[pyro][PATCH 22/26] binutls: Security fix for CVE-2017-9753

[Armin Kuster <akuster808@gmail.com>]

Affects: <= 2.28

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.28.inc   |  1 +
 .../binutils/binutils/CVE-2017-9753.patch          | 79 ++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 68d21c8..c6ef647 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -64,6 +64,7 @@ SRC_URI = "\
      file://CVE-2017-9750.patch \
      file://CVE-2017-9751.patch \
      file://CVE-2017-9752.patch \
+     file://CVE-2017-9753.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch
new file mode 100644
index 0000000..241142b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753.patch
@@ -0,0 +1,79 @@
+From 04f963fd489cae724a60140e13984415c205f4ac Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 10:35:16 +0100
+Subject: [PATCH] Fix seg-faults in objdump when disassembling a corrupt
+ versados binary.
+
+	PR binutils/21591
+	* versados.c (versados_mkobject): Zero the allocated tdata structure.
+	(process_otr): Check for an invalid offset in the otr structure.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9753
+CVE: CVE-2017-9754
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog  |  6 ++++++
+ bfd/versados.c | 12 ++++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+Index: git/bfd/versados.c
+===================================================================
+--- git.orig/bfd/versados.c
++++ git/bfd/versados.c
+@@ -149,7 +149,7 @@ versados_mkobject (bfd *abfd)
+   if (abfd->tdata.versados_data == NULL)
+     {
+       bfd_size_type amt = sizeof (tdata_type);
+-      tdata_type *tdata = bfd_alloc (abfd, amt);
++      tdata_type *tdata = bfd_zalloc (abfd, amt);
+ 
+       if (tdata == NULL)
+ 	return FALSE;
+@@ -345,13 +345,13 @@ reloc_howto_type versados_howto_table[]
+ };
+ 
+ static int
+-get_offset (int len, unsigned char *ptr)
++get_offset (unsigned int len, unsigned char *ptr)
+ {
+   int val = 0;
+ 
+   if (len)
+     {
+-      int i;
++      unsigned int i;
+ 
+       val = *ptr++;
+       if (val & 0x80)
+@@ -394,9 +394,13 @@ process_otr (bfd *abfd, struct ext_otr *
+ 	  int flag = *srcp++;
+ 	  int esdids = (flag >> 5) & 0x7;
+ 	  int sizeinwords = ((flag >> 3) & 1) ? 2 : 1;
+-	  int offsetlen = flag & 0x7;
++	  unsigned int offsetlen = flag & 0x7;
+ 	  int j;
+ 
++	  /* PR 21591: Check for invalid lengths.  */
++	  if (srcp + esdids + offsetlen >= endp)
++	    return;
++
+ 	  if (esdids == 0)
+ 	    {
+ 	      /* A zero esdid means the new pc is the offset given.  */
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -8,6 +8,10 @@
+        (ieee_archive_p): Likewise.
+ 
+ 2017-06-14  Nick Clifton  <nickc@redhat.com>
++
++       PR binutils/21591
++       * versados.c (versados_mkobject): Zero the allocated tdata structure.
++       (process_otr): Check for an invalid offset in the otr structure.
+  
+        PR binutils/21589
+        * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
-- 
2.7.4