[75865] trunk/dports/cross/mipsel-linux-binutils
jmr at macports.org
jmr at macports.org
Thu Feb 10 21:12:33 PST 2011
Revision: 75865
http://trac.macports.org/changeset/75865
Author: jmr at macports.org
Date: 2011-02-10 21:12:33 -0800 (Thu, 10 Feb 2011)
Log Message:
-----------
mipsel-linux-binutils: fix buffer overflow in ar (#22756)
Modified Paths:
--------------
trunk/dports/cross/mipsel-linux-binutils/Portfile
Added Paths:
-----------
trunk/dports/cross/mipsel-linux-binutils/files/spacepad.diff
Modified: trunk/dports/cross/mipsel-linux-binutils/Portfile
===================================================================
--- trunk/dports/cross/mipsel-linux-binutils/Portfile 2011-02-10 23:03:30 UTC (rev 75864)
+++ trunk/dports/cross/mipsel-linux-binutils/Portfile 2011-02-11 05:12:33 UTC (rev 75865)
@@ -4,7 +4,7 @@
name mipsel-linux-binutils
version 2.16.1
-revision 2
+revision 3
categories cross
platforms darwin
maintainers nomaintainer
@@ -21,7 +21,8 @@
300-001_ld_makefile_patch.patch \
300-006_better_file_error.patch \
300-012_check_ldrunpath_length.patch \
- 702-binutils-skip-comments.patch
+ 702-binutils-skip-comments.patch \
+ spacepad.diff
set target mipsel-linux-uclibc
set cprefix ${prefix}/cross/${target}
Added: trunk/dports/cross/mipsel-linux-binutils/files/spacepad.diff
===================================================================
--- trunk/dports/cross/mipsel-linux-binutils/files/spacepad.diff (rev 0)
+++ trunk/dports/cross/mipsel-linux-binutils/files/spacepad.diff 2011-02-11 05:12:33 UTC (rev 75865)
@@ -0,0 +1,321 @@
+===================================================================
+RCS file: /cvs/src/src/bfd/archive.c,v
+retrieving revision 1.36
+retrieving revision 1.37
+diff -u -r1.36 -r1.37
+--- src/bfd/archive.c 2005/03/10 21:26:53 1.36
++++ src/bfd/archive.c 2005/03/11 16:37:17 1.37
+@@ -121,7 +121,7 @@
+
+ Regular files with long names (or embedded spaces, for BSD variants):
+ "/18 " - SVR4 style, name at offset 18 in name table.
+- "#1/23 " - Long name (or embedded paces) 23 characters long,
++ "#1/23 " - Long name (or embedded spaces) 23 characters long,
+ BSD 4.4 style, full name follows header.
+ Implemented for reading, not writing.
+ " 18 " - Long name 18 characters long, extended pseudo-BSD.
+@@ -155,7 +155,22 @@
+
+ #define arch_eltdata(bfd) ((struct areltdata *) ((bfd)->arelt_data))
+ #define arch_hdr(bfd) ((struct ar_hdr *) arch_eltdata(bfd)->arch_header)
+-
++
++void
++_bfd_ar_spacepad (char *p, size_t n, const char *fmt, long val)
++{
++ static char buf[20];
++ size_t len;
++ snprintf (buf, sizeof (buf), fmt, val);
++ len = strlen (buf);
++ if (len < n)
++ {
++ memcpy (p, buf, len);
++ memset (p + len, ' ', n - len);
++ }
++ else
++ memcpy (p, buf, n);
++}
+
+ bfd_boolean
+ _bfd_generic_mkarchive (bfd *abfd)
+@@ -1283,17 +1298,8 @@
+ strptr[thislen + 1] = '\012';
+ }
+ hdr->ar_name[0] = ar_padchar (current);
+- /* We know there will always be enough room (one of the few
+- cases where you may safely use sprintf). */
+- sprintf ((hdr->ar_name) + 1, "%-d", (unsigned) (strptr - *tabloc));
+- /* Kinda Kludgy. We should just use the returned value of
+- sprintf but not all implementations get this right. */
+- {
+- char *temp = hdr->ar_name + 2;
+- for (; temp < hdr->ar_name + maxname; temp++)
+- if (*temp == '\0')
+- *temp = ' ';
+- }
++ _bfd_ar_spacepad (hdr->ar_name + 1, maxname - 1, "%-ld",
++ strptr - *tabloc);
+ strptr += thislen + 1;
+ if (trailing_slash)
+ ++strptr;
+@@ -1340,7 +1346,6 @@
+ struct stat status;
+ struct areltdata *ared;
+ struct ar_hdr *hdr;
+- char *temp, *temp1;
+ bfd_size_type amt;
+
+ if (member && (member->flags & BFD_IN_MEMORY) != 0)
+@@ -1368,39 +1373,31 @@
+ /* ar headers are space padded, not null padded! */
+ memset (hdr, ' ', sizeof (struct ar_hdr));
+
+- strncpy (hdr->ar_fmag, ARFMAG, 2);
+-
+- /* Goddamned sprintf doesn't permit MAXIMUM field lengths. */
+- sprintf ((hdr->ar_date), "%-12ld", (long) status.st_mtime);
++ _bfd_ar_spacepad (hdr->ar_date, sizeof (hdr->ar_date), "%-12ld",
++ status.st_mtime);
+ #ifdef HPUX_LARGE_AR_IDS
+ /* HP has a very "special" way to handle UID/GID's with numeric values
+ > 99999. */
+ if (status.st_uid > 99999)
+- hpux_uid_gid_encode (hdr->ar_gid, (long) status.st_uid);
++ hpux_uid_gid_encode (hdr->ar_uid, (long) status.st_uid);
+ else
+ #endif
+- sprintf ((hdr->ar_uid), "%ld", (long) status.st_uid);
++ _bfd_ar_spacepad (hdr->ar_uid, sizeof (hdr->ar_uid), "%ld",
++ status.st_uid);
+ #ifdef HPUX_LARGE_AR_IDS
+ /* HP has a very "special" way to handle UID/GID's with numeric values
+ > 99999. */
+ if (status.st_gid > 99999)
+- hpux_uid_gid_encode (hdr->ar_uid, (long) status.st_gid);
++ hpux_uid_gid_encode (hdr->ar_gid, (long) status.st_gid);
+ else
+ #endif
+- sprintf ((hdr->ar_gid), "%ld", (long) status.st_gid);
+- sprintf ((hdr->ar_mode), "%-8o", (unsigned int) status.st_mode);
+- sprintf ((hdr->ar_size), "%-10ld", (long) status.st_size);
+- /* Correct for a lossage in sprintf whereby it null-terminates. I cannot
+- understand how these C losers could design such a ramshackle bunch of
+- IO operations. */
+- temp = (char *) hdr;
+- temp1 = temp + sizeof (struct ar_hdr) - 2;
+- for (; temp < temp1; temp++)
+- {
+- if (*temp == '\0')
+- *temp = ' ';
+- }
+- strncpy (hdr->ar_fmag, ARFMAG, 2);
++ _bfd_ar_spacepad (hdr->ar_gid, sizeof (hdr->ar_gid), "%ld",
++ status.st_gid);
++ _bfd_ar_spacepad (hdr->ar_mode, sizeof (hdr->ar_mode), "%-8lo",
++ status.st_mode);
++ _bfd_ar_spacepad (hdr->ar_size, sizeof (hdr->ar_size), "%-10ld",
++ status.st_size);
++ memcpy (hdr->ar_fmag, ARFMAG, 2);
+ ared->parsed_size = status.st_size;
+ ared->arch_header = (char *) hdr;
+
+@@ -1621,7 +1618,6 @@
+ /* If no .o's, don't bother to make a map. */
+ bfd_boolean hasobjects = FALSE;
+ bfd_size_type wrote;
+- unsigned int i;
+ int tries;
+
+ /* Verify the viability of all entries; if any of them live in the
+@@ -1678,15 +1674,12 @@
+ {
+ struct ar_hdr hdr;
+
+- memset (&hdr, 0, sizeof (struct ar_hdr));
+- strcpy (hdr.ar_name, ename);
++ memset (&hdr, ' ', sizeof (struct ar_hdr));
++ memcpy (hdr.ar_name, ename, strlen (ename));
+ /* Round size up to even number in archive header. */
+- sprintf (&(hdr.ar_size[0]), "%-10d",
+- (int) ((elength + 1) & ~(bfd_size_type) 1));
+- strncpy (hdr.ar_fmag, ARFMAG, 2);
+- for (i = 0; i < sizeof (struct ar_hdr); i++)
+- if (((char *) (&hdr))[i] == '\0')
+- (((char *) (&hdr))[i]) = ' ';
++ _bfd_ar_spacepad (hdr.ar_size, sizeof (hdr.ar_size), "%-10ld",
++ (elength + 1) & ~(bfd_size_type) 1);
++ memcpy (hdr.ar_fmag, ARFMAG, 2);
+ if ((bfd_bwrite (&hdr, sizeof (struct ar_hdr), arch)
+ != sizeof (struct ar_hdr))
+ || bfd_bwrite (etable, elength, arch) != elength)
+@@ -1920,25 +1913,22 @@
+ unsigned int count;
+ struct ar_hdr hdr;
+ struct stat statbuf;
+- unsigned int i;
+
+ firstreal = mapsize + elength + sizeof (struct ar_hdr) + SARMAG;
+
+ stat (arch->filename, &statbuf);
+- memset (&hdr, 0, sizeof (struct ar_hdr));
+- sprintf (hdr.ar_name, RANLIBMAG);
++ memset (&hdr, ' ', sizeof (struct ar_hdr));
++ memcpy (hdr.ar_name, RANLIBMAG, strlen (RANLIBMAG));
+ /* Remember the timestamp, to keep it holy. But fudge it a little. */
+ bfd_ardata (arch)->armap_timestamp = statbuf.st_mtime + ARMAP_TIME_OFFSET;
+ bfd_ardata (arch)->armap_datepos = (SARMAG
+ + offsetof (struct ar_hdr, ar_date[0]));
+- sprintf (hdr.ar_date, "%ld", bfd_ardata (arch)->armap_timestamp);
+- sprintf (hdr.ar_uid, "%ld", (long) getuid ());
+- sprintf (hdr.ar_gid, "%ld", (long) getgid ());
+- sprintf (hdr.ar_size, "%-10d", (int) mapsize);
+- strncpy (hdr.ar_fmag, ARFMAG, 2);
+- for (i = 0; i < sizeof (struct ar_hdr); i++)
+- if (((char *) (&hdr))[i] == '\0')
+- (((char *) (&hdr))[i]) = ' ';
++ _bfd_ar_spacepad (hdr.ar_date, sizeof (hdr.ar_date), "%ld",
++ bfd_ardata (arch)->armap_timestamp);
++ _bfd_ar_spacepad (hdr.ar_uid, sizeof (hdr.ar_uid), "%ld", getuid ());
++ _bfd_ar_spacepad (hdr.ar_gid, sizeof (hdr.ar_gid), "%ld", getgid ());
++ _bfd_ar_spacepad (hdr.ar_size, sizeof (hdr.ar_size), "%-10ld", mapsize);
++ memcpy (hdr.ar_fmag, ARFMAG, 2);
+ if (bfd_bwrite (&hdr, sizeof (struct ar_hdr), arch)
+ != sizeof (struct ar_hdr))
+ return FALSE;
+@@ -2003,7 +1993,6 @@
+ {
+ struct stat archstat;
+ struct ar_hdr hdr;
+- unsigned int i;
+
+ /* Flush writes, get last-write timestamp from file, and compare it
+ to the timestamp IN the file. */
+@@ -2023,11 +2012,9 @@
+ bfd_ardata (arch)->armap_timestamp = archstat.st_mtime + ARMAP_TIME_OFFSET;
+
+ /* Prepare an ASCII version suitable for writing. */
+- memset (hdr.ar_date, 0, sizeof (hdr.ar_date));
+- sprintf (hdr.ar_date, "%ld", bfd_ardata (arch)->armap_timestamp);
+- for (i = 0; i < sizeof (hdr.ar_date); i++)
+- if (hdr.ar_date[i] == '\0')
+- (hdr.ar_date)[i] = ' ';
++ memset (hdr.ar_date, ' ', sizeof (hdr.ar_date));
++ _bfd_ar_spacepad (hdr.ar_date, sizeof (hdr.ar_date), "%ld",
++ bfd_ardata (arch)->armap_timestamp);
+
+ /* Write it into the file. */
+ bfd_ardata (arch)->armap_datepos = (SARMAG
+@@ -2075,7 +2062,6 @@
+ bfd *current = arch->archive_head;
+ unsigned int count;
+ struct ar_hdr hdr;
+- unsigned int i;
+ int padit = mapsize & 1;
+
+ if (padit)
+@@ -2087,19 +2073,17 @@
+ + sizeof (struct ar_hdr)
+ + SARMAG);
+
+- memset (&hdr, 0, sizeof (struct ar_hdr));
++ memset (&hdr, ' ', sizeof (struct ar_hdr));
+ hdr.ar_name[0] = '/';
+- sprintf (hdr.ar_size, "%-10d", (int) mapsize);
+- sprintf (hdr.ar_date, "%ld", (long) time (NULL));
++ _bfd_ar_spacepad (hdr.ar_size, sizeof (hdr.ar_size), "%-10ld",
++ mapsize);
++ _bfd_ar_spacepad (hdr.ar_date, sizeof (hdr.ar_date), "%ld",
++ time (NULL));
+ /* This, at least, is what Intel coff sets the values to. */
+- sprintf ((hdr.ar_uid), "%d", 0);
+- sprintf ((hdr.ar_gid), "%d", 0);
+- sprintf ((hdr.ar_mode), "%-7o", (unsigned) 0);
+- strncpy (hdr.ar_fmag, ARFMAG, 2);
+-
+- for (i = 0; i < sizeof (struct ar_hdr); i++)
+- if (((char *) (&hdr))[i] == '\0')
+- (((char *) (&hdr))[i]) = ' ';
++ _bfd_ar_spacepad (hdr.ar_uid, sizeof (hdr.ar_uid), "%ld", 0);
++ _bfd_ar_spacepad (hdr.ar_gid, sizeof (hdr.ar_gid), "%ld", 0);
++ _bfd_ar_spacepad (hdr.ar_mode, sizeof (hdr.ar_mode), "%-7lo", 0);
++ memcpy (hdr.ar_fmag, ARFMAG, 2);
+
+ /* Write the ar header for this item and the number of symbols. */
+ if (bfd_bwrite (&hdr, sizeof (struct ar_hdr), arch)
+===================================================================
+RCS file: /cvs/src/src/bfd/archive64.c,v
+retrieving revision 1.3
+retrieving revision 1.4
+diff -u -r1.3 -r1.4
+--- src/bfd/archive64.c 2003/06/29 10:06:39 1.3
++++ src/bfd/archive64.c 2005/03/11 16:37:17 1.4
+@@ -156,7 +156,6 @@
+ bfd *current = arch->archive_head;
+ unsigned int count;
+ struct ar_hdr hdr;
+- unsigned int i;
+ int padding;
+ bfd_byte buf[8];
+
+@@ -169,19 +168,17 @@
+ + sizeof (struct ar_hdr)
+ + SARMAG);
+
+- memset (&hdr, 0, sizeof (struct ar_hdr));
+- strcpy (hdr.ar_name, "/SYM64/");
+- sprintf (hdr.ar_size, "%-10d", (int) mapsize);
+- sprintf (hdr.ar_date, "%ld", (long) time (NULL));
++ memset (&hdr, ' ', sizeof (struct ar_hdr));
++ memcpy (hdr.ar_name, "/SYM64/", strlen ("/SYM64/"));
++ _bfd_ar_spacepad (hdr.ar_size, sizeof (hdr.ar_size), "%-10ld",
++ mapsize);
++ _bfd_ar_spacepad (hdr.ar_date, sizeof (hdr.ar_date), "%ld",
++ time (NULL));
+ /* This, at least, is what Intel coff sets the values to.: */
+- sprintf ((hdr.ar_uid), "%d", 0);
+- sprintf ((hdr.ar_gid), "%d", 0);
+- sprintf ((hdr.ar_mode), "%-7o", (unsigned) 0);
+- strncpy (hdr.ar_fmag, ARFMAG, 2);
+-
+- for (i = 0; i < sizeof (struct ar_hdr); i++)
+- if (((char *) (&hdr))[i] == '\0')
+- (((char *) (&hdr))[i]) = ' ';
++ _bfd_ar_spacepad (hdr.ar_uid, sizeof (hdr.ar_uid), "%ld", 0);
++ _bfd_ar_spacepad (hdr.ar_gid, sizeof (hdr.ar_gid), "%ld", 0);
++ _bfd_ar_spacepad (hdr.ar_mode, sizeof (hdr.ar_mode), "%-7lo", 0);
++ memcpy (hdr.ar_fmag, ARFMAG, 2);
+
+ /* Write the ar header for this item and the number of symbols */
+
+===================================================================
+RCS file: /cvs/src/src/bfd/libbfd.h,v
+retrieving revision 1.138
+retrieving revision 1.139
+diff -u -r1.138 -r1.139
+--- src/bfd/libbfd.h 2005/03/10 00:29:35 1.138
++++ src/bfd/libbfd.h 2005/03/11 16:37:17 1.139
+@@ -183,6 +183,8 @@
+
+ extern void *_bfd_generic_read_ar_hdr
+ (bfd *);
++extern void _bfd_ar_spacepad
++ (char *, size_t, const char *, long);
+
+ extern void *_bfd_generic_read_ar_hdr_mag
+ (bfd *, const char *);
+===================================================================
+RCS file: /cvs/src/src/bfd/libbfd-in.h,v
+retrieving revision 1.47
+retrieving revision 1.48
+diff -u -r1.47 -r1.48
+--- src/bfd/libbfd-in.h 2005/03/10 00:29:35 1.47
++++ src/bfd/libbfd-in.h 2005/03/11 16:37:17 1.48
+@@ -178,6 +178,8 @@
+
+ extern void *_bfd_generic_read_ar_hdr
+ (bfd *);
++extern void _bfd_ar_spacepad
++ (char *, size_t, const char *, long);
+
+ extern void *_bfd_generic_read_ar_hdr_mag
+ (bfd *, const char *);
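Review bot: The `else memcpy (p, buf, n);` branch of `_bfd_ar_spacepad` (in the embedded patch to src/bfd/archive.c) silently drops the trailing digits of any value wider than the field, and because the helper returns `void` no caller can tell that the header it is about to write carries a wrong size, date or id. The overflow is gone, but an over-wide value now yields a plausible-looking yet incorrect archive header; consider returning a success flag that the callers check, or at least documenting it with a comment such as `/* Values wider than N are truncated, not reported.  */`. The scratch buffer also does not need to be `static`: declaring it as `char buf[20];` keeps the helper reentrant at no cost. Separately, every call site relies on the `long` prototype to convert `st_size`, `st_mtime` and `mapsize`, so on hosts where those types are wider than `long` the value is presumably narrowed before it is formatted.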