aarch64-dis.c
++++ git/opcodes/aarch64-dis.c
+@@ -409,6 +409,9 @@ aarch64_ext_ldst_reglist (const aarch64_
+   info->reglist.first_regno = extract_field (FLD_Rt, code, 0);
+   /* opcode */
+   value = extract_field (FLD_opcode, code, 0);
++  /* PR 21595: Check for a bogus value.  */
++  if (value >= ARRAY_SIZE (data))
++    return 0;
+   if (expected_num != data[value].num_elements || data[value].is_reserved)
+     return 0;
+   info->reglist.num_regs = data[value].num_regs;
-- 
2.7.4

[pyro][PATCH 25/26] binutils: Security fix for CVE-2017-9954

[Armin Kuster]

Affects: <= 2.28
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9954.patch          | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index a2b2901..fe9059a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -67,6 +67,7 @@ SRC_URI = "\
      file://CVE-2017-9753.patch \
      file://CVE-2017-9755.patch \
      file://CVE-2017-9756.patch \
+     file://CVE-2017-9954.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch
new file mode 100644
index 0000000..8a9d7eb
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch
@@ -0,0 +1,58 @@
+From 04e15b4a9462cb1ae819e878a6009829aab8020b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 26 Jun 2017 15:46:34 +0100
+Subject: [PATCH] Fix address violation parsing a corrupt texhex format file.
+
+	PR binutils/21670
+	* tekhex.c (getvalue): Check for the source pointer exceeding the
+	end pointer before the first byte is read.
+
+Upstream-Status: Backport
+CVE: CVE_2017-9954
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/tekhex.c  | 6 +++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+Index: git/bfd/tekhex.c
+===================================================================
+--- git.orig/bfd/tekhex.c
++++ git/bfd/tekhex.c
+@@ -273,6 +273,9 @@ getvalue (char **srcp, bfd_vma *valuep,
+   bfd_vma value = 0;
+   unsigned int len;
+ 
++  if (src >= endp)
++    return FALSE;
++
+   if (!ISHEX (*src))
+     return FALSE;
+ 
+@@ -514,9 +517,10 @@ pass_over (bfd *abfd, bfd_boolean (*func
+   /* To the front of the file.  */
+   if (bfd_seek (abfd, (file_ptr) 0, SEEK_SET) != 0)
+     return FALSE;
++
+   while (! is_eof)
+     {
+-      char src[MAXCHUNK];
++      static char src[MAXCHUNK];
+       char type;
+ 
+       /* Find first '%'.  */
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-06-26  Nick Clifton  <nickc@redhat.com>
++ 
++       PR binutils/21670
++       * tekhex.c (getvalue): Check for the source pointer exceeding the
++       end pointer before the first byte is read.
++
+ 2017-06-15  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21582
-- 
2.7.4

[pyro][PATCH 26/26] binutls: Security fix for CVE-2017-9955

[Armin Kuster]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |   9 +
 .../binutils/binutils/CVE-2017-9955_1.patch        | 168 ++++++++++
 .../binutils/binutils/CVE-2017-9955_2.patch        | 122 +++++++
 .../binutils/binutils/CVE-2017-9955_3.patch        |  48 +++
 .../binutils/binutils/CVE-2017-9955_4.patch        |  51 +++
 .../binutils/binutils/CVE-2017-9955_5.patch        |  89 ++++++
 .../binutils/binutils/CVE-2017-9955_6.patch        |  56 ++++
 .../binutils/binutils/CVE-2017-9955_7.patch        |  80 +++++
 .../binutils/binutils/CVE-2017-9955_8.patch        | 187 +++++++++++
 .../binutils/binutils/CVE-2017-9955_9.patch        | 356 +++++++++++++++++++++
 10 files changed, 1166 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index fe9059a..1784c52 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -68,6 +68,15 @@ SRC_URI = "\
      file://CVE-2017-9755.patch \
      file://CVE-2017-9756.patch \
      file://CVE-2017-9954.patch \
+     file://CVE-2017-9955_1.patch \
+     file://CVE-2017-9955_2.patch \
+     file://CVE-2017-9955_3.patch \
+     file://CVE-2017-9955_4.patch \
+     file://CVE-2017-9955_5.patch \
+     file://CVE-2017-9955_6.patch \
+     file://CVE-2017-9955_7.patch \
+     file://CVE-2017-9955_8.patch \
+     file://CVE-2017-9955_9.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
new file mode 100644
index 0000000..774670f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
@@ -0,0 +1,168 @@
+From cfd14a500e0485374596234de4db10e88ebc7618 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 26 Jun 2017 15:25:08 +0100
+Subject: [PATCH] Fix address violations when atempting to parse fuzzed
+ binaries.
+
+	PR binutils/21665
+bfd	* opncls.c (get_build_id): Check that the section is beig enough
+	to contain the whole note.
+	* compress.c (bfd_get_full_section_contents): Check for and reject
+	a section whoes size is greater than the size of the entire file.
+	* elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
+	contain a notes section.
+
+binutils* objdump.c (disassemble_section): Skip any section that is bigger
+	than the entire file.
+
+Upstream-Status: Backport 
+CVE: CVE-2017-9955 #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog      | 10 ++++++++++
+ bfd/compress.c     |  6 ++++++
+ bfd/elf32-v850.c   |  4 +++-
+ bfd/opncls.c       | 18 ++++++++++++++++--
+ binutils/ChangeLog |  6 ++++++
+ binutils/objdump.c |  4 ++--
+ 6 files changed, 43 insertions(+), 5 deletions(-)
+
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c
++++ git/bfd/compress.c
+@@ -239,6 +239,12 @@ bfd_get_full_section_contents (bfd *abfd
+       *ptr = NULL;
+       return TRUE;
+     }
++  else if (bfd_get_file_size (abfd) > 0
++	   && sz > (bfd_size_type) bfd_get_file_size (abfd))
++    {
++      *ptr = NULL;
++      return FALSE;
++    }
+ 
+   switch (sec->compress_status)
+     {
+Index: git/bfd/elf32-v850.c
+===================================================================
+--- git.orig/bfd/elf32-v850.c
++++ git/bfd/elf32-v850.c
+@@ -2450,7 +2450,9 @@ v850_elf_copy_notes (bfd *ibfd, bfd *obf
+ 	BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
+ 
+       if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
+-	BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
++	/* If the output is being stripped then it is possible for
++	   the notes section to disappear.  In this case do nothing.  */
++	return;
+ 
+       /* Copy/overwrite notes from the input to the output.  */
+       memcpy (ocont, icont, bfd_section_size (obfd, onotes));
+Index: git/bfd/opncls.c
+===================================================================
+--- git.orig/bfd/opncls.c
++++ git/bfd/opncls.c
+@@ -1776,6 +1776,7 @@ get_build_id (bfd *abfd)
+   Elf_External_Note *enote;
+   bfd_byte *contents;
+   asection *sect;
++  bfd_size_type size;
+ 
+   BFD_ASSERT (abfd);
+ 
+@@ -1790,8 +1791,9 @@ get_build_id (bfd *abfd)
+       return NULL;
+     }
+ 
++  size = bfd_get_section_size (sect);
+   /* FIXME: Should we support smaller build-id notes ?  */
+-  if (bfd_get_section_size (sect) < 0x24)
++  if (size < 0x24)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return NULL;
+@@ -1804,6 +1806,17 @@ get_build_id (bfd *abfd)
+       return NULL;
+     }
+ 
++  /* FIXME: Paranoia - allow for compressed build-id sections.
++     Maybe we should complain if this size is different from
++     the one obtained above...  */
++  size = bfd_get_section_size (sect);
++  if (size < sizeof (Elf_External_Note))
++    {
++      bfd_set_error (bfd_error_invalid_operation);
++      free (contents);
++      return NULL;
++    }
++
+   enote = (Elf_External_Note *) contents;
+   inote.type = H_GET_32 (abfd, enote->type);
+   inote.namesz = H_GET_32 (abfd, enote->namesz);
+@@ -1815,7 +1828,8 @@ get_build_id (bfd *abfd)
+   if (inote.descsz == 0
+       || inote.type != NT_GNU_BUILD_ID
+       || inote.namesz != 4 /* sizeof "GNU"  */
+-      || strcmp (inote.namedata, "GNU") != 0)
++      || strncmp (inote.namedata, "GNU", 4) != 0
++      || size < (12 + BFD_ALIGN (inote.namesz, 4) + inote.descsz))
+     {
+       free (contents);
+       bfd_set_error (bfd_error_invalid_operation);
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -2048,7 +2048,7 @@ disassemble_section (bfd *abfd, asection
+     return;
+ 
+   datasize = bfd_get_section_size (section);
+-  if (datasize == 0)
++  if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
+     return;
+ 
+   if (start_address == (bfd_vma) -1
+@@ -2912,7 +2912,7 @@ dump_target_specific (bfd *abfd)
+ static void
+ dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED)
+ {
+-  bfd_byte *data = 0;
++  bfd_byte *data = NULL;
+   bfd_size_type datasize;
+   bfd_vma addr_offset;
+   bfd_vma start_offset;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,14 @@
+ 2017-06-26  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21665
++       * opncls.c (get_build_id): Check that the section is beig enough
++       to contain the whole note.
++       * compress.c (bfd_get_full_section_contents): Check for and reject
++       a section whoes size is greater than the size of the entire file.
++       * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
++       contain a notes section.
++
++2017-06-26  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/21670
+        * tekhex.c (getvalue): Check for the source pointer exceeding the
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2017-06-26  Nick Clifton  <nickc@redhat.com>
++ 
++       PR binutils/21665
++       * objdump.c (disassemble_section): Skip any section that is bigger
++       than the entire file.
++
+ 2017-04-03  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21345
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
new file mode 100644
index 0000000..f95295f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
@@ -0,0 +1,122 @@
+From 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Mon, 26 Jun 2017 09:24:49 -0700
+Subject: [PATCH] Check file size before getting section contents
+
+Don't check the section size in bfd_get_full_section_contents since
+the size of a decompressed section may be larger than the file size.
+Instead, check file size in _bfd_generic_get_section_contents.
+
+	PR binutils/21665
+	* compress.c (bfd_get_full_section_contents): Don't check the
+	file size here.
+	* libbfd.c (_bfd_generic_get_section_contents): Check for and
+	reject a section whoes size + offset is greater than the size
+	of the entire file.
+	(_bfd_generic_get_section_contents_in_window): Likewise.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog  | 10 +++++++++-
+ bfd/compress.c |  8 +-------
+ bfd/libbfd.c   | 17 ++++++++++++++++-
+ 3 files changed, 26 insertions(+), 9 deletions(-)
+
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c
++++ git/bfd/compress.c
+@@ -239,12 +239,6 @@ bfd_get_full_section_contents (bfd *abfd
+       *ptr = NULL;
+       return TRUE;
+     }
+-  else if (bfd_get_file_size (abfd) > 0
+-	   && sz > (bfd_size_type) bfd_get_file_size (abfd))
+-    {
+-      *ptr = NULL;
+-      return FALSE;
+-    }
+ 
+   switch (sec->compress_status)
+     {
+@@ -260,7 +254,7 @@ bfd_get_full_section_contents (bfd *abfd
+ 		  /* xgettext:c-format */
+ 		  (_("error: %B(%A) is too large (%#lx bytes)"),
+ 		  abfd, sec, (long) sz);
+-	    return FALSE;
++	      return FALSE;
+ 	    }
+ 	}
+ 
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c
++++ git/bfd/libbfd.c
+@@ -780,6 +780,7 @@ _bfd_generic_get_section_contents (bfd *
+ 				   bfd_size_type count)
+ {
+   bfd_size_type sz;
++  file_ptr filesz;
+   if (count == 0)
+     return TRUE;
+ 
+@@ -802,8 +803,15 @@ _bfd_generic_get_section_contents (bfd *
+     sz = section->rawsize;
+   else
+     sz = section->size;
++  filesz = bfd_get_file_size (abfd);
++  if (filesz < 0)
++    {
++      /* This should never happen.  */
++      abort ();
++    }
+   if (offset + count < count
+-      || offset + count > sz)
++      || offset + count > sz
++      || (section->filepos + offset + sz) > (bfd_size_type) filesz)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return FALSE;
+@@ -826,6 +834,7 @@ _bfd_generic_get_section_contents_in_win
+ {
+ #ifdef USE_MMAP
+   bfd_size_type sz;
++  file_ptr filesz;
+ 
+   if (count == 0)
+     return TRUE;
+@@ -858,7 +867,13 @@ _bfd_generic_get_section_contents_in_win
+     sz = section->rawsize;
+   else
+     sz = section->size;
++  filesz = bfd_get_file_size (abfd);
++    {
++      /* This should never happen.  */
++      abort ();
++    }
+   if (offset + count > sz
++      || (section->filepos + offset + sz) > (bfd_size_type) filesz
+       || ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
+ 				TRUE))
+     return FALSE;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,13 @@
++2017-06-26  H.J. Lu  <hongjiu.lu@intel.com>
++
++       PR binutils/21665
++       * compress.c (bfd_get_full_section_contents): Don't check the
++       file size here.
++       * libbfd.c (_bfd_generic_get_section_contents): Check for and
++       reject a section whoes size + offset is greater than the size
++       of the entire file.
++       (_bfd_generic_get_section_contents_in_window): Likewise.
++
+ 2017-06-26  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21665
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch
new file mode 100644
index 0000000..1b67c4e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_3.patch
@@ -0,0 +1,48 @@
+From 1f473e3d0ad285195934e6a077c7ed32afe66437 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Mon, 26 Jun 2017 15:47:16 -0700
+Subject: [PATCH] Add a missing line to
+ _bfd_generic_get_section_contents_in_window
+
+	PR binutils/21665
+	* libbfd.c (_bfd_generic_get_section_contents_in_window): Add
+	a missing line.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/libbfd.c  | 1 +
+ 2 files changed, 7 insertions(+)
+
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c
++++ git/bfd/libbfd.c
+@@ -868,6 +868,7 @@ _bfd_generic_get_section_contents_in_win
+   else
+     sz = section->size;
+   filesz = bfd_get_file_size (abfd);
++  if (filesz < 0)
+     {
+       /* This should never happen.  */
+       abort ();
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,6 +1,12 @@
+ 2017-06-26  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+        PR binutils/21665
++       * libbfd.c (_bfd_generic_get_section_contents_in_window): Add
++       a missing line.
++
++2017-06-26  H.J. Lu  <hongjiu.lu@intel.com>
++
++       PR binutils/21665
+        * compress.c (bfd_get_full_section_contents): Don't check the
+        file size here.
+        * libbfd.c (_bfd_generic_get_section_contents): Check for and
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch
new file mode 100644
index 0000000..97d529a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_4.patch
@@ -0,0 +1,51 @@
+From ab27f80c5dceaa23c4ba7f62c0d5d22a5d5dd7a1 Mon Sep 17 00:00:00 2001
+From: Pedro Alves <palves@redhat.com>
+Date: Tue, 27 Jun 2017 00:21:25 +0100
+Subject: [PATCH] Fix GDB regressions caused by previous
+ bfd_get_section_contents changes
+
+Ref: https://sourceware.org/ml/binutils/2017-06/msg00343.html
+
+bfd/ChangeLog:
+2017-06-26  Pedro Alves  <palves@redhat.com>
+
+	PR binutils/21665
+	* libbfd.c (_bfd_generic_get_section_contents): Add "count", not
+	"sz".
+
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/libbfd.c  | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-06-26  Pedro Alves  <palves@redhat.com>
++
++	PR binutils/21665
++	* libbfd.c (_bfd_generic_get_section_contents): Add "count", not
++	"sz".
++
+ 2017-06-26  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+        PR binutils/21665
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c
++++ git/bfd/libbfd.c
+@@ -811,7 +811,7 @@ _bfd_generic_get_section_contents (bfd *
+     }
+   if (offset + count < count
+       || offset + count > sz
+-      || (section->filepos + offset + sz) > (bfd_size_type) filesz)
++      || (section->filepos + offset + count) > (bfd_size_type) filesz)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return FALSE;
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch
new file mode 100644
index 0000000..da3bd37
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_5.patch
@@ -0,0 +1,89 @@
+From 7211ae501eb0de1044983f2dfb00091a58fbd66c Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 27 Jun 2017 09:45:04 +0930
+Subject: [PATCH] More fixes for bfd_get_section_contents change
+
+	PR binutils/21665
+	* libbfd.c (_bfd_generic_get_section_contents): Delete abort.
+	Use unsigned file pointer type, and remove cast.
+	* libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise.
+	Add "count", not "sz".
+
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #5
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  8 ++++++++
+ bfd/libbfd.c  | 18 ++++--------------
+ 2 files changed, 12 insertions(+), 14 deletions(-)
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,11 @@
++2017-06-27  Alan Modra  <amodra@gmail.com>
++
++	PR binutils/21665
++	* libbfd.c (_bfd_generic_get_section_contents): Delete abort.
++	Use unsigned file pointer type, and remove cast.
++	* libbfd.c (_bfd_generic_get_section_contents_in_window): Likewise.
++	Add "count", not "sz".
++
+ 2017-06-26  Pedro Alves  <palves@redhat.com>
+ 
+ 	PR binutils/21665
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c
++++ git/bfd/libbfd.c
+@@ -780,7 +780,7 @@ _bfd_generic_get_section_contents (bfd *
+ 				   bfd_size_type count)
+ {
+   bfd_size_type sz;
+-  file_ptr filesz;
++  ufile_ptr filesz;
+   if (count == 0)
+     return TRUE;
+ 
+@@ -804,14 +804,9 @@ _bfd_generic_get_section_contents (bfd *
+   else
+     sz = section->size;
+   filesz = bfd_get_file_size (abfd);
+-  if (filesz < 0)
+-    {
+-      /* This should never happen.  */
+-      abort ();
+-    }
+   if (offset + count < count
+       || offset + count > sz
+-      || (section->filepos + offset + count) > (bfd_size_type) filesz)
++      || section->filepos + offset + count > filesz)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return FALSE;
+@@ -834,7 +829,7 @@ _bfd_generic_get_section_contents_in_win
+ {
+ #ifdef USE_MMAP
+   bfd_size_type sz;
+-  file_ptr filesz;
++  ufile_ptr filesz;
+ 
+   if (count == 0)
+     return TRUE;
+@@ -868,13 +863,8 @@ _bfd_generic_get_section_contents_in_win
+   else
+     sz = section->size;
+   filesz = bfd_get_file_size (abfd);
+-  if (filesz < 0)
+-    {
+-      /* This should never happen.  */
+-      abort ();
+-    }
+   if (offset + count > sz
+-      || (section->filepos + offset + sz) > (bfd_size_type) filesz
++      || section->filepos + offset + count > filesz
+       || ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
+ 				TRUE))
+     return FALSE;
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch
new file mode 100644
index 0000000..e36429a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_6.patch
@@ -0,0 +1,56 @@
+From ea9aafc41a764e4e2dbb88a7b031e886b481b99a Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 27 Jun 2017 14:43:49 +0930
+Subject: [PATCH] Warning fix
+
+	PR binutils/21665
+	* libbfd.c (_bfd_generic_get_section_contents): Warning fix.
+	(_bfd_generic_get_section_contents_in_window): Likewise.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #6
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 12 +++++++++---
+ bfd/libbfd.c  |  4 ++--
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c
++++ git/bfd/libbfd.c
+@@ -806,7 +806,7 @@ _bfd_generic_get_section_contents (bfd *
+   filesz = bfd_get_file_size (abfd);
+   if (offset + count < count
+       || offset + count > sz
+-      || section->filepos + offset + count > filesz)
++      || (ufile_ptr) section->filepos + offset + count > filesz)
+     {
+       bfd_set_error (bfd_error_invalid_operation);
+       return FALSE;
+@@ -864,7 +864,7 @@ _bfd_generic_get_section_contents_in_win
+     sz = section->size;
+   filesz = bfd_get_file_size (abfd);
+   if (offset + count > sz
+-      || section->filepos + offset + count > filesz
++      || (ufile_ptr) section->filepos + offset + count > filesz
+       || ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
+ 				TRUE))
+     return FALSE;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,5 +1,11 @@
+ 2017-06-27  Alan Modra  <amodra@gmail.com>
+ 
++       PR binutils/21665
++       * libbfd.c (_bfd_generic_get_section_contents): Warning fix.
++       (_bfd_generic_get_section_contents_in_window): Likewise.
++
++2017-06-27  Alan Modra  <amodra@gmail.com>
++
+ 	PR binutils/21665
+ 	* libbfd.c (_bfd_generic_get_section_contents): Delete abort.
+ 	Use unsigned file pointer type, and remove cast.
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch
new file mode 100644
index 0000000..2cae63b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_7.patch
@@ -0,0 +1,80 @@
+From 60a02042bacf8d25814430080adda61ed086bca6 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 30 Jun 2017 11:03:37 +0100
+Subject: [PATCH] Fix failures in MMIX linker tests introduced by fix for PR
+ 21665.
+
+	PR binutils/21665
+	* objdump.c (disassemble_section): Move check for an overlarge
+	section to just before the allocation of memory.  Do not check
+	section size against file size, but instead use an arbitrary 2Gb
+	limit.  Issue a warning message if the section is too big.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #7
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  8 ++++++++
+ binutils/objdump.c | 25 ++++++++++++++++++++++++-
+ 2 files changed, 32 insertions(+), 1 deletion(-)
+
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -2048,7 +2048,7 @@ disassemble_section (bfd *abfd, asection
+     return;
+ 
+   datasize = bfd_get_section_size (section);
+-  if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
++  if (datasize == 0)
+     return;
+ 
+   if (start_address == (bfd_vma) -1
+@@ -2112,6 +2112,29 @@ disassemble_section (bfd *abfd, asection
+     }
+   rel_ppend = rel_pp + rel_count;
+ 
++  /* PR 21665: Check for overlarge datasizes.
++     Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
++     this fails when using compressed sections or compressed file formats
++     (eg MMO, tekhex).
++
++     The call to xmalloc below will fail if too much memory is requested,
++     which will catch the problem in the normal use case.  But if a memory
++     checker is in use, eg valgrind or sanitize, then an exception will
++     be still generated, so we try to catch the problem first.
++
++     Unfortunately there is no simple way to determine how much memory can
++     be allocated by calling xmalloc.  So instead we use a simple, arbitrary
++     limit of 2Gb.  Hopefully this should be enough for most users.  If
++     someone does start trying to disassemble sections larger then 2Gb in
++     size they will doubtless complain and we can increase the limit.  */
++#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
++  if (datasize > MAX_XMALLOC)
++    {
++      non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
++		 section->name, (unsigned long) datasize);
++      return;
++    }
++
+   data = (bfd_byte *) xmalloc (datasize);
+ 
+   bfd_get_section_contents (abfd, section, data, 0, datasize);
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,11 @@
++2017-06-30  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21665
++       * objdump.c (disassemble_section): Move check for an overlarge
++       section to just before the allocation of memory.  Do not check
++       section size against file size, but instead use an arbitrary 2Gb
++       limit.  Issue a warning message if the section is too big.
++
+ 2017-06-26  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/21665
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
new file mode 100644
index 0000000..45dd974
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
@@ -0,0 +1,187 @@
+From bae7501e87ab614115d9d3213b4dd18d96e604db Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 1 Jul 2017 21:58:10 +0930
+Subject: [PATCH] Use bfd_malloc_and_get_section
+
+It's nicer than xmalloc followed by bfd_get_section_contents, since
+xmalloc exits on failure and needs a check that its size_t arg doesn't
+lose high bits when converted from bfd_size_type.
+
+	PR binutils/21665
+	* objdump.c (strtab): Make var a bfd_byte*.
+	(disassemble_section): Don't limit malloc size.  Instead, use
+	bfd_malloc_and_get_section.
+	(read_section_stabs): Use bfd_malloc_and_get_section.  Return
+	bfd_byte*.
+	(find_stabs_section): Remove now unnecessary cast.
+	* objcopy.c (copy_object): Use bfd_malloc_and_get_section.  Free
+	contents on error return.
+	* nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #8
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog | 13 +++++++++++++
+ binutils/nlmconv.c |  6 ++----
+ binutils/objcopy.c |  5 +++--
+ binutils/objdump.c | 44 +++++++-------------------------------------
+ 4 files changed, 25 insertions(+), 43 deletions(-)
+
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,16 @@
++2017-07-01  Alan Modra  <amodra@gmail.com>
++
++	PR binutils/21665
++	* objdump.c (strtab): Make var a bfd_byte*.
++	(disassemble_section): Don't limit malloc size.  Instead, use
++	bfd_malloc_and_get_section.
++	(read_section_stabs): Use bfd_malloc_and_get_section.  Return
++	bfd_byte*.
++	(find_stabs_section): Remove now unnecessary cast.
++	* objcopy.c (copy_object): Use bfd_malloc_and_get_section.  Free
++	contents on error return.
++	* nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
++
+ 2017-06-30  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21665
+Index: git/binutils/nlmconv.c
+===================================================================
+--- git.orig/binutils/nlmconv.c
++++ git/binutils/nlmconv.c
+@@ -1224,7 +1224,7 @@ copy_sections (bfd *inbfd, asection *ins
+   const char *inname;
+   asection *outsec;
+   bfd_size_type size;
+-  void *contents;
++  bfd_byte *contents;
+   long reloc_size;
+   bfd_byte buf[4];
+   bfd_size_type add;
+@@ -1240,9 +1240,7 @@ copy_sections (bfd *inbfd, asection *ins
+     contents = NULL;
+   else
+     {
+-      contents = xmalloc (size);
+-      if (! bfd_get_section_contents (inbfd, insec, contents,
+-				      (file_ptr) 0, size))
++      if (!bfd_malloc_and_get_section (inbfd, insec, &contents))
+ 	bfd_fatal (bfd_get_filename (inbfd));
+     }
+ 
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -180,7 +180,7 @@ static long dynsymcount = 0;
+ static bfd_byte *stabs;
+ static bfd_size_type stab_size;
+ 
+-static char *strtab;
++static bfd_byte *strtab;
+ static bfd_size_type stabstr_size;
+ 
+ static bfd_boolean is_relocatable = FALSE;
+@@ -2112,29 +2112,6 @@ disassemble_section (bfd *abfd, asection
+     }
+   rel_ppend = rel_pp + rel_count;
+ 
+-  /* PR 21665: Check for overlarge datasizes.
+-     Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
+-     this fails when using compressed sections or compressed file formats
+-     (eg MMO, tekhex).
+-
+-     The call to xmalloc below will fail if too much memory is requested,
+-     which will catch the problem in the normal use case.  But if a memory
+-     checker is in use, eg valgrind or sanitize, then an exception will
+-     be still generated, so we try to catch the problem first.
+-
+-     Unfortunately there is no simple way to determine how much memory can
+-     be allocated by calling xmalloc.  So instead we use a simple, arbitrary
+-     limit of 2Gb.  Hopefully this should be enough for most users.  If
+-     someone does start trying to disassemble sections larger then 2Gb in
+-     size they will doubtless complain and we can increase the limit.  */
+-#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
+-  if (datasize > MAX_XMALLOC)
+-    {
+-      non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
+-		 section->name, (unsigned long) datasize);
+-      return;
+-    }
+-
+   data = (bfd_byte *) xmalloc (datasize);
+ 
+   bfd_get_section_contents (abfd, section, data, 0, datasize);
+@@ -2652,12 +2629,11 @@ dump_dwarf (bfd *abfd)
+ /* Read ABFD's stabs section STABSECT_NAME, and return a pointer to
+    it.  Return NULL on failure.   */
+ 
+-static char *
++static bfd_byte *
+ read_section_stabs (bfd *abfd, const char *sect_name, bfd_size_type *size_ptr)
+ {
+   asection *stabsect;
+-  bfd_size_type size;
+-  char *contents;
++  bfd_byte *contents;
+ 
+   stabsect = bfd_get_section_by_name (abfd, sect_name);
+   if (stabsect == NULL)
+@@ -2666,10 +2642,7 @@ read_section_stabs (bfd *abfd, const cha
+       return FALSE;
+     }
+ 
+-  size = bfd_section_size (abfd, stabsect);
+-  contents  = (char *) xmalloc (size);
+-
+-  if (! bfd_get_section_contents (abfd, stabsect, contents, 0, size))
++  if (!bfd_malloc_and_get_section (abfd, stabsect, &contents))
+     {
+       non_fatal (_("reading %s section of %s failed: %s"),
+ 		 sect_name, bfd_get_filename (abfd),
+@@ -2679,7 +2652,7 @@ read_section_stabs (bfd *abfd, const cha
+       return NULL;
+     }
+ 
+-  *size_ptr = size;
++  *size_ptr = bfd_section_size (abfd, stabsect);
+ 
+   return contents;
+ }
+@@ -2806,8 +2779,7 @@ find_stabs_section (bfd *abfd, asection
+ 
+       if (strtab)
+ 	{
+-	  stabs = (bfd_byte *) read_section_stabs (abfd, section->name,
+-						   &stab_size);
++	  stabs = read_section_stabs (abfd, section->name, &stab_size);
+ 	  if (stabs)
+ 	    print_section_stabs (abfd, section->name, &sought->string_offset);
+ 	}
+Index: git/binutils/objcopy.c
+===================================================================
+--- git.orig/binutils/objcopy.c
++++ git/binutils/objcopy.c
+@@ -2186,14 +2186,15 @@ copy_object (bfd *ibfd, bfd *obfd, const
+ 	      continue;
+ 	    }
+ 
+-	  bfd_byte * contents = xmalloc (size);
+-	  if (bfd_get_section_contents (ibfd, sec, contents, 0, size))
++	  bfd_byte *contents;
++          if (bfd_malloc_and_get_section (ibfd, sec, &contents))
+ 	    {
+ 	      if (fwrite (contents, 1, size, f) != size)
+ 		{
+ 		  non_fatal (_("error writing section contents to %s (error: %s)"),
+ 			     pdump->filename,
+ 			     strerror (errno));
++                  free (contents);
+ 		  return FALSE;
+ 		}
+ 	    }
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch
new file mode 100644
index 0000000..1813a2a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch
@@ -0,0 +1,356 @@
+From 8e2f54bcee7e3e8315d4a39a302eaf8e4389e07d Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 30 May 2017 06:34:05 -0700
+Subject: [PATCH] Add bfd_get_file_size to get archive element size
+
+We can't use stat() to get archive element size.  Add bfd_get_file_size
+to get size for both normal files and archive elements.
+
+bfd/
+
+	PR binutils/21519
+	* bfdio.c (bfd_get_file_size): New function.
+	* bfd-in2.h: Regenerated.
+
+binutils/
+
+	PR binutils/21519
+	* objdump.c (dump_relocs_in_section): Replace get_file_size
+	with bfd_get_file_size to get archive element size.
+	* testsuite/binutils-all/objdump.exp (test_objdump_f): New
+	proc.
+	(test_objdump_h): Likewise.
+	(test_objdump_t): Likewise.
+	(test_objdump_r): Likewise.
+	(test_objdump_s): Likewise.
+	Add objdump tests on archive.
+---
+ bfd/ChangeLog                               |   6 +
+ bfd/bfd-in2.h                               |   2 +
+ bfd/bfdio.c                                 |  23 ++++
+ binutils/ChangeLog                          |  13 ++
+ binutils/objdump.c                          |   2 +-
+ binutils/testsuite/binutils-all/objdump.exp | 178 +++++++++++++++++++---------
+ 6 files changed, 170 insertions(+), 54 deletions(-)
+
+Index: git/bfd/bfd-in2.h
+===================================================================
+--- git.orig/bfd/bfd-in2.h
++++ git/bfd/bfd-in2.h
+@@ -1241,6 +1241,8 @@ long bfd_get_mtime (bfd *abfd);
+ 
+ file_ptr bfd_get_size (bfd *abfd);
+ 
++file_ptr bfd_get_file_size (bfd *abfd);
++
+ void *bfd_mmap (bfd *abfd, void *addr, bfd_size_type len,
+     int prot, int flags, file_ptr offset,
+     void **map_addr, bfd_size_type *map_len);
+Index: git/bfd/bfdio.c
+===================================================================
+--- git.orig/bfd/bfdio.c
++++ git/bfd/bfdio.c
+@@ -434,6 +434,29 @@ bfd_get_size (bfd *abfd)
+   return buf.st_size;
+ }
+ 
++/*
++FUNCTION
++	bfd_get_file_size
++
++SYNOPSIS
++	file_ptr bfd_get_file_size (bfd *abfd);
++
++DESCRIPTION
++	Return the file size (as read from file system) for the file
++	associated with BFD @var{abfd}.  It supports both normal files
++	and archive elements.
++
++*/
++
++file_ptr
++bfd_get_file_size (bfd *abfd)
++{
++  if (abfd->my_archive != NULL
++      && !bfd_is_thin_archive (abfd->my_archive))
++    return arelt_size (abfd);
++
++  return bfd_get_size (abfd);
++}
+ 
+ /*
+ FUNCTION
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -3310,7 +3310,7 @@ dump_relocs_in_section (bfd *abfd,
+     }
+ 
+   if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
+-      && relsize > get_file_size (bfd_get_filename (abfd)))
++      && relsize > bfd_get_file_size (abfd))
+     {
+       printf (" (too many: 0x%x)\n", section->reloc_count);
+       bfd_set_error (bfd_error_file_truncated);
+Index: git/binutils/testsuite/binutils-all/objdump.exp
+===================================================================
+--- git.orig/binutils/testsuite/binutils-all/objdump.exp
++++ git/binutils/testsuite/binutils-all/objdump.exp
+@@ -64,96 +64,168 @@ if [regexp $want $got] then {
+ if {![binutils_assemble $srcdir/$subdir/bintest.s tmpdir/bintest.o]} then {
+     return
+ }
++if {![binutils_assemble $srcdir/$subdir/bintest.s tmpdir/bintest2.o]} then {
++    return
++}
+ if [is_remote host] {
+     set testfile [remote_download host tmpdir/bintest.o]
++    set testfile2 [remote_download host tmpdir/bintest2.o]
+ } else {
+     set testfile tmpdir/bintest.o
++    set testfile2 tmpdir/bintest2.o
++}
++
++if { ![istarget "alpha-*-*"] || [is_elf_format] } then {
++    remote_file host file delete tmpdir/bintest.a
++    set got [binutils_run $AR "rc tmpdir/bintest.a $testfile2"]
++    if ![string match "" $got] then {
++	fail "bintest.a"
++	remote_file host delete tmpdir/bintest.a
++    } else {
++	if [is_remote host] {
++	    set testarchive [remote_download host tmpdir/bintest.a]
++	} else {
++	    set testarchive tmpdir/bintest.a
++	}
++    }
++    remote_file host delete tmpdir/bintest2.o
+ }
+ 
+ # Test objdump -f
+ 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -f $testfile"]
++proc test_objdump_f { testfile dumpfile } {
++    global OBJDUMP
++    global OBJDUMPFLAGS
++    global cpus_regex
+ 
+-set want "$testfile:\[ 	\]*file format.*architecture:\[ 	\]*${cpus_regex}.*HAS_RELOC.*HAS_SYMS"
++    set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -f $testfile"]
+ 
+-if ![regexp $want $got] then {
+-    fail "objdump -f"
+-} else {
+-    pass "objdump -f"
++    set want "$dumpfile:\[ 	\]*file format.*architecture:\[ 	\]*${cpus_regex}.*HAS_RELOC.*HAS_SYMS"
++
++    if ![regexp $want $got] then {
++	fail "objdump -f ($testfile, $dumpfile)"
++    } else {
++	pass "objdump -f ($testfile, $dumpfile)"
++    }
++}
++
++test_objdump_f $testfile $testfile
++if { [ remote_file host exists $testarchive ] } then {
++    test_objdump_f $testarchive bintest2.o
+ }
+ 
+ # Test objdump -h
+ 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -h $testfile"]
++proc test_objdump_h { testfile dumpfile } {
++    global OBJDUMP
++    global OBJDUMPFLAGS
+ 
+-set want "$testfile:\[ 	\]*file format.*Sections.*\[0-9\]+\[ 	\]+\[^ 	\]*(text|TEXT|P|\\\$CODE\\\$)\[^ 	\]*\[ 	\]*(\[0-9a-fA-F\]+).*\[0-9\]+\[ 	\]+\[^ 	\]*(\\.data|DATA|D_1)\[^ 	\]*\[ 	\]*(\[0-9a-fA-F\]+)"
++    set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -h $testfile"]
+ 
+-if ![regexp $want $got all text_name text_size data_name data_size] then {
+-    fail "objdump -h"
+-} else {
+-    verbose "text name is $text_name size is $text_size"
+-    verbose "data name is $data_name size is $data_size"
+-    set ets 8
+-    set eds 4
+-    # The [ti]c4x target has the property sizeof(char)=sizeof(long)=1
+-    if [istarget *c4x*-*-*] then {
+-        set ets 2
+-        set eds 1
+-    }
+-    # c54x section sizes are in bytes, not octets; adjust accordingly
+-    if [istarget *c54x*-*-*] then {
+-	set ets 4
+-	set eds 2
+-    }
+-    if {[expr "0x$text_size"] < $ets || [expr "0x$data_size"] < $eds} then {
+-	send_log "sizes too small\n"
+-	fail "objdump -h"
++    set want "$dumpfile:\[ 	\]*file format.*Sections.*\[0-9\]+\[ 	\]+\[^ 	\]*(text|TEXT|P|\\\$CODE\\\$)\[^ 	\]*\[ 	\]*(\[0-9a-fA-F\]+).*\[0-9\]+\[ 	\]+\[^ 	\]*(\\.data|DATA|D_1)\[^ 	\]*\[ 	\]*(\[0-9a-fA-F\]+)"
++
++    if ![regexp $want $got all text_name text_size data_name data_size] then {
++	fail "objdump -h ($testfile, $dumpfile)"
+     } else {
+-	pass "objdump -h"
++	verbose "text name is $text_name size is $text_size"
++	verbose "data name is $data_name size is $data_size"
++	set ets 8
++	set eds 4
++	# The [ti]c4x target has the property sizeof(char)=sizeof(long)=1
++	if [istarget *c4x*-*-*] then {
++            set ets 2
++            set eds 1
++	}
++	# c54x section sizes are in bytes, not octets; adjust accordingly
++	if [istarget *c54x*-*-*] then {
++	    set ets 4
++	    set eds 2
++        }
++	if {[expr "0x$text_size"] < $ets || [expr "0x$data_size"] < $eds} then {
++	    send_log "sizes too small\n"
++	    fail "objdump -h ($testfile, $dumpfile)"
++	} else {
++	    pass "objdump -h ($testfile, $dumpfile)"
++	}
+     }
+ }
+ 
++test_objdump_h $testfile $testfile
++if { [ remote_file host exists $testarchive ] } then {
++    test_objdump_h $testarchive bintest2.o
++}
++
+ # Test objdump -t
+ 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -t $testfile"]
++proc test_objdump_t { testfile} {
++    global OBJDUMP
++    global OBJDUMPFLAGS
++
++    set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -t $testfile"]
++
++    if [info exists vars] then { unset vars }
++    while {[regexp "(\[a-z\]*_symbol)(.*)" $got all symbol rest]} {
++	set vars($symbol) 1
++	set got $rest
++    }
+ 
+-if [info exists vars] then { unset vars }
+-while {[regexp "(\[a-z\]*_symbol)(.*)" $got all symbol rest]} {
+-    set vars($symbol) 1
+-    set got $rest
++    if {![info exists vars(text_symbol)] \
++	 || ![info exists vars(data_symbol)] \
++	 || ![info exists vars(common_symbol)] \
++	 || ![info exists vars(external_symbol)]} then {
++	fail "objdump -t ($testfile)"
++    } else {
++	pass "objdump -t ($testfile)"
++    }
+ }
+ 
+-if {![info exists vars(text_symbol)] \
+-     || ![info exists vars(data_symbol)] \
+-     || ![info exists vars(common_symbol)] \
+-     || ![info exists vars(external_symbol)]} then {
+-    fail "objdump -t"
+-} else {
+-    pass "objdump -t"
++test_objdump_t $testfile
++if { [ remote_file host exists $testarchive ] } then {
++    test_objdump_t $testarchive
+ }
+ 
+ # Test objdump -r
+ 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -r $testfile"]
++proc test_objdump_r { testfile dumpfile } {
++    global OBJDUMP
++    global OBJDUMPFLAGS
+ 
+-set want "$testfile:\[ 	\]*file format.*RELOCATION RECORDS FOR \\\[\[^\]\]*(text|TEXT|P|\\\$CODE\\\$)\[^\]\]*\\\].*external_symbol"
++    set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -r $testfile"]
+ 
+-if [regexp $want $got] then {
+-    pass "objdump -r"
+-} else {
+-    fail "objdump -r"
++    set want "$dumpfile:\[ 	\]*file format.*RELOCATION RECORDS FOR \\\[\[^\]\]*(text|TEXT|P|\\\$CODE\\\$)\[^\]\]*\\\].*external_symbol"
++
++    if [regexp $want $got] then {
++	pass "objdump -r ($testfile, $dumpfile)"
++    } else {
++	fail "objdump -r ($testfile, $dumpfile)"
++    }
++}
++
++test_objdump_r $testfile $testfile
++if { [ remote_file host exists $testarchive ] } then {
++    test_objdump_r $testarchive bintest2.o
+ }
+ 
+ # Test objdump -s
+ 
+-set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -s $testfile"]
++proc test_objdump_s { testfile dumpfile } {
++    global OBJDUMP
++    global OBJDUMPFLAGS
+ 
+-set want "$testfile:\[ 	\]*file format.*Contents.*(text|TEXT|P|\\\$CODE\\\$)\[^0-9\]*\[ 	\]*\[0-9a-fA-F\]*\[ 	\]*(00000001|01000000|00000100).*Contents.*(data|DATA|D_1)\[^0-9\]*\[ 	\]*\[0-9a-fA-F\]*\[ 	\]*(00000002|02000000|00000200)"
++    set got [binutils_run $OBJDUMP "$OBJDUMPFLAGS -s $testfile"]
+ 
+-if [regexp $want $got] then {
+-    pass "objdump -s"
+-} else {
+-    fail "objdump -s"
++    set want "$dumpfile:\[ 	\]*file format.*Contents.*(text|TEXT|P|\\\$CODE\\\$)\[^0-9\]*\[ 	\]*\[0-9a-fA-F\]*\[ 	\]*(00000001|01000000|00000100).*Contents.*(data|DATA|D_1)\[^0-9\]*\[ 	\]*\[0-9a-fA-F\]*\[ 	\]*(00000002|02000000|00000200)"
++
++    if [regexp $want $got] then {
++	pass "objdump -s ($testfile, $dumpfile)"
++    } else {
++	fail "objdump -s ($testfile, $dumpfile)"
++    }
++}
++
++test_objdump_s $testfile $testfile
++if { [ remote_file host exists $testarchive ] } then {
++    test_objdump_s $testarchive bintest2.o
+ }
+ 
+ # Test objdump -s on a file that contains a compressed .debug section
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-05-30  H.J. Lu  <hongjiu.lu@intel.com>
++
++       PR binutils/21519
++       * bfdio.c (bfd_get_file_size): New function.
++       * bfd-in2.h: Regenerated.
++
+ 2017-06-27  Alan Modra  <amodra@gmail.com>
+ 
+        PR binutils/21665
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,16 @@
++2017-05-30  H.J. Lu  <hongjiu.lu@intel.com>
++
++       PR binutils/21519
++       * objdump.c (dump_relocs_in_section): Replace get_file_size
++       with bfd_get_file_size to get archive element size.
++       * testsuite/binutils-all/objdump.exp (test_objdump_f): New
++       proc.
++       (test_objdump_h): Likewise.
++       (test_objdump_t): Likewise.
++       (test_objdump_r): Likewise.
++       (test_objdump_s): Likewise.
++       Add objdump tests on archive.
++
+ 2017-07-01  Alan Modra  <amodra@gmail.com>
+ 
+ 	PR binutils/21665
-- 
2.7.4

✗ patchtest: failure for "[pyro] binutils: Security fix ..." and 25 more

[Patchwork]

== Series Details ==

Series: "[pyro] binutils: Security fix ..." and 25 more
Revision: 1
URL   : https://patchwork.openembedded.org/series/9951/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence] 
  Suggested fix    Sign off the added patch file (meta/recipes-devtools/binutils/binutils/CVE-2017-9955_9.patch)

* Issue             Upstream-Status is in incorrect format [test_upstream_status_presence_format] 
  Suggested fix    Fix Upstream-Status format in CVE-2017-8393.patch
  Current          Upstream-Status: Backort
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe