diff --git a/gdb-6.3-security-errata-20050610.patch b/gdb-6.3-security-errata-20050610.patch index e9d4ace..035b662 100644 --- a/gdb-6.3-security-errata-20050610.patch +++ b/gdb-6.3-security-errata-20050610.patch @@ -16,6 +16,8 @@ (source_command): Update documentation. Check permissions if FROM_TTY is -1. +bfd changes: + 2005-05-17 H.J. Lu * elf.c (group_signature): Check if the symbol table section is @@ -32,8 +34,96 @@ * elfcode.h (elf_object_p): Add more sanity checks on elf header. ---- gdb-6.3/gdb/cli/cli-cmds.c.fix 2005-06-10 15:36:27.000000000 -0400 -+++ gdb-6.3/gdb/cli/cli-cmds.c 2005-06-10 15:40:20.000000000 -0400 +2005-06-21 Jakub Jelinek + + * libbfd-in.h (struct artdata): Add extended_names_size field. + * libbfd.h: Rebuilt. + * coff-rs600.c (_bfd_xcoff_archive_p): Don't clear fields in freshly + allocated object by bfd_zalloc. + * coff64-rs6000.c (xcoff64_archive_p): Likewise. + * ecoff.c (_bfd_ecoff_archive_p): Likewise. + * archive.c (_bfd_generic_mkarchive, bfd_generic_archive_p): Likewise. + (get_extended_arelt_filename): Fail if index is bigger or equal to + extended_names_size. + (_bfd_generic_read_ar_hdr_mag): Don't set bfd_error_malformed_archive, + get_extended_arelt_filename already did that. + (_bfd_slurp_extended_name_table): Initialize extended_names_size field. + Allocate one extra byte and clear it, in case extended names table + is not terminated. + +2005-06-15 Jakub Jelinek + + * libbfd-in.h (bfd_malloc2, bfd_realloc2, bfd_zmalloc2, bfd_alloc2, + bfd_zalloc2): New prototypes. + * bfd-in.h (HALF_BFD_SIZE_TYPE): Define. + * libbfd.c (bfd_malloc2, bfd_realloc2, bfd_zmalloc2): New functions. + * opncls.c (bfd_alloc2, bfd_zalloc2): New functions. + * elf.c (bfd_elf_get_elf_syms, setup_group, assign_section_numbers, + elf_map_symbols, map_sections_to_segments, + assign_file_positions_for_segments, copy_private_bfd_data, + swap_out_syms, _bfd_elf_slurp_version_tables): Use bfd_*alloc2 + where appropriate. + * bfd-in2.h: Rebuilt. + * libbfd.h: Rebuilt. + + * elf.c (_bfd_elf_print_private_bfd_data): Don't crash on bogus + verdef or verneed section. + (_bfd_elf_slurp_version_tables): Handle corrupt verdef and/or + verneed sections gracefully. + * elf32-sparc.c (elf32_sparc_info_to_howto): Don't crash on + bogus relocation values. + * elf64-sparc.c (sparc64_elf_info_to_howto): Likewise. + * elf64-ppc.c (ppc64_elf_info_to_howto): Likewise. + * elf64-s390.c (elf_s390_info_to_howto): Likewise. + * elf32-s390.c (elf_s390_info_to_howto): Likewise. + * elf64-x86-64.c (elf64_x86_64_info_to_howto): Likewise. + * elfxx-ia64.c (lookup_howto): Likewise. + +2005-06-14 Jakub Jelinek + + * elf.c (bfd_elf_get_str_section): Allocate an extra byte after + the end of strtab and clear it. + (elf_read): Remove. + + * elf.c (bfd_section_from_shdr): Fail if name is NULL. + Prevent endless recursion on broken objects. + + * archive.c (do_slurp_coff_armap): Check for overflows. + +2005-05-26 Jakub Jelinek + + * elfcode.h (elf_object_p): Fail if e_shoff != 0, e_shnum == 0 and + first shdr has sh_size == 0. Fail if e_shnum is large to cause + arithmetic overflow when allocating the i_shdr array. + Sanity check sh_link and sh_info fields. Fix e_shstrndx sanity check. + +2005-05-18 H.J. Lu + + * elf.c (group_signature): Check if the symbol table section is + correct. + +2005-05-17 Tavis Ormandy + + * elf.c (bfd_section_from_shdr): Add sanity check when parsing + dynamic sections. + +2005-05-09 Alan Modra + + * elfcode.h (elf_object_p): Add more sanity checks on elf header. + +--- gdb-6.3/include/elf/external.h.fix 2005-07-07 19:14:08.000000000 -0400 ++++ gdb-6.3/include/elf/external.h 2005-07-07 19:18:27.000000000 -0400 +@@ -272,5 +272,8 @@ typedef struct + unsigned char a_val[8]; + } Elf64_External_Auxv; + ++/* Size of SHT_GROUP section entry. */ ++ ++#define GRP_ENTRY_SIZE 4 + + #endif /* _ELF_EXTERNAL_H */ +--- gdb-6.3/gdb/cli/cli-cmds.c.fix 2005-07-07 19:16:17.000000000 -0400 ++++ gdb-6.3/gdb/cli/cli-cmds.c 2005-07-07 19:18:27.000000000 -0400 @@ -38,6 +38,7 @@ #include "objfiles.h" #include "source.h" @@ -85,8 +175,8 @@ script_from_file (stream, file); do_cleanups (old_cleanups); ---- gdb-6.3/gdb/testsuite/gdb.base/gdbinit.exp.fix 2005-06-10 15:42:54.000000000 -0400 -+++ gdb-6.3/gdb/testsuite/gdb.base/gdbinit.exp 2005-06-10 15:40:20.000000000 -0400 +--- gdb-6.3/gdb/testsuite/gdb.base/gdbinit.exp.fix 2005-07-07 19:19:30.000000000 -0400 ++++ gdb-6.3/gdb/testsuite/gdb.base/gdbinit.exp 2005-07-07 19:18:27.000000000 -0400 @@ -0,0 +1,98 @@ +# Copyright 2005 +# Free Software Foundation, Inc. @@ -186,12 +276,32 @@ +} + +remote_exec build "rm .gdbinit" ---- gdb-6.3/gdb/testsuite/gdb.base/gdbinit.sample.fix 2005-06-10 15:43:01.000000000 -0400 -+++ gdb-6.3/gdb/testsuite/gdb.base/gdbinit.sample 2005-06-10 15:40:20.000000000 -0400 +--- gdb-6.3/gdb/testsuite/gdb.base/gdbinit.sample.fix 2005-07-07 19:19:34.000000000 -0400 ++++ gdb-6.3/gdb/testsuite/gdb.base/gdbinit.sample 2005-07-07 19:18:27.000000000 -0400 @@ -0,0 +1 @@ +echo "\nin gdbinit" ---- gdb-6.3/gdb/configure.fix 2005-06-10 15:35:47.000000000 -0400 -+++ gdb-6.3/gdb/configure 2005-06-10 15:41:44.000000000 -0400 +--- gdb-6.3/gdb/main.c.fix 2005-07-07 19:14:26.000000000 -0400 ++++ gdb-6.3/gdb/main.c 2005-07-07 19:18:55.000000000 -0400 +@@ -609,7 +609,7 @@ extern int gdbtk_test (char *); + + if (!inhibit_gdbinit) + { +- catch_command_errors (source_command, homeinit, 0, RETURN_MASK_ALL); ++ catch_command_errors (source_command, homeinit, -1, RETURN_MASK_ALL); + } + + /* Do stats; no need to do them elsewhere since we'll only +@@ -695,7 +695,7 @@ extern int gdbtk_test (char *); + || memcmp ((char *) &homebuf, (char *) &cwdbuf, sizeof (struct stat))) + if (!inhibit_gdbinit) + { +- catch_command_errors (source_command, gdbinit, 0, RETURN_MASK_ALL); ++ catch_command_errors (source_command, gdbinit, -1, RETURN_MASK_ALL); + } + + for (i = 0; i < ncmd; i++) +--- gdb-6.3/gdb/configure.fix 2005-07-07 19:15:29.000000000 -0400 ++++ gdb-6.3/gdb/configure 2005-07-07 19:20:08.000000000 -0400 @@ -6640,7 +6640,7 @@ else fi done @@ -2087,8 +2197,29 @@ rm -rf conftest* am_cv_proto_iconv_arg1="" else ---- gdb-6.3/gdb/config.in.fix 2005-06-10 15:35:33.000000000 -0400 -+++ gdb-6.3/gdb/config.in 2005-06-10 15:40:20.000000000 -0400 +--- gdb-6.3/gdb/configure.in.fix 2005-07-07 19:15:34.000000000 -0400 ++++ gdb-6.3/gdb/configure.in 2005-07-07 19:18:27.000000000 -0400 +@@ -440,6 +440,7 @@ AC_FUNC_ALLOCA + AC_FUNC_MMAP + AC_FUNC_VFORK + AC_CHECK_FUNCS(canonicalize_file_name realpath) ++AC_CHECK_FUNCS(getuid) + AC_CHECK_FUNCS(poll) + AC_CHECK_FUNCS(pread64) + AC_CHECK_FUNCS(sbrk) +--- gdb-6.3/gdb/Makefile.in.fix 2005-07-07 19:16:06.000000000 -0400 ++++ gdb-6.3/gdb/Makefile.in 2005-07-07 19:18:27.000000000 -0400 +@@ -2751,7 +2751,7 @@ cli-cmds.o: $(srcdir)/cli/cli-cmds.c $(d + $(expression_h) $(frame_h) $(value_h) $(language_h) $(filenames_h) \ + $(objfiles_h) $(source_h) $(disasm_h) $(ui_out_h) $(top_h) \ + $(cli_decode_h) $(cli_script_h) $(cli_setshow_h) $(cli_cmds_h) \ +- $(tui_h) ++ $(tui_h) $(gdb_stat_h) + $(CC) -c $(INTERNAL_CFLAGS) $(srcdir)/cli/cli-cmds.c + cli-decode.o: $(srcdir)/cli/cli-decode.c $(defs_h) $(symtab_h) \ + $(gdb_regex_h) $(gdb_string_h) $(ui_out_h) $(cli_cmds_h) \ +--- gdb-6.3/gdb/config.in.fix 2005-07-07 19:16:09.000000000 -0400 ++++ gdb-6.3/gdb/config.in 2005-07-07 19:18:55.000000000 -0400 @@ -203,6 +203,9 @@ /* Define if you have the getpagesize function. */ #undef HAVE_GETPAGESIZE @@ -2099,50 +2230,90 @@ /* Define if you have the monstartup function. */ #undef HAVE_MONSTARTUP ---- gdb-6.3/gdb/main.c.fix 2005-06-10 15:35:51.000000000 -0400 -+++ gdb-6.3/gdb/main.c 2005-06-10 15:40:20.000000000 -0400 -@@ -609,7 +609,7 @@ extern int gdbtk_test (char *); +--- gdb-6.3/bfd/elf.c.fix 2005-07-07 19:09:17.000000000 -0400 ++++ gdb-6.3/bfd/elf.c 2005-07-07 19:18:55.000000000 -0400 +@@ -206,28 +206,6 @@ bfd_elf_hash (const char *namearg) + return h & 0xffffffff; + } - if (!inhibit_gdbinit) +-/* Read a specified number of bytes at a specified offset in an ELF +- file, into a newly allocated buffer, and return a pointer to the +- buffer. */ +- +-static char * +-elf_read (bfd *abfd, file_ptr offset, bfd_size_type size) +-{ +- char *buf; +- +- if ((buf = bfd_alloc (abfd, size)) == NULL) +- return NULL; +- if (bfd_seek (abfd, offset, SEEK_SET) != 0) +- return NULL; +- if (bfd_bread (buf, size, abfd) != size) +- { +- if (bfd_get_error () != bfd_error_system_call) +- bfd_set_error (bfd_error_file_truncated); +- return NULL; +- } +- return buf; +-} +- + bfd_boolean + bfd_elf_mkobject (bfd *abfd) + { +@@ -267,7 +245,21 @@ bfd_elf_get_str_section (bfd *abfd, unsi + /* No cached one, attempt to read, and cache what we read. */ + offset = i_shdrp[shindex]->sh_offset; + shstrtabsize = i_shdrp[shindex]->sh_size; +- shstrtab = elf_read (abfd, offset, shstrtabsize); ++ ++ /* Allocate and clear an extra byte at the end, to prevent crashes ++ in case the string table is not terminated. */ ++ if (shstrtabsize + 1 == 0 ++ || (shstrtab = bfd_alloc (abfd, shstrtabsize + 1)) == NULL ++ || bfd_seek (abfd, offset, SEEK_SET) != 0) ++ shstrtab = NULL; ++ else if (bfd_bread (shstrtab, shstrtabsize, abfd) != shstrtabsize) ++ { ++ if (bfd_get_error () != bfd_error_system_call) ++ bfd_set_error (bfd_error_file_truncated); ++ shstrtab = NULL; ++ } ++ else ++ shstrtab[shstrtabsize] = '\0'; + i_shdrp[shindex]->contents = shstrtab; + } + return shstrtab; +@@ -348,7 +340,7 @@ bfd_elf_get_elf_syms (bfd *ibfd, + pos = symtab_hdr->sh_offset + symoffset * extsym_size; + if (extsym_buf == NULL) + { +- alloc_ext = bfd_malloc (amt); ++ alloc_ext = bfd_malloc2 (symcount, extsym_size); + extsym_buf = alloc_ext; + } + if (extsym_buf == NULL +@@ -367,7 +359,8 @@ bfd_elf_get_elf_syms (bfd *ibfd, + pos = shndx_hdr->sh_offset + symoffset * sizeof (Elf_External_Sym_Shndx); + if (extshndx_buf == NULL) { -- catch_command_errors (source_command, homeinit, 0, RETURN_MASK_ALL); -+ catch_command_errors (source_command, homeinit, -1, RETURN_MASK_ALL); +- alloc_extshndx = bfd_malloc (amt); ++ alloc_extshndx = bfd_malloc2 (symcount, ++ sizeof (Elf_External_Sym_Shndx)); + extshndx_buf = alloc_extshndx; } + if (extshndx_buf == NULL +@@ -381,8 +374,7 @@ bfd_elf_get_elf_syms (bfd *ibfd, - /* Do stats; no need to do them elsewhere since we'll only -@@ -695,7 +695,7 @@ extern int gdbtk_test (char *); - || memcmp ((char *) &homebuf, (char *) &cwdbuf, sizeof (struct stat))) - if (!inhibit_gdbinit) - { -- catch_command_errors (source_command, gdbinit, 0, RETURN_MASK_ALL); -+ catch_command_errors (source_command, gdbinit, -1, RETURN_MASK_ALL); - } - - for (i = 0; i < ncmd; i++) ---- gdb-6.3/gdb/Makefile.in.fix 2005-06-10 15:36:01.000000000 -0400 -+++ gdb-6.3/gdb/Makefile.in 2005-06-10 15:40:20.000000000 -0400 -@@ -2751,7 +2751,7 @@ cli-cmds.o: $(srcdir)/cli/cli-cmds.c $(d - $(expression_h) $(frame_h) $(value_h) $(language_h) $(filenames_h) \ - $(objfiles_h) $(source_h) $(disasm_h) $(ui_out_h) $(top_h) \ - $(cli_decode_h) $(cli_script_h) $(cli_setshow_h) $(cli_cmds_h) \ -- $(tui_h) -+ $(tui_h) $(gdb_stat_h) - $(CC) -c $(INTERNAL_CFLAGS) $(srcdir)/cli/cli-cmds.c - cli-decode.o: $(srcdir)/cli/cli-decode.c $(defs_h) $(symtab_h) \ - $(gdb_regex_h) $(gdb_string_h) $(ui_out_h) $(cli_cmds_h) \ ---- gdb-6.3/gdb/configure.in.fix 2005-06-10 15:38:44.000000000 -0400 -+++ gdb-6.3/gdb/configure.in 2005-06-10 15:40:20.000000000 -0400 -@@ -440,6 +440,7 @@ AC_FUNC_ALLOCA - AC_FUNC_MMAP - AC_FUNC_VFORK - AC_CHECK_FUNCS(canonicalize_file_name realpath) -+AC_CHECK_FUNCS(getuid) - AC_CHECK_FUNCS(poll) - AC_CHECK_FUNCS(pread64) - AC_CHECK_FUNCS(sbrk) ---- gdb-6.3/bfd/elf.c.fix 2005-06-10 15:37:08.000000000 -0400 -+++ gdb-6.3/bfd/elf.c 2005-06-10 15:40:31.000000000 -0400 -@@ -438,8 +438,11 @@ group_signature (bfd *abfd, Elf_Internal + if (intsym_buf == NULL) + { +- bfd_size_type amt = symcount * sizeof (Elf_Internal_Sym); +- intsym_buf = bfd_malloc (amt); ++ intsym_buf = bfd_malloc2 (symcount, sizeof (Elf_Internal_Sym)); + if (intsym_buf == NULL) + goto out; + } +@@ -438,8 +430,11 @@ group_signature (bfd *abfd, Elf_Internal Elf_External_Sym_Shndx eshndx; Elf_Internal_Sym isym; @@ -2156,8 +2327,490 @@ return NULL; /* Go read the symbol. */ ---- gdb-6.3/bfd/elfcode.h.fix 2005-06-10 15:37:17.000000000 -0400 -+++ gdb-6.3/bfd/elfcode.h 2005-06-10 15:40:31.000000000 -0400 +@@ -483,8 +478,9 @@ setup_group (bfd *abfd, Elf_Internal_Shd + { + /* We keep a list of elf section headers for group sections, + so we can find them quickly. */ +- bfd_size_type amt = num_group * sizeof (Elf_Internal_Shdr *); +- elf_tdata (abfd)->group_sect_ptr = bfd_alloc (abfd, amt); ++ bfd_size_type amt; ++ elf_tdata (abfd)->group_sect_ptr ++ = bfd_alloc2 (abfd, num_group, sizeof (Elf_Internal_Shdr *)); + if (elf_tdata (abfd)->group_sect_ptr == NULL) + return FALSE; + +@@ -504,7 +500,8 @@ setup_group (bfd *abfd, Elf_Internal_Shd + /* Read the raw contents. */ + BFD_ASSERT (sizeof (*dest) >= 4); + amt = shdr->sh_size * sizeof (*dest) / 4; +- shdr->contents = bfd_alloc (abfd, amt); ++ shdr->contents = bfd_alloc2 (abfd, shdr->sh_size, ++ sizeof (*dest) / 4); + if (shdr->contents == NULL + || bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 + || (bfd_bread (shdr->contents, shdr->sh_size, abfd) +@@ -1204,8 +1201,9 @@ _bfd_elf_print_private_bfd_data (bfd *ab + for (t = elf_tdata (abfd)->verdef; t != NULL; t = t->vd_nextdef) + { + fprintf (f, "%d 0x%2.2x 0x%8.8lx %s\n", t->vd_ndx, +- t->vd_flags, t->vd_hash, t->vd_nodename); +- if (t->vd_auxptr->vda_nextptr != NULL) ++ t->vd_flags, t->vd_hash, ++ t->vd_nodename ? t->vd_nodename : ""); ++ if (t->vd_auxptr != NULL && t->vd_auxptr->vda_nextptr != NULL) + { + Elf_Internal_Verdaux *a; + +@@ -1213,7 +1211,8 @@ _bfd_elf_print_private_bfd_data (bfd *ab + for (a = t->vd_auxptr->vda_nextptr; + a != NULL; + a = a->vda_nextptr) +- fprintf (f, "%s ", a->vda_nodename); ++ fprintf (f, "%s ", ++ a->vda_nodename ? a->vda_nodename : ""); + fprintf (f, "\n"); + } + } +@@ -1228,10 +1227,12 @@ _bfd_elf_print_private_bfd_data (bfd *ab + { + Elf_Internal_Vernaux *a; + +- fprintf (f, _(" required from %s:\n"), t->vn_filename); ++ fprintf (f, _(" required from %s:\n"), ++ t->vn_filename ? t->vn_filename : ""); + for (a = t->vn_auxptr; a != NULL; a = a->vna_nextptr) + fprintf (f, " 0x%8.8lx 0x%2.2x %2.2d %s\n", a->vna_hash, +- a->vna_flags, a->vna_other, a->vna_nodename); ++ a->vna_flags, a->vna_other, ++ a->vna_nodename ? a->vna_nodename : ""); + } + } + +@@ -1725,6 +1726,8 @@ bfd_section_from_shdr (bfd *abfd, unsign + const char *name; + + name = elf_string_from_elf_strtab (abfd, hdr->sh_name); ++ if (name == NULL) ++ return FALSE; + + switch (hdr->sh_type) + { +@@ -1745,6 +1748,9 @@ bfd_section_from_shdr (bfd *abfd, unsign + case SHT_DYNAMIC: /* Dynamic linking information. */ + if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name)) + return FALSE; ++ if (hdr->sh_link > elf_numsections (abfd) ++ || elf_elfsections (abfd)[hdr->sh_link] == NULL) ++ return FALSE; + if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB) + { + Elf_Internal_Shdr *dynsymhdr; +@@ -1779,7 +1785,8 @@ bfd_section_from_shdr (bfd *abfd, unsign + if (elf_onesymtab (abfd) == shindex) + return TRUE; + +- BFD_ASSERT (hdr->sh_entsize == bed->s->sizeof_sym); ++ if (hdr->sh_entsize != bed->s->sizeof_sym) ++ return FALSE; + BFD_ASSERT (elf_onesymtab (abfd) == 0); + elf_onesymtab (abfd) = shindex; + elf_tdata (abfd)->symtab_hdr = *hdr; +@@ -1803,7 +1810,8 @@ bfd_section_from_shdr (bfd *abfd, unsign + if (elf_dynsymtab (abfd) == shindex) + return TRUE; + +- BFD_ASSERT (hdr->sh_entsize == bed->s->sizeof_sym); ++ if (hdr->sh_entsize != bed->s->sizeof_sym) ++ return FALSE; + BFD_ASSERT (elf_dynsymtab (abfd) == 0); + elf_dynsymtab (abfd) = shindex; + elf_tdata (abfd)->dynsymtab_hdr = *hdr; +@@ -1846,6 +1854,9 @@ bfd_section_from_shdr (bfd *abfd, unsign + Elf_Internal_Shdr *hdr2 = elf_elfsections (abfd)[i]; + if (hdr2->sh_link == shindex) + { ++ /* Prevent endless recursion on broken objects. */ ++ if (i == shindex) ++ return FALSE; + if (! bfd_section_from_shdr (abfd, i)) + return FALSE; + if (elf_onesymtab (abfd) == i) +@@ -1889,6 +1900,11 @@ bfd_section_from_shdr (bfd *abfd, unsign + Elf_Internal_Shdr *hdr2; + unsigned int num_sec = elf_numsections (abfd); + ++ if (hdr->sh_entsize ++ != (bfd_size_type) (hdr->sh_type == SHT_REL ++ ? bed->s->sizeof_rel : bed->s->sizeof_rela)) ++ return FALSE; ++ + /* Check for a bogus link to avoid crashing. */ + if ((hdr->sh_link >= SHN_LORESERVE && hdr->sh_link <= SHN_HIRESERVE) + || hdr->sh_link >= num_sec) +@@ -1944,6 +1960,10 @@ bfd_section_from_shdr (bfd *abfd, unsign + if (hdr->sh_link != elf_onesymtab (abfd) || hdr->sh_info == SHN_UNDEF) + return _bfd_elf_make_section_from_shdr (abfd, hdr, name); + ++ /* Prevent endless recursion on broken objects. */ ++ if (elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL ++ || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA) ++ return FALSE; + if (! bfd_section_from_shdr (abfd, hdr->sh_info)) + return FALSE; + target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info); +@@ -1983,6 +2003,8 @@ bfd_section_from_shdr (bfd *abfd, unsign + break; + + case SHT_GNU_versym: ++ if (hdr->sh_entsize != sizeof (Elf_External_Versym)) ++ return FALSE; + elf_dynversym (abfd) = shindex; + elf_tdata (abfd)->dynversym_hdr = *hdr; + return _bfd_elf_make_section_from_shdr (abfd, hdr, name); +@@ -2001,6 +2023,8 @@ bfd_section_from_shdr (bfd *abfd, unsign + /* We need a BFD section for objcopy and relocatable linking, + and it's handy to have the signature available as the section + name. */ ++ if (hdr->sh_entsize != GRP_ENTRY_SIZE) ++ return FALSE; + name = group_signature (abfd, hdr); + if (name == NULL) + return FALSE; +@@ -2724,7 +2748,6 @@ assign_section_numbers (bfd *abfd) + asection *sec; + unsigned int section_number, secn; + Elf_Internal_Shdr **i_shdrp; +- bfd_size_type amt; + + section_number = 1; + +@@ -2798,13 +2821,11 @@ assign_section_numbers (bfd *abfd) + + /* Set up the list of section header pointers, in agreement with the + indices. */ +- amt = section_number * sizeof (Elf_Internal_Shdr *); +- i_shdrp = bfd_zalloc (abfd, amt); ++ i_shdrp = bfd_zalloc2 (abfd, section_number, sizeof (Elf_Internal_Shdr *)); + if (i_shdrp == NULL) + return FALSE; + +- amt = sizeof (Elf_Internal_Shdr); +- i_shdrp[0] = bfd_zalloc (abfd, amt); ++ i_shdrp[0] = bfd_zalloc (abfd, sizeof (Elf_Internal_Shdr)); + if (i_shdrp[0] == NULL) + { + bfd_release (abfd, i_shdrp); +@@ -3036,7 +3057,6 @@ elf_map_symbols (bfd *abfd) + unsigned int idx; + asection *asect; + asymbol **new_syms; +- bfd_size_type amt; + + #ifdef DEBUG + fprintf (stderr, "elf_map_symbols\n"); +@@ -3050,8 +3070,7 @@ elf_map_symbols (bfd *abfd) + } + + max_index++; +- amt = max_index * sizeof (asymbol *); +- sect_syms = bfd_zalloc (abfd, amt); ++ sect_syms = bfd_zalloc2 (abfd, max_index, sizeof (asymbol *)); + if (sect_syms == NULL) + return FALSE; + elf_section_syms (abfd) = sect_syms; +@@ -3124,8 +3143,7 @@ elf_map_symbols (bfd *abfd) + } + + /* Now sort the symbols so the local symbols are first. */ +- amt = (num_locals + num_globals) * sizeof (asymbol *); +- new_syms = bfd_alloc (abfd, amt); ++ new_syms = bfd_alloc2 (abfd, num_locals + num_globals, sizeof (asymbol *)); + + if (new_syms == NULL) + return FALSE; +@@ -3384,8 +3402,7 @@ map_sections_to_segments (bfd *abfd) + + /* Select the allocated sections, and sort them. */ + +- amt = bfd_count_sections (abfd) * sizeof (asection *); +- sections = bfd_malloc (amt); ++ sections = bfd_malloc2 (bfd_count_sections (abfd), sizeof (asection *)); + if (sections == NULL) + goto error_return; + +@@ -3817,7 +3834,6 @@ assign_file_positions_for_segments (bfd + bfd_vma filehdr_vaddr, filehdr_paddr; + bfd_vma phdrs_vaddr, phdrs_paddr; + Elf_Internal_Phdr *p; +- bfd_size_type amt; + + if (elf_tdata (abfd)->segment_map == NULL) + { +@@ -3889,8 +3905,7 @@ assign_file_positions_for_segments (bfd + if (alloc == 0) + alloc = count; + +- amt = alloc * sizeof (Elf_Internal_Phdr); +- phdrs = bfd_alloc (abfd, amt); ++ phdrs = bfd_alloc2 (abfd, alloc, sizeof (Elf_Internal_Phdr)); + if (phdrs == NULL) + return FALSE; + +@@ -5158,8 +5173,7 @@ copy_private_bfd_data (bfd *ibfd, bfd *o + + /* Gcc 2.96 miscompiles this code on mips. Don't do casting here + to work around this long long bug. */ +- amt = section_count * sizeof (asection *); +- sections = bfd_malloc (amt); ++ sections = bfd_malloc2 (section_count, sizeof (asection *)); + if (sections == NULL) + return FALSE; + +@@ -5601,8 +5615,7 @@ swap_out_syms (bfd *abfd, + symstrtab_hdr = &elf_tdata (abfd)->strtab_hdr; + symstrtab_hdr->sh_type = SHT_STRTAB; + +- amt = (bfd_size_type) (1 + symcount) * bed->s->sizeof_sym; +- outbound_syms = bfd_alloc (abfd, amt); ++ outbound_syms = bfd_alloc2 (abfd, 1 + symcount, bed->s->sizeof_sym); + if (outbound_syms == NULL) + { + _bfd_stringtab_free (stt); +@@ -5615,7 +5628,8 @@ swap_out_syms (bfd *abfd, + if (symtab_shndx_hdr->sh_name != 0) + { + amt = (bfd_size_type) (1 + symcount) * sizeof (Elf_External_Sym_Shndx); +- outbound_shndx = bfd_zalloc (abfd, amt); ++ outbound_shndx = bfd_zalloc2 (abfd, 1 + symcount, ++ sizeof (Elf_External_Sym_Shndx)); + if (outbound_shndx == NULL) + { + _bfd_stringtab_free (stt); +@@ -6028,7 +6042,6 @@ bfd_boolean + _bfd_elf_slurp_version_tables (bfd *abfd) + { + bfd_byte *contents = NULL; +- bfd_size_type amt; + + if (elf_dynverdef (abfd) != 0) + { +@@ -6039,6 +6052,7 @@ _bfd_elf_slurp_version_tables (bfd *abfd + Elf_Internal_Verdef iverdefmem; + unsigned int i; + unsigned int maxidx; ++ bfd_byte *contents_end_def, *contents_end_aux; + + hdr = &elf_tdata (abfd)->dynverdef_hdr; + +@@ -6049,6 +6063,16 @@ _bfd_elf_slurp_version_tables (bfd *abfd + || bfd_bread (contents, hdr->sh_size, abfd) != hdr->sh_size) + goto error_return; + ++ if (hdr->sh_info && hdr->sh_size < sizeof (Elf_External_Verdef)) ++ goto error_return; ++ ++ BFD_ASSERT (sizeof (Elf_External_Verdef) ++ >= sizeof (Elf_External_Verdaux)); ++ contents_end_def = contents + hdr->sh_size ++ - sizeof (Elf_External_Verdef); ++ contents_end_aux = contents + hdr->sh_size ++ - sizeof (Elf_External_Verdaux); ++ + /* We know the number of entries in the section but not the maximum + index. Therefore we have to run through all entries and find + the maximum. */ +@@ -6061,12 +6085,16 @@ _bfd_elf_slurp_version_tables (bfd *abfd + if ((iverdefmem.vd_ndx & ((unsigned) VERSYM_VERSION)) > maxidx) + maxidx = iverdefmem.vd_ndx & ((unsigned) VERSYM_VERSION); + ++ if (iverdefmem.vd_next ++ > (size_t) (contents_end_def - (bfd_byte *) everdef)) ++ goto error_return; ++ + everdef = ((Elf_External_Verdef *) + ((bfd_byte *) everdef + iverdefmem.vd_next)); + } + +- amt = (bfd_size_type) maxidx * sizeof (Elf_Internal_Verdef); +- elf_tdata (abfd)->verdef = bfd_zalloc (abfd, amt); ++ elf_tdata (abfd)->verdef = bfd_zalloc2 (abfd, maxidx, ++ sizeof (Elf_Internal_Verdef)); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return; + +@@ -6082,15 +6110,32 @@ _bfd_elf_slurp_version_tables (bfd *abfd + + _bfd_elf_swap_verdef_in (abfd, everdef, &iverdefmem); + ++ if ((iverdefmem.vd_ndx & VERSYM_VERSION) == 0) ++ { ++error_return_verdef: ++ elf_tdata (abfd)->verdef = NULL; ++ elf_tdata (abfd)->cverdefs = 0; ++ goto error_return; ++ } ++ + iverdef = &iverdefarr[(iverdefmem.vd_ndx & VERSYM_VERSION) - 1]; + memcpy (iverdef, &iverdefmem, sizeof (Elf_Internal_Verdef)); + + iverdef->vd_bfd = abfd; + +- amt = (bfd_size_type) iverdef->vd_cnt * sizeof (Elf_Internal_Verdaux); +- iverdef->vd_auxptr = bfd_alloc (abfd, amt); +- if (iverdef->vd_auxptr == NULL) +- goto error_return; ++ if (iverdef->vd_cnt == 0) ++ iverdef->vd_auxptr = NULL; ++ else ++ { ++ iverdef->vd_auxptr = bfd_alloc2 (abfd, iverdef->vd_cnt, ++ sizeof (Elf_Internal_Verdaux)); ++ if (iverdef->vd_auxptr == NULL) ++ goto error_return_verdef; ++ } ++ ++ if (iverdef->vd_aux ++ > (size_t) (contents_end_aux - (bfd_byte *) everdef)) ++ goto error_return_verdef; + + everdaux = ((Elf_External_Verdaux *) + ((bfd_byte *) everdef + iverdef->vd_aux)); +@@ -6103,20 +6148,25 @@ _bfd_elf_slurp_version_tables (bfd *abfd + bfd_elf_string_from_elf_section (abfd, hdr->sh_link, + iverdaux->vda_name); + if (iverdaux->vda_nodename == NULL) +- goto error_return; ++ goto error_return_verdef; + + if (j + 1 < iverdef->vd_cnt) + iverdaux->vda_nextptr = iverdaux + 1; + else + iverdaux->vda_nextptr = NULL; + ++ if (iverdaux->vda_next ++ > (size_t) (contents_end_aux - (bfd_byte *) everdaux)) ++ goto error_return_verdef; ++ + everdaux = ((Elf_External_Verdaux *) + ((bfd_byte *) everdaux + iverdaux->vda_next)); + } + +- iverdef->vd_nodename = iverdef->vd_auxptr->vda_nodename; ++ if (iverdef->vd_cnt) ++ iverdef->vd_nodename = iverdef->vd_auxptr->vda_nodename; + +- if (i + 1 < hdr->sh_info) ++ if ((size_t) (iverdef - iverdefarr) + 1 < maxidx) + iverdef->vd_nextdef = iverdef + 1; + else + iverdef->vd_nextdef = NULL; +@@ -6135,11 +6185,12 @@ _bfd_elf_slurp_version_tables (bfd *abfd + Elf_External_Verneed *everneed; + Elf_Internal_Verneed *iverneed; + unsigned int i; ++ bfd_byte *contents_end; + + hdr = &elf_tdata (abfd)->dynverref_hdr; + +- amt = (bfd_size_type) hdr->sh_info * sizeof (Elf_Internal_Verneed); +- elf_tdata (abfd)->verref = bfd_zalloc (abfd, amt); ++ elf_tdata (abfd)->verref = bfd_zalloc2 (abfd, hdr->sh_info, ++ sizeof (Elf_Internal_Verneed)); + if (elf_tdata (abfd)->verref == NULL) + goto error_return; + +@@ -6147,11 +6198,22 @@ _bfd_elf_slurp_version_tables (bfd *abfd + + contents = bfd_malloc (hdr->sh_size); + if (contents == NULL) +- goto error_return; ++ { ++error_return_verref: ++ elf_tdata (abfd)->verref = NULL; ++ elf_tdata (abfd)->cverrefs = 0; ++ goto error_return; ++ } + if (bfd_seek (abfd, hdr->sh_offset, SEEK_SET) != 0 + || bfd_bread (contents, hdr->sh_size, abfd) != hdr->sh_size) +- goto error_return; ++ goto error_return_verref; + ++ if (hdr->sh_info && hdr->sh_size < sizeof (Elf_External_Verneed)) ++ goto error_return_verref; ++ ++ BFD_ASSERT (sizeof (Elf_External_Verneed) ++ == sizeof (Elf_External_Vernaux)); ++ contents_end = contents + hdr->sh_size - sizeof (Elf_External_Verneed); + everneed = (Elf_External_Verneed *) contents; + iverneed = elf_tdata (abfd)->verref; + for (i = 0; i < hdr->sh_info; i++, iverneed++) +@@ -6168,11 +6230,21 @@ _bfd_elf_slurp_version_tables (bfd *abfd + bfd_elf_string_from_elf_section (abfd, hdr->sh_link, + iverneed->vn_file); + if (iverneed->vn_filename == NULL) +- goto error_return; ++ goto error_return_verref; + +- amt = iverneed->vn_cnt; +- amt *= sizeof (Elf_Internal_Vernaux); +- iverneed->vn_auxptr = bfd_alloc (abfd, amt); ++ if (iverneed->vn_cnt == 0) ++ iverneed->vn_auxptr = NULL; ++ else ++ { ++ iverneed->vn_auxptr = bfd_alloc2 (abfd, iverneed->vn_cnt, ++ sizeof (Elf_Internal_Vernaux)); ++ if (iverneed->vn_auxptr == NULL) ++ goto error_return_verref; ++ } ++ ++ if (iverneed->vn_aux ++ > (size_t) (contents_end - (bfd_byte *) everneed)) ++ goto error_return_verref; + + evernaux = ((Elf_External_Vernaux *) + ((bfd_byte *) everneed + iverneed->vn_aux)); +@@ -6185,13 +6257,17 @@ _bfd_elf_slurp_version_tables (bfd *abfd + bfd_elf_string_from_elf_section (abfd, hdr->sh_link, + ivernaux->vna_name); + if (ivernaux->vna_nodename == NULL) +- goto error_return; ++ goto error_return_verref; + + if (j + 1 < iverneed->vn_cnt) + ivernaux->vna_nextptr = ivernaux + 1; + else + ivernaux->vna_nextptr = NULL; + ++ if (ivernaux->vna_next ++ > (size_t) (contents_end - (bfd_byte *) evernaux)) ++ goto error_return_verref; ++ + evernaux = ((Elf_External_Vernaux *) + ((bfd_byte *) evernaux + ivernaux->vna_next)); + } +@@ -6201,6 +6277,10 @@ _bfd_elf_slurp_version_tables (bfd *abfd + else + iverneed->vn_nextref = NULL; + ++ if (iverneed->vn_next ++ > (size_t) (contents_end - (bfd_byte *) everneed)) ++ goto error_return_verref; ++ + everneed = ((Elf_External_Verneed *) + ((bfd_byte *) everneed + iverneed->vn_next)); + } +--- gdb-6.3/bfd/elfcode.h.fix 2005-07-07 19:09:22.000000000 -0400 ++++ gdb-6.3/bfd/elfcode.h 2005-07-07 19:18:55.000000000 -0400 +@@ -33,7 +33,7 @@ Foundation, Inc., 59 Temple Place - Suit + /* Problems and other issues to resolve. + + (1) BFD expects there to be some fixed number of "sections" in +- the object file. I.E. there is a "section_count" variable in the ++ the object file. I.E. there is a "section_count" variable in the + bfd structure which contains the number of sections. However, ELF + supports multiple "views" of a file. In particular, with current + implementations, executable files typically have two tables, a @@ -613,8 +613,13 @@ elf_object_p (bfd *abfd) if (i_ehdrp->e_shoff != 0) @@ -2261,3 +2914,679 @@ /* Read in the program headers. */ if (i_ehdrp->e_phnum == 0) elf_tdata (abfd)->phdr = NULL; +@@ -1059,7 +1124,7 @@ elf_slurp_symbol_table (bfd *abfd, asymb + symcount); + + /* Slurp in the symbols without the version information, +- since that is more helpful than just quitting. */ ++ since that is more helpful than just quitting. */ + verhdr = NULL; + } + +@@ -1126,7 +1191,7 @@ elf_slurp_symbol_table (bfd *abfd, asymb + sym->symbol.section = bfd_abs_section_ptr; + + /* If this is a relocatable file, then the symbol value is +- already section relative. */ ++ already section relative. */ + if ((abfd->flags & (EXEC_P | DYNAMIC)) != 0) + sym->symbol.value -= sym->symbol.section->vma; + +--- gdb-6.3/bfd/archive.c.fix 2005-07-07 19:09:29.000000000 -0400 ++++ gdb-6.3/bfd/archive.c 2005-07-07 19:18:55.000000000 -0400 +@@ -170,11 +170,13 @@ _bfd_generic_mkarchive (bfd *abfd) + if (bfd_ardata (abfd) == NULL) + return FALSE; + +- bfd_ardata (abfd)->cache = NULL; +- bfd_ardata (abfd)->archive_head = NULL; +- bfd_ardata (abfd)->symdefs = NULL; +- bfd_ardata (abfd)->extended_names = NULL; +- bfd_ardata (abfd)->tdata = NULL; ++ /* Already cleared by bfd_zalloc above. ++ bfd_ardata (abfd)->cache = NULL; ++ bfd_ardata (abfd)->archive_head = NULL; ++ bfd_ardata (abfd)->symdefs = NULL; ++ bfd_ardata (abfd)->extended_names = NULL; ++ bfd_ardata (abfd)->extended_names_size = 0; ++ bfd_ardata (abfd)->tdata = NULL; */ + + return TRUE; + } +@@ -302,7 +304,7 @@ get_extended_arelt_filename (bfd *arch, + errno = 0; + /* Skip first char, which is '/' in SVR4 or ' ' in some other variants. */ + index = strtol (name + 1, NULL, 10); +- if (errno != 0) ++ if (errno != 0 || index >= bfd_ardata (arch)->extended_names_size) + { + bfd_set_error (bfd_error_malformed_archive); + return NULL; +@@ -372,10 +374,7 @@ _bfd_generic_read_ar_hdr_mag (bfd *abfd, + { + filename = get_extended_arelt_filename (abfd, hdr.ar_name); + if (filename == NULL) +- { +- bfd_set_error (bfd_error_malformed_archive); +- return NULL; +- } ++ return NULL; + } + /* BSD4.4-style long filename. + Only implemented for reading, so far! */ +@@ -601,11 +600,13 @@ bfd_generic_archive_p (bfd *abfd) + } + + bfd_ardata (abfd)->first_file_filepos = SARMAG; +- bfd_ardata (abfd)->cache = NULL; +- bfd_ardata (abfd)->archive_head = NULL; +- bfd_ardata (abfd)->symdefs = NULL; +- bfd_ardata (abfd)->extended_names = NULL; +- bfd_ardata (abfd)->tdata = NULL; ++ /* Cleared by bfd_zalloc above. ++ bfd_ardata (abfd)->cache = NULL; ++ bfd_ardata (abfd)->archive_head = NULL; ++ bfd_ardata (abfd)->symdefs = NULL; ++ bfd_ardata (abfd)->extended_names = NULL; ++ bfd_ardata (abfd)->extended_names_size = 0; ++ bfd_ardata (abfd)->tdata = NULL; */ + + if (!BFD_SEND (abfd, _bfd_slurp_armap, (abfd)) + || !BFD_SEND (abfd, _bfd_slurp_extended_name_table, (abfd))) +@@ -804,9 +805,15 @@ do_slurp_coff_armap (bfd *abfd) + /* The coff armap must be read sequentially. So we construct a + bsd-style one in core all at once, for simplicity. */ + ++ if (nsymz > ~ (bfd_size_type) 0 / sizeof (carsym)) ++ return FALSE; ++ + carsym_size = (nsymz * sizeof (carsym)); + ptrsize = (4 * nsymz); + ++ if (carsym_size + stringsize + 1 <= carsym_size) ++ return FALSE; ++ + ardata->symdefs = bfd_zalloc (abfd, carsym_size + stringsize + 1); + if (ardata->symdefs == NULL) + return FALSE; +@@ -1043,6 +1050,7 @@ _bfd_slurp_extended_name_table (bfd *abf + strncmp (nextname, "// ", 16) != 0) + { + bfd_ardata (abfd)->extended_names = NULL; ++ bfd_ardata (abfd)->extended_names_size = 0; + return TRUE; + } + +@@ -1051,7 +1059,11 @@ _bfd_slurp_extended_name_table (bfd *abf + return FALSE; + + amt = namedata->parsed_size; +- bfd_ardata (abfd)->extended_names = bfd_zalloc (abfd, amt); ++ if (amt + 1 == 0) ++ goto byebye; ++ ++ bfd_ardata (abfd)->extended_names_size = amt; ++ bfd_ardata (abfd)->extended_names = bfd_zalloc (abfd, amt + 1); + if (bfd_ardata (abfd)->extended_names == NULL) + { + byebye: +@@ -1074,15 +1086,17 @@ _bfd_slurp_extended_name_table (bfd *abf + trailing '/'. DOS/NT created archive often have \ in them + We'll fix all problems here.. */ + { +- char *temp = bfd_ardata (abfd)->extended_names; ++ char *ext_names = bfd_ardata (abfd)->extended_names; ++ char *temp = ext_names; + char *limit = temp + namedata->parsed_size; + for (; temp < limit; ++temp) + { + if (*temp == '\012') +- temp[temp[-1] == '/' ? -1 : 0] = '\0'; ++ temp[temp > ext_names && temp[-1] == '/' ? -1 : 0] = '\0'; + if (*temp == '\\') + *temp = '/'; + } ++ *limit = '\0'; + } + + /* Pad to an even boundary if you have to. */ +--- gdb-6.3/bfd/libbfd-in.h.fix 2005-07-07 19:09:39.000000000 -0400 ++++ gdb-6.3/bfd/libbfd-in.h 2005-07-07 19:18:55.000000000 -0400 +@@ -61,6 +61,7 @@ struct artdata { + carsym *symdefs; /* the symdef entries */ + symindex symdef_count; /* how many there are */ + char *extended_names; /* clever intel extension */ ++ bfd_size_type extended_names_size; /* Size of extended names */ + /* when more compilers are standard C, this can be a time_t */ + long armap_timestamp; /* Timestamp value written into armap. + This is used for BSD archives to check +@@ -90,6 +91,12 @@ extern void *bfd_realloc + (void *, bfd_size_type); + extern void *bfd_zmalloc + (bfd_size_type); ++extern void *bfd_malloc2 ++ (bfd_size_type, bfd_size_type); ++extern void *bfd_realloc2 ++ (void *, bfd_size_type, bfd_size_type); ++extern void *bfd_zmalloc2 ++ (bfd_size_type, bfd_size_type); + + extern void _bfd_default_error_handler (const char *s, ...); + extern bfd_error_handler_type _bfd_error_handler; +@@ -100,6 +107,10 @@ extern void *bfd_alloc + (bfd *, bfd_size_type); + extern void *bfd_zalloc + (bfd *, bfd_size_type); ++extern void *bfd_alloc2 ++ (bfd *, bfd_size_type, bfd_size_type); ++extern void *bfd_zalloc2 ++ (bfd *, bfd_size_type, bfd_size_type); + extern void bfd_release + (bfd *, void *); + +--- gdb-6.3/bfd/bfd-in.h.fix 2005-07-07 19:09:45.000000000 -0400 ++++ gdb-6.3/bfd/bfd-in.h 2005-07-07 19:18:55.000000000 -0400 +@@ -144,6 +144,9 @@ typedef unsigned long bfd_size_type; + + #endif /* not BFD64 */ + ++#define HALF_BFD_SIZE_TYPE \ ++ (((bfd_size_type) 1) << (8 * sizeof (bfd_size_type) / 2)) ++ + #ifndef BFD_HOST_64_BIT + /* Fall back on a 32 bit type. The idea is to make these types always + available for function return types, but in the case that +--- gdb-6.3/bfd/libbfd.c.fix 2005-07-07 19:09:51.000000000 -0400 ++++ gdb-6.3/bfd/libbfd.c 2005-07-07 19:18:55.000000000 -0400 +@@ -156,6 +156,36 @@ bfd_malloc (bfd_size_type size) + return ptr; + } + ++/* Allocate memory using malloc, nmemb * size with overflow checking. */ ++ ++void * ++bfd_malloc2 (bfd_size_type nmemb, bfd_size_type size) ++{ ++ void *ptr; ++ ++ if ((nmemb | size) >= HALF_BFD_SIZE_TYPE ++ && size != 0 ++ && nmemb > ~(bfd_size_type) 0 / size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return NULL; ++ } ++ ++ size *= nmemb; ++ ++ if (size != (size_t) size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return NULL; ++ } ++ ++ ptr = malloc ((size_t) size); ++ if (ptr == NULL && (size_t) size != 0) ++ bfd_set_error (bfd_error_no_memory); ++ ++ return ptr; ++} ++ + /* Reallocate memory using realloc. */ + + void * +@@ -180,6 +210,40 @@ bfd_realloc (void *ptr, bfd_size_type si + return ret; + } + ++/* Reallocate memory using realloc, nmemb * size with overflow checking. */ ++ ++void * ++bfd_realloc2 (void *ptr, bfd_size_type nmemb, bfd_size_type size) ++{ ++ void *ret; ++ ++ if ((nmemb | size) >= HALF_BFD_SIZE_TYPE ++ && size != 0 ++ && nmemb > ~(bfd_size_type) 0 / size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return NULL; ++ } ++ ++ size *= nmemb; ++ ++ if (size != (size_t) size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return NULL; ++ } ++ ++ if (ptr == NULL) ++ ret = malloc ((size_t) size); ++ else ++ ret = realloc (ptr, (size_t) size); ++ ++ if (ret == NULL && (size_t) size != 0) ++ bfd_set_error (bfd_error_no_memory); ++ ++ return ret; ++} ++ + /* Allocate memory using malloc and clear it. */ + + void * +@@ -205,6 +269,44 @@ bfd_zmalloc (bfd_size_type size) + + return ptr; + } ++ ++/* Allocate memory using malloc (nmemb * size) with overflow checking ++ and clear it. */ ++ ++void * ++bfd_zmalloc2 (bfd_size_type nmemb, bfd_size_type size) ++{ ++ void *ptr; ++ ++ if ((nmemb | size) >= HALF_BFD_SIZE_TYPE ++ && size != 0 ++ && nmemb > ~(bfd_size_type) 0 / size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return NULL; ++ } ++ ++ size *= nmemb; ++ ++ if (size != (size_t) size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return NULL; ++ } ++ ++ ptr = malloc ((size_t) size); ++ ++ if ((size_t) size != 0) ++ { ++ if (ptr == NULL) ++ bfd_set_error (bfd_error_no_memory); ++ else ++ memset (ptr, 0, (size_t) size); ++ } ++ ++ return ptr; ++} ++ + /* + INTERNAL_FUNCTION + bfd_write_bigendian_4byte_int +--- gdb-6.3/bfd/opncls.c.fix 2005-07-07 19:09:59.000000000 -0400 ++++ gdb-6.3/bfd/opncls.c 2005-07-07 19:18:55.000000000 -0400 +@@ -849,6 +849,54 @@ bfd_zalloc (bfd *abfd, bfd_size_type siz + return res; + } + ++void * ++bfd_alloc2 (bfd *abfd, bfd_size_type nmemb, bfd_size_type size) ++{ ++ void *ret; ++ ++ if ((nmemb | size) >= HALF_BFD_SIZE_TYPE ++ && size != 0 ++ && nmemb > ~(bfd_size_type) 0 / size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return NULL; ++ } ++ ++ size *= nmemb; ++ ++ if (size != (unsigned long) size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return NULL; ++ } ++ ++ ret = objalloc_alloc (abfd->memory, (unsigned long) size); ++ if (ret == NULL) ++ bfd_set_error (bfd_error_no_memory); ++ return ret; ++} ++ ++void * ++bfd_zalloc2 (bfd *abfd, bfd_size_type nmemb, bfd_size_type size) ++{ ++ void *res; ++ ++ if ((nmemb | size) >= HALF_BFD_SIZE_TYPE ++ && size != 0 ++ && nmemb > ~(bfd_size_type) 0 / size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return NULL; ++ } ++ ++ size *= nmemb; ++ ++ res = bfd_alloc (abfd, size); ++ if (res) ++ memset (res, 0, (size_t) size); ++ return res; ++} ++ + /* Free a block allocated for a BFD. + Note: Also frees all more recently allocated blocks! */ + +--- gdb-6.3/bfd/bfd-in2.h.fix 2005-07-07 19:10:08.000000000 -0400 ++++ gdb-6.3/bfd/bfd-in2.h 2005-07-07 19:18:55.000000000 -0400 +@@ -151,6 +151,9 @@ typedef unsigned long bfd_size_type; + + #endif /* not BFD64 */ + ++#define HALF_BFD_SIZE_TYPE \ ++ (((bfd_size_type) 1) << (8 * sizeof (bfd_size_type) / 2)) ++ + #ifndef BFD_HOST_64_BIT + /* Fall back on a 32 bit type. The idea is to make these types always + available for function return types, but in the case that +--- gdb-6.3/bfd/libbfd.h.fix 2005-07-07 19:10:13.000000000 -0400 ++++ gdb-6.3/bfd/libbfd.h 2005-07-07 19:18:55.000000000 -0400 +@@ -66,6 +66,7 @@ struct artdata { + carsym *symdefs; /* the symdef entries */ + symindex symdef_count; /* how many there are */ + char *extended_names; /* clever intel extension */ ++ bfd_size_type extended_names_size; /* Size of extended names */ + /* when more compilers are standard C, this can be a time_t */ + long armap_timestamp; /* Timestamp value written into armap. + This is used for BSD archives to check +@@ -95,6 +96,12 @@ extern void *bfd_realloc + (void *, bfd_size_type); + extern void *bfd_zmalloc + (bfd_size_type); ++extern void *bfd_malloc2 ++ (bfd_size_type, bfd_size_type); ++extern void *bfd_realloc2 ++ (void *, bfd_size_type, bfd_size_type); ++extern void *bfd_zmalloc2 ++ (bfd_size_type, bfd_size_type); + + extern void _bfd_default_error_handler (const char *s, ...); + extern bfd_error_handler_type _bfd_error_handler; +@@ -105,6 +112,10 @@ extern void *bfd_alloc + (bfd *, bfd_size_type); + extern void *bfd_zalloc + (bfd *, bfd_size_type); ++extern void *bfd_alloc2 ++ (bfd *, bfd_size_type, bfd_size_type); ++extern void *bfd_zalloc2 ++ (bfd *, bfd_size_type, bfd_size_type); + extern void bfd_release + (bfd *, void *); + +--- gdb-6.3/bfd/elf32-sparc.c.fix 2005-07-07 19:10:19.000000000 -0400 ++++ gdb-6.3/bfd/elf32-sparc.c 2005-07-07 19:18:55.000000000 -0400 +@@ -313,7 +313,8 @@ elf32_sparc_info_to_howto (abfd, cache_p + arelent *cache_ptr; + Elf_Internal_Rela *dst; + { +- switch (ELF32_R_TYPE(dst->r_info)) ++ unsigned int r_type = ELF32_R_TYPE(dst->r_info); ++ switch (r_type) + { + case R_SPARC_GNU_VTINHERIT: + cache_ptr->howto = &elf32_sparc_vtinherit_howto; +@@ -328,8 +329,13 @@ elf32_sparc_info_to_howto (abfd, cache_p + break; + + default: +- BFD_ASSERT (ELF32_R_TYPE(dst->r_info) < (unsigned int) R_SPARC_max_std); +- cache_ptr->howto = &_bfd_sparc_elf_howto_table[ELF32_R_TYPE(dst->r_info)]; ++ if (r_type >= (unsigned int) R_SPARC_max_std) ++ { ++ (*_bfd_error_handler) (_("invalid relocation type %d"), ++ (int) r_type); ++ r_type = R_SPARC_NONE; ++ } ++ cache_ptr->howto = &_bfd_sparc_elf_howto_table[r_type]; + } + } + +--- gdb-6.3/bfd/elf64-ppc.c.fix 2005-07-07 19:10:27.000000000 -0400 ++++ gdb-6.3/bfd/elf64-ppc.c 2005-07-07 19:18:55.000000000 -0400 +@@ -2118,8 +2118,13 @@ ppc64_elf_info_to_howto (bfd *abfd ATTRI + ppc_howto_init (); + + type = ELF64_R_TYPE (dst->r_info); +- BFD_ASSERT (type < (sizeof (ppc64_elf_howto_table) +- / sizeof (ppc64_elf_howto_table[0]))); ++ if (type >= (sizeof (ppc64_elf_howto_table) ++ / sizeof (ppc64_elf_howto_table[0]))) ++ { ++ (*_bfd_error_handler) (_("%B: invalid relocation type %d"), ++ abfd, (int) type); ++ type = R_PPC64_NONE; ++ } + cache_ptr->howto = ppc64_elf_howto_table[type]; + } + +--- gdb-6.3/bfd/elf64-sparc.c.fix 2005-07-07 19:10:35.000000000 -0400 ++++ gdb-6.3/bfd/elf64-sparc.c 2005-07-07 19:18:55.000000000 -0400 +@@ -310,8 +310,14 @@ sparc64_elf_info_to_howto (abfd, cache_p + arelent *cache_ptr; + Elf_Internal_Rela *dst; + { +- BFD_ASSERT (ELF64_R_TYPE_ID (dst->r_info) < (unsigned int) R_SPARC_max_std); +- cache_ptr->howto = &sparc64_elf_howto_table[ELF64_R_TYPE_ID (dst->r_info)]; ++ unsigned int r_type = ELF64_R_TYPE_ID (dst->r_info); ++ if (r_type >= (unsigned int) R_SPARC_max_std) ++ { ++ (*_bfd_error_handler) (_("invalid relocation type %d"), ++ (int) r_type); ++ r_type = R_SPARC_NONE; ++ } ++ cache_ptr->howto = &sparc64_elf_howto_table[r_type]; + } + + struct sparc64_elf_section_data +--- gdb-6.3/bfd/elf32-s390.c.fix 2005-07-07 19:10:58.000000000 -0400 ++++ gdb-6.3/bfd/elf32-s390.c 2005-07-07 19:18:55.000000000 -0400 +@@ -350,7 +350,8 @@ elf_s390_info_to_howto (abfd, cache_ptr, + arelent *cache_ptr; + Elf_Internal_Rela *dst; + { +- switch (ELF32_R_TYPE(dst->r_info)) ++ unsigned int r_type = ELF32_R_TYPE(dst->r_info); ++ switch (r_type) + { + case R_390_GNU_VTINHERIT: + cache_ptr->howto = &elf32_s390_vtinherit_howto; +@@ -361,8 +362,13 @@ elf_s390_info_to_howto (abfd, cache_ptr, + break; + + default: +- BFD_ASSERT (ELF32_R_TYPE(dst->r_info) < (unsigned int) R_390_max); +- cache_ptr->howto = &elf_howto_table[ELF32_R_TYPE(dst->r_info)]; ++ if (r_type >= sizeof (elf_howto_table) / sizeof (elf_howto_table[0])) ++ { ++ (*_bfd_error_handler) (_("%B: invalid relocation type %d"), ++ abfd, (int) r_type); ++ r_type = R_390_NONE; ++ } ++ cache_ptr->howto = &elf_howto_table[r_type]; + } + } + +--- gdb-6.3/bfd/elf64-s390.c.fix 2005-07-07 19:11:09.000000000 -0400 ++++ gdb-6.3/bfd/elf64-s390.c 2005-07-07 19:18:55.000000000 -0400 +@@ -372,7 +372,8 @@ elf_s390_info_to_howto (abfd, cache_ptr, + arelent *cache_ptr; + Elf_Internal_Rela *dst; + { +- switch (ELF64_R_TYPE(dst->r_info)) ++ unsigned int r_type = ELF64_R_TYPE(dst->r_info); ++ switch (r_type) + { + case R_390_GNU_VTINHERIT: + cache_ptr->howto = &elf64_s390_vtinherit_howto; +@@ -383,8 +384,13 @@ elf_s390_info_to_howto (abfd, cache_ptr, + break; + + default: +- BFD_ASSERT (ELF64_R_TYPE(dst->r_info) < (unsigned int) R_390_max); +- cache_ptr->howto = &elf_howto_table[ELF64_R_TYPE(dst->r_info)]; ++ if (r_type >= sizeof (elf_howto_table) / sizeof (elf_howto_table[0])) ++ { ++ (*_bfd_error_handler) (_("%B: invalid relocation type %d"), ++ abfd, (int) r_type); ++ r_type = R_390_NONE; ++ } ++ cache_ptr->howto = &elf_howto_table[r_type]; + } + } + +--- gdb-6.3/bfd/elfxx-ia64.c.fix 2005-07-07 19:11:16.000000000 -0400 ++++ gdb-6.3/bfd/elfxx-ia64.c 2005-07-07 19:18:55.000000000 -0400 +@@ -479,7 +479,8 @@ lookup_howto (rtype) + elf_code_to_howto_index[ia64_howto_table[i].type] = i; + } + +- BFD_ASSERT (rtype <= R_IA64_MAX_RELOC_CODE); ++ if (rtype > R_IA64_MAX_RELOC_CODE) ++ return 0; + i = elf_code_to_howto_index[rtype]; + if (i >= NELEMS (ia64_howto_table)) + return 0; +--- gdb-6.3/bfd/coffcode.h.fix 2005-07-07 19:11:23.000000000 -0400 ++++ gdb-6.3/bfd/coffcode.h 2005-07-07 19:18:55.000000000 -0400 +@@ -5060,7 +5060,7 @@ coff_slurp_reloc_table (abfd, asect, sym + amt = (bfd_size_type) asect->reloc_count * sizeof (arelent); + reloc_cache = (arelent *) bfd_alloc (abfd, amt); + +- if (reloc_cache == NULL) ++ if (reloc_cache == NULL || native_relocs == NULL) + return FALSE; + + for (idx = 0; idx < asect->reloc_count; idx++) +--- gdb-6.3/bfd/peXXigen.c.fix 2005-07-07 19:11:29.000000000 -0400 ++++ gdb-6.3/bfd/peXXigen.c 2005-07-07 19:18:55.000000000 -0400 +@@ -1167,7 +1167,7 @@ pe_print_idata (abfd, vfile) + bfd_vma toc_address; + bfd_vma start_address; + bfd_byte *data; +- int offset; ++ bfd_vma offset; + + if (!bfd_malloc_and_get_section (abfd, rel_section, &data)) + { +@@ -1178,6 +1178,13 @@ pe_print_idata (abfd, vfile) + + offset = abfd->start_address - rel_section->vma; + ++ if (offset >= rel_section->size || offset + 8 > rel_section->size) ++ { ++ if (data != NULL) ++ free (data); ++ return FALSE; ++ } ++ + start_address = bfd_get_32 (abfd, data + offset); + loadable_toc_address = bfd_get_32 (abfd, data + offset + 4); + toc_address = loadable_toc_address - 32768; +@@ -1251,6 +1258,9 @@ pe_print_idata (abfd, vfile) + if (hint_addr == 0 && first_thunk == 0) + break; + ++ if (dll_name - adj >= section->size) ++ break; ++ + dll = (char *) data + dll_name - adj; + fprintf (file, _("\n\tDLL Name: %s\n"), dll); + +--- gdb-6.3/bfd/coff-rs6000.c.fix 2005-07-07 19:11:38.000000000 -0400 ++++ gdb-6.3/bfd/coff-rs6000.c 2005-07-07 19:18:55.000000000 -0400 +@@ -1294,10 +1294,12 @@ _bfd_xcoff_archive_p (abfd) + if (bfd_ardata (abfd) == (struct artdata *) NULL) + goto error_ret_restore; + +- bfd_ardata (abfd)->cache = NULL; +- bfd_ardata (abfd)->archive_head = NULL; +- bfd_ardata (abfd)->symdefs = NULL; +- bfd_ardata (abfd)->extended_names = NULL; ++ /* Cleared by bfd_zalloc above. ++ bfd_ardata (abfd)->cache = NULL; ++ bfd_ardata (abfd)->archive_head = NULL; ++ bfd_ardata (abfd)->symdefs = NULL; ++ bfd_ardata (abfd)->extended_names = NULL; ++ bfd_ardata (abfd)->extended_names_size = 0; */ + + /* Now handle the two formats. */ + if (magic[1] != 'b') +--- gdb-6.3/bfd/coff64-rs6000.c.fix 2005-07-07 19:11:46.000000000 -0400 ++++ gdb-6.3/bfd/coff64-rs6000.c 2005-07-07 19:18:55.000000000 -0400 +@@ -1983,10 +1983,12 @@ xcoff64_archive_p (abfd) + if (bfd_ardata (abfd) == (struct artdata *) NULL) + goto error_ret_restore; + +- bfd_ardata (abfd)->cache = NULL; +- bfd_ardata (abfd)->archive_head = NULL; +- bfd_ardata (abfd)->symdefs = NULL; +- bfd_ardata (abfd)->extended_names = NULL; ++ /* Already cleared by bfd_zalloc above. ++ bfd_ardata (abfd)->cache = NULL; ++ bfd_ardata (abfd)->archive_head = NULL; ++ bfd_ardata (abfd)->symdefs = NULL; ++ bfd_ardata (abfd)->extended_names = NULL; ++ bfd_ardata (abfd)->extended_names_size = 0; */ + bfd_ardata (abfd)->first_file_filepos = bfd_scan_vma (hdr.firstmemoff, + (const char **) NULL, + 10); +--- gdb-6.3/bfd/ecoff.c.fix 2005-07-07 19:11:51.000000000 -0400 ++++ gdb-6.3/bfd/ecoff.c 2005-07-07 19:18:55.000000000 -0400 +@@ -3329,11 +3329,13 @@ _bfd_ecoff_archive_p (abfd) + } + + bfd_ardata (abfd)->first_file_filepos = SARMAG; +- bfd_ardata (abfd)->cache = NULL; +- bfd_ardata (abfd)->archive_head = NULL; +- bfd_ardata (abfd)->symdefs = NULL; +- bfd_ardata (abfd)->extended_names = NULL; +- bfd_ardata (abfd)->tdata = NULL; ++ /* Already cleared by bfd_zalloc above. ++ bfd_ardata (abfd)->cache = NULL; ++ bfd_ardata (abfd)->archive_head = NULL; ++ bfd_ardata (abfd)->symdefs = NULL; ++ bfd_ardata (abfd)->extended_names = NULL; ++ bfd_ardata (abfd)->extended_names_size = 0; ++ bfd_ardata (abfd)->tdata = NULL; */ + + if (! _bfd_ecoff_slurp_armap (abfd) + || ! _bfd_ecoff_slurp_extended_name_table (abfd)) +--- gdb-6.3/bfd/elf64-x86-64.c.fix 2005-07-07 19:17:31.000000000 -0400 ++++ gdb-6.3/bfd/elf64-x86-64.c 2005-07-07 19:18:55.000000000 -0400 +@@ -176,16 +176,19 @@ elf64_x86_64_info_to_howto (bfd *abfd AT + unsigned r_type, i; + + r_type = ELF64_R_TYPE (dst->r_info); +- if (r_type < (unsigned int) R_X86_64_GNU_VTINHERIT) ++ if (r_type < (unsigned int) R_X86_64_GNU_VTINHERIT ++ || r_type >= (unsigned int) R_X86_64_max) + { +- BFD_ASSERT (r_type <= (unsigned int) R_X86_64_TPOFF32); ++ if (r_type > (unsigned int) R_X86_64_TPOFF32) ++ { ++ (*_bfd_error_handler) (_("%B: invalid relocation type %d"), ++ abfd, (int) r_type); ++ r_type = R_X86_64_NONE; ++ } + i = r_type; + } + else +- { +- BFD_ASSERT (r_type < (unsigned int) R_X86_64_max); +- i = r_type - ((unsigned int) R_X86_64_GNU_VTINHERIT - R_X86_64_TPOFF32 - 1); +- } ++ i = r_type - ((unsigned int) R_X86_64_GNU_VTINHERIT - R_X86_64_TPOFF32 - 1); + cache_ptr->howto = &x86_64_elf_howto_table[i]; + BFD_ASSERT (r_type == cache_ptr->howto->type); + } diff --git a/gdb.spec b/gdb.spec index 3ebd8fc..53c2f4e 100644 --- a/gdb.spec +++ b/gdb.spec @@ -11,7 +11,7 @@ Name: gdb Version: 6.3.0.0 # The release always contains a leading reserved number, start it at 0. -Release: 1.30 +Release: 1.34 License: GPL Group: Development/Debuggers @@ -479,6 +479,13 @@ fi # don't include the files in include, they are part of binutils %changelog +* Fri Jul 08 2005 Jeff Johnston 6.3.0.0-1.34 +- Bump up release number. + +* Thu Jul 07 2005 Jeff Johnston 6.3.0.0-1.31 +- Modify security errata to include additional bfd robustness updates +- Bugzilla 158680 + * Fri Jun 10 2005 Jeff Johnston 6.3.0.0-1.30 - Bump up release number.