Fix sprintf buffer overflows
- From: Nick Clifton <nickc at redhat dot com>
- To: binutils at sourceware dot org
- Date: Fri, 01 Jul 2016 12:34:40 +0100
- Subject: Fix sprintf buffer overflows
- Authentication-results: sourceware.org; auth=none
Hi Guys,
I am applying the patch below to fix up a couple of potential buffer
overflows using sprintf. The overflow could only happen if sprintf
was provided with an extremely large integer value to print, but it
is better to be safe than sorry.
Cheers
Nick
binutils/ChangeLog
2016-07-01 Nick Clifton <nickc@redhat.com>
* prdbg.c (pr_enum_type): Use a buffer big enough to hold an
extremely large decimal value.
(pr_range_type): Likewise.
(pr_array_type): Likewise.
(pr_struct_field): Likewise.
(pr_class_baseclass): Likewise.
(pr_class_method_variant): Likewise.
(pr_tag_type): Likewise.
(pr_int_constant): Likewise.
(pr_typed_constant): Likewise.
(pr_variable): Likewise.
(pr_function_parameter): Likewise.
(pr_start_block): Likewise.
(pr_lineno): Likewise.
(pr_end_block): Likewise.
(tg_enum_type): Likewise.
(tg_int_constant): Likewise.
(tg_typed_constant): Likewise.
(tg_start_block): Likewise.
gas/ChangeLog
2016-07-01 Nick Clifton <nickc@redhat.com>
* macro.c (macro_expand_body): Use a buffer big enough to hold an
extremely large integer.
diff --git a/binutils/prdbg.c b/binutils/prdbg.c
index 7f3dcce..92c6087 100644
--- a/binutils/prdbg.c
+++ b/binutils/prdbg.c
@@ -672,7 +672,7 @@ pr_enum_type (void *p, const char *tag, const char **names,
if (values[i] != val)
{
- char ab[20];
+ char ab[22];
print_vma (values[i], ab, FALSE, FALSE);
if (! append_type (info, " = ")
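Review bot: The new size in `char ab[22];` is a bare literal, and `print_vma (values[i], ab, FALSE, FALSE)` still receives no length, so the bound holds only as long as every caller picks the right number. The same literal is repeated in pr_range_type, pr_struct_field, pr_class_baseclass and the other prdbg.c functions listed in the ChangeLog. A 64-bit value in decimal needs at most 20 characters plus the terminator, so 22 covers that case, but whether it covers every format print_vma can emit depends on code outside this hunk. A named constant with the derivation, e.g. `#define PRINT_VMA_BUFSZ 22 /* 20 chars for a 64-bit decimal incl. sign, + NUL, + 1 spare */`, would make the next audit a single check. Passing `sizeof ab` to print_vma and formatting with snprintf there would remove the per-caller dependency. pr_enum_type begins and ends outside the hunk.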
@@ -802,7 +802,7 @@ static bfd_boolean
pr_range_type (void *p, bfd_signed_vma lower, bfd_signed_vma upper)
{
struct pr_handle *info = (struct pr_handle *) p;
- char abl[20], abu[20];
+ char abl[22], abu[22];
assert (info->stack != NULL);
@@ -827,7 +827,7 @@ pr_array_type (void *p, bfd_signed_vma lower, bfd_signed_vma upper,
{
struct pr_handle *info = (struct pr_handle *) p;
char *range_type;
- char abl[20], abu[20], ab[50];
+ char abl[22], abu[22], ab[50];
range_type = pop_type (info);
if (range_type == NULL)
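Review bot: `ab[50]` stays at 50 while `abl` and `abu` each grow to 22, and the code that fills `ab` is outside this hunk. If `ab` is assembled from both bound strings plus punctuation, two 21-character strings should still fit. That sum belongs next to the declaration, for example `/* ab: both bounds plus separators, must stay > 2 * sizeof abl */`, or the write should be bounded with `sizeof ab`. The body of pr_array_type continues outside the hunk.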
@@ -1151,7 +1151,7 @@ pr_struct_field (void *p, const char *name, bfd_vma bitpos, bfd_vma bitsize,
enum debug_visibility visibility)
{
struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
char *t;
if (! substitute_type (info, name))
@@ -1335,7 +1335,7 @@ pr_class_baseclass (void *p, bfd_vma bitpos, bfd_boolean is_virtual,
struct pr_handle *info = (struct pr_handle *) p;
char *t;
const char *prefix;
- char ab[20];
+ char ab[22];
char *s, *l, *n;
assert (info->stack != NULL && info->stack->next != NULL);
@@ -1495,7 +1495,7 @@ pr_class_method_variant (void *p, const char *physname,
return FALSE;
if (context || voffset != 0)
{
- char ab[20];
+ char ab[22];
if (context)
{
@@ -1602,7 +1602,7 @@ pr_tag_type (void *p, const char *name, unsigned int id,
{
struct pr_handle *info = (struct pr_handle *) p;
const char *t, *tag;
- char idbuf[20];
+ char idbuf[22];
switch (kind)
{
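Review bot: `idbuf` is given the same 22 as the print_vma buffers, but `id` is an `unsigned int` and the call that formats it into `idbuf` is not in this hunk, so the 64-bit-decimal reasoning does not obviously apply. If the format wraps the number in literal text, the size needed is that text plus up to 10 digits plus the terminator (assuming a 32-bit unsigned int), and a comment on the declaration should show the sum. Formatting with `snprintf (idbuf, sizeof idbuf, ...)` would keep the bound next to the write. pr_tag_type's body continues outside the hunk.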
@@ -1698,7 +1698,7 @@ static bfd_boolean
pr_int_constant (void *p, const char *name, bfd_vma val)
{
struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
indent (info);
print_vma (val, ab, FALSE, FALSE);
@@ -1725,7 +1725,7 @@ pr_typed_constant (void *p, const char *name, bfd_vma val)
{
struct pr_handle *info = (struct pr_handle *) p;
char *t;
- char ab[20];
+ char ab[22];
t = pop_type (info);
if (t == NULL)
@@ -1748,7 +1748,7 @@ pr_variable (void *p, const char *name, enum debug_var_kind kind,
{
struct pr_handle *info = (struct pr_handle *) p;
char *t;
- char ab[20];
+ char ab[22];
if (! substitute_type (info, name))
return FALSE;
@@ -1811,7 +1811,7 @@ pr_function_parameter (void *p, const char *name,
{
struct pr_handle *info = (struct pr_handle *) p;
char *t;
- char ab[20];
+ char ab[22];
if (kind == DEBUG_PARM_REFERENCE
|| kind == DEBUG_PARM_REF_REG)
@@ -1849,7 +1849,7 @@ static bfd_boolean
pr_start_block (void *p, bfd_vma addr)
{
struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
if (info->parameter > 0)
{
@@ -1872,7 +1872,7 @@ static bfd_boolean
pr_lineno (void *p, const char *filename, unsigned long lineno, bfd_vma addr)
{
struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
indent (info);
print_vma (addr, ab, TRUE, TRUE);
@@ -1887,7 +1887,7 @@ static bfd_boolean
pr_end_block (void *p, bfd_vma addr)
{
struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
info->indent -= 2;
@@ -1993,7 +1993,7 @@ tg_enum_type (void *p, const char *tag, const char **names,
struct pr_handle *info = (struct pr_handle *) p;
unsigned int i;
const char *name;
- char ab[20];
+ char ab[22];
if (! pr_enum_type (p, tag, names, values))
return FALSE;
@@ -2540,7 +2540,7 @@ static bfd_boolean
tg_int_constant (void *p, const char *name, bfd_vma val)
{
struct pr_handle *info = (struct pr_handle *) p;
- char ab[20];
+ char ab[22];
indent (info);
print_vma (val, ab, FALSE, FALSE);
@@ -2569,7 +2569,7 @@ tg_typed_constant (void *p, const char *name, bfd_vma val)
{
struct pr_handle *info = (struct pr_handle *) p;
char *t;
- char ab[20];
+ char ab[22];
t = pop_type (info);
if (t == NULL)
@@ -2747,7 +2747,7 @@ static bfd_boolean
tg_start_block (void *p, bfd_vma addr)
{
struct pr_handle *info = (struct pr_handle *) p;
- char ab[20], kind, *partof;
+ char ab[22], kind, *partof;
char *t;
bfd_boolean local;
diff --git a/gas/macro.c b/gas/macro.c
index 0d1a1d2..deb4a49 100644
--- a/gas/macro.c
+++ b/gas/macro.c
@@ -842,7 +842,7 @@ macro_expand_body (sb *in, sb *out, formal_entry *formals,
{
/* Sub in the macro invocation number. */
- char buffer[10];
+ char buffer[12];
src++;
sprintf (buffer, "%d", macro_number);
sb_add_string (out, buffer);
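Review bot: `sprintf (buffer, "%d", macro_number);` is still unbounded, so `buffer[12]` is correct only while the printed value needs at most 11 characters. That is exactly the 32-bit int worst case (`-2147483648`) and leaves no margin for a wider type. The declaration of macro_number is not visible in this hunk; presumably it is an int. Writing the call as `snprintf (buffer, sizeof buffer, "%d", macro_number);` ties the limit to the array, so a later change to either one cannot reintroduce the overflow. macro_expand_body starts and ends outside the hunk.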