Module Name:    src
Committed By:   bouyer
Date:           Sun Sep 30 18:17:50 UTC 2012

Modified Files:
        src/gnu/dist/binutils/bfd [netbsd-5]: archive.c
        src/gnu/dist/binutils/binutils [netbsd-5]: arsup.c

Log Message:
gnu/dist/binutils/bfd/archive.c                 patch
gnu/dist/binutils/binutils/arsup.c              patch

        Fix buffer overflow in ar(1), from toolchain/46827
        [christos, ticket #1793]


To generate a diff of this commit:
cvs rdiff -u -r1.5.26.1 -r1.5.26.2 src/gnu/dist/binutils/bfd/archive.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.26.1 src/gnu/dist/binutils/binutils/arsup.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/gnu/dist/binutils/bfd/archive.c
diff -u src/gnu/dist/binutils/bfd/archive.c:1.5.26.1 src/gnu/dist/binutils/bfd/archive.c:1.5.26.2
--- src/gnu/dist/binutils/bfd/archive.c:1.5.26.1	Thu Dec  4 02:21:30 2008
+++ src/gnu/dist/binutils/bfd/archive.c	Sun Sep 30 18:17:50 2012
@@ -1325,7 +1325,7 @@ bfd_ar_hdr_from_filesystem (bfd *abfd, c
   struct ar_hdr *hdr;
   char *temp, *temp1;
   bfd_size_type amt;
-  char tmpbuf[11];
+  char tmpbuf[1024];
 
   if (member && (member->flags & BFD_IN_MEMORY) != 0)
     {
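Review bot: The new size of `tmpbuf` is a bare 1024 with nothing tying it to what gets formatted into it, and the `sprintf` calls in the later hunks stay unbounded, so their safety rests on this declaration alone. The widest output visible in this diff is a `long` printed with `%ld`, far below 1024 bytes, so the size is sufficient; a comment would record that, e.g. `/* Scratch for one formatted header field; must hold the widest %ld or %o output plus its NUL.  */`. Passing the size to the formatter, as in `snprintf (tmpbuf, sizeof tmpbuf, "%-12ld", (long) status.st_mtime);`, would make the bound explicit, provided snprintf is available to this tree. The function body starts and ends outside this hunk.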
@@ -1355,7 +1355,8 @@ bfd_ar_hdr_from_filesystem (bfd *abfd, c
   strncpy (hdr->ar_fmag, ARFMAG, 2);
 
   /* Goddamned sprintf doesn't permit MAXIMUM field lengths.  */
-  sprintf ((hdr->ar_date), "%-12ld", (long) status.st_mtime);
+  sprintf (tmpbuf, "%-12ld", (long) status.st_mtime);
+  memcpy(hdr->ar_date, tmpbuf, sizeof(hdr->ar_date));
 #ifdef HPUX_LARGE_AR_IDS
   /* HP has a very "special" way to handle UID/GID's with numeric values
      > 99999.  */
@@ -1363,7 +1364,10 @@ bfd_ar_hdr_from_filesystem (bfd *abfd, c
     hpux_uid_gid_encode (hdr->ar_gid, (long) status.st_uid);
   else
 #endif
-    sprintf ((hdr->ar_uid), "%ld", (long) status.st_uid);
+  {
+  sprintf (tmpbuf, "%ld", (long) status.st_uid);
+  memcpy(hdr->ar_uid, tmpbuf, sizeof(hdr->ar_uid));
+  }
 #ifdef HPUX_LARGE_AR_IDS
   /* HP has a very "special" way to handle UID/GID's with numeric values
      > 99999.  */
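Review bot: The `memcpy` of `sizeof(hdr->ar_uid)` bytes reads past the terminator written by `sprintf (tmpbuf, "%ld", ...)`, because this format, unlike `%-12ld`, `%-8o` and `%-10ld` elsewhere in the patch, does not pad to the field width. For a short uid the rest of the field is filled with whatever `tmpbuf` held before, which after the preceding hunk is the tail of the formatted mtime, so stale characters can end up in the uid field; how later code treats them is outside the hunk. Padding in the format avoids this, e.g. `sprintf (tmpbuf, "%-6ld", (long) status.st_uid);`, assuming `ar_uid` is the usual 6-byte field (the struct is not shown here). The gid copy in the next hunk has the same problem.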
@@ -1371,8 +1375,12 @@ bfd_ar_hdr_from_filesystem (bfd *abfd, c
     hpux_uid_gid_encode (hdr->ar_uid, (long) status.st_gid);
   else
 #endif
-  sprintf ((hdr->ar_gid), "%ld", (long) status.st_gid);
-  sprintf ((hdr->ar_mode), "%-8o", (unsigned int) status.st_mode);
+  {
+  sprintf (tmpbuf, "%ld", (long) status.st_gid);
+  memcpy(hdr->ar_gid, tmpbuf, sizeof(hdr->ar_gid));
+  }
+  sprintf (tmpbuf, "%-8o", (unsigned int) status.st_mode);
+  memcpy(hdr->ar_mode, tmpbuf, sizeof(hdr->ar_mode));
   sprintf (tmpbuf, "%-10ld", (long) status.st_size);
   memcpy(hdr->ar_size, tmpbuf, sizeof(hdr->ar_size));
   /* Correct for a lossage in sprintf whereby it null-terminates.  I cannot
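Review bot: Copying exactly `sizeof(hdr->ar_gid)` bytes silently drops trailing digits when the id formats wider than the field, so the header can record a different group than the file has; the uid and date copies in the earlier hunks truncate the same way. The overflow is gone, but the caller gets no indication that the stored value is inexact. Checking the formatted length first, e.g. `if (strlen (tmpbuf) > sizeof (hdr->ar_gid))` followed by this function's error path (not visible in the hunk), would turn truncation into a reported failure.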

Index: src/gnu/dist/binutils/binutils/arsup.c
diff -u src/gnu/dist/binutils/binutils/arsup.c:1.1.1.3 src/gnu/dist/binutils/binutils/arsup.c:1.1.1.3.26.1
--- src/gnu/dist/binutils/binutils/arsup.c:1.1.1.3	Thu Feb  2 20:38:46 2006
+++ src/gnu/dist/binutils/binutils/arsup.c	Sun Sep 30 18:17:50 2012
@@ -147,7 +147,7 @@ char *real_name;
 void
 ar_open (char *name, int t)
 {
-  char *tname = (char *) xmalloc (strlen (name) + 10);
+  char *tname = (char *) xmalloc (4096);
   const char *bname = lbasename (name);
   real_name = name;
 
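Review bot: The allocation for `tname` no longer scales with `name`: `xmalloc (4096)` fits any name up to some fixed length, where `strlen (name) + 10` grew with the input. The code that fills `tname` is outside this hunk; if it formats `name` without a bound, a sufficiently long archive name would still overrun the buffer, and the threshold has only moved. Sizing from the input and the fixed text added to it is safer, and a comment such as `/* tname holds NAME plus the temporary-file prefix; size it from strlen (name) and pass that size to the formatting call.  */` would state the contract. The body of `ar_open` continues past the end of the hunk.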
