Fix CVE-2021-45078 (incomplete fix for CVE-2018-12699): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45078 https://sourceware.org/bugzilla/show_bug.cgi?id=28694 Patch copied from upstream source repository: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02 From 161e87d12167b1e36193385485c1f6ce92f74f02 Mon Sep 17 00:00:00 2001 From: Alan Modra <amodra@gmail.com> Date: Wed, 15 Dec 2021 11:48:42 +1030 Subject: [PATCH] PR28694, Out-of-bounds write in stab_xcoff_builtin_type PR 28694 * stabs.c (stab_xcoff_builtin_type): Make typenum unsigned. Negate typenum earlier, simplifying bounds checking. Correct off-by-one indexing. Adjust switch cases. --- binutils/stabs.c | 87 ++++++++++++++++++++++++------------------------ 1 file changed, 43 insertions(+), 44 deletions(-) diff --git a/binutils/stabs.c b/binutils/stabs.c index 274bfb0e7fa..83ee3ea5fa4 100644 --- a/binutils/stabs.c +++ b/binutils/stabs.c @@ -202,7 +202,7 @@ static debug_type stab_find_type (void *, struct stab_handle *, const int *); static bool stab_record_type (void *, struct stab_handle *, const int *, debug_type); static debug_type stab_xcoff_builtin_type - (void *, struct stab_handle *, int); + (void *, struct stab_handle *, unsigned int); static debug_type stab_find_tagged_type (void *, struct stab_handle *, const char *, int, enum debug_type_kind); static debug_type *stab_demangle_argtypes @@ -3496,166 +3496,167 @@ stab_record_type (void *dhandle ATTRIBUTE_UNUSED, struct stab_handle *info, static debug_type stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info, - int typenum) + unsigned int typenum) { debug_type rettype; const char *name; - if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT) + typenum = -typenum - 1; + if (typenum >= XCOFF_TYPE_COUNT) { - fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum); + fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1); return DEBUG_TYPE_NULL; } - if (info->xcoff_types[-typenum] != NULL) - return info->xcoff_types[-typenum]; + if (info->xcoff_types[typenum] != NULL) + return info->xcoff_types[typenum]; - switch (-typenum) + switch (typenum) { - case 1: + case 0: /* The size of this and all the other types are fixed, defined by the debugging format. */ name = "int"; rettype = debug_make_int_type (dhandle, 4, false); break; - case 2: + case 1: name = "char"; rettype = debug_make_int_type (dhandle, 1, false); break; - case 3: + case 2: name = "short"; rettype = debug_make_int_type (dhandle, 2, false); break; - case 4: + case 3: name = "long"; rettype = debug_make_int_type (dhandle, 4, false); break; - case 5: + case 4: name = "unsigned char"; rettype = debug_make_int_type (dhandle, 1, true); break; - case 6: + case 5: name = "signed char"; rettype = debug_make_int_type (dhandle, 1, false); break; - case 7: + case 6: name = "unsigned short"; rettype = debug_make_int_type (dhandle, 2, true); break; - case 8: + case 7: name = "unsigned int"; rettype = debug_make_int_type (dhandle, 4, true); break; - case 9: + case 8: name = "unsigned"; rettype = debug_make_int_type (dhandle, 4, true); break; - case 10: + case 9: name = "unsigned long"; rettype = debug_make_int_type (dhandle, 4, true); break; - case 11: + case 10: name = "void"; rettype = debug_make_void_type (dhandle); break; - case 12: + case 11: /* IEEE single precision (32 bit). */ name = "float"; rettype = debug_make_float_type (dhandle, 4); break; - case 13: + case 12: /* IEEE double precision (64 bit). */ name = "double"; rettype = debug_make_float_type (dhandle, 8); break; - case 14: + case 13: /* This is an IEEE double on the RS/6000, and different machines with different sizes for "long double" should use different negative type numbers. See stabs.texinfo. */ name = "long double"; rettype = debug_make_float_type (dhandle, 8); break; - case 15: + case 14: name = "integer"; rettype = debug_make_int_type (dhandle, 4, false); break; - case 16: + case 15: name = "boolean"; rettype = debug_make_bool_type (dhandle, 4); break; - case 17: + case 16: name = "short real"; rettype = debug_make_float_type (dhandle, 4); break; - case 18: + case 17: name = "real"; rettype = debug_make_float_type (dhandle, 8); break; - case 19: + case 18: /* FIXME */ name = "stringptr"; rettype = NULL; break; - case 20: + case 19: /* FIXME */ name = "character"; rettype = debug_make_int_type (dhandle, 1, true); break; - case 21: + case 20: name = "logical*1"; rettype = debug_make_bool_type (dhandle, 1); break; - case 22: + case 21: name = "logical*2"; rettype = debug_make_bool_type (dhandle, 2); break; - case 23: + case 22: name = "logical*4"; rettype = debug_make_bool_type (dhandle, 4); break; - case 24: + case 23: name = "logical"; rettype = debug_make_bool_type (dhandle, 4); break; - case 25: + case 24: /* Complex type consisting of two IEEE single precision values. */ name = "complex"; rettype = debug_make_complex_type (dhandle, 8); break; - case 26: + case 25: /* Complex type consisting of two IEEE double precision values. */ name = "double complex"; rettype = debug_make_complex_type (dhandle, 16); break; - case 27: + case 26: name = "integer*1"; rettype = debug_make_int_type (dhandle, 1, false); break; - case 28: + case 27: name = "integer*2"; rettype = debug_make_int_type (dhandle, 2, false); break; - case 29: + case 28: name = "integer*4"; rettype = debug_make_int_type (dhandle, 4, false); break; - case 30: + case 29: /* FIXME */ name = "wchar"; rettype = debug_make_int_type (dhandle, 2, false); break; - case 31: + case 30: name = "long long"; rettype = debug_make_int_type (dhandle, 8, false); break; - case 32: + case 31: name = "unsigned long long"; rettype = debug_make_int_type (dhandle, 8, true); break; - case 33: + case 32: name = "logical*8"; rettype = debug_make_bool_type (dhandle, 8); break; - case 34: + case 33: name = "integer*8"; rettype = debug_make_int_type (dhandle, 8, false); break; @@ -3664,9 +3665,7 @@ stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info, } rettype = debug_name_type (dhandle, name, rettype); - - info->xcoff_types[-typenum] = rettype; - + info->xcoff_types[typenum] = rettype; return rettype; } -- 2.27.0