[75865] trunk/dports/cross/mipsel-linux-binutils

jmr at macports.org jmr at macports.org
Thu Feb 10 21:12:33 PST 2011


Revision: 75865
          http://trac.macports.org/changeset/75865
Author:   jmr at macports.org
Date:     2011-02-10 21:12:33 -0800 (Thu, 10 Feb 2011)
Log Message:
-----------
mipsel-linux-binutils: fix buffer overflow in ar (#22756)

Modified Paths:
--------------
    trunk/dports/cross/mipsel-linux-binutils/Portfile

Added Paths:
-----------
    trunk/dports/cross/mipsel-linux-binutils/files/spacepad.diff

Modified: trunk/dports/cross/mipsel-linux-binutils/Portfile
===================================================================
--- trunk/dports/cross/mipsel-linux-binutils/Portfile	2011-02-10 23:03:30 UTC (rev 75864)
+++ trunk/dports/cross/mipsel-linux-binutils/Portfile	2011-02-11 05:12:33 UTC (rev 75865)
@@ -4,7 +4,7 @@
 
 name			mipsel-linux-binutils
 version			2.16.1
-revision		2
+revision		3
 categories		cross
 platforms		darwin
 maintainers		nomaintainer
@@ -21,7 +21,8 @@
 				300-001_ld_makefile_patch.patch \
 				300-006_better_file_error.patch \
 				300-012_check_ldrunpath_length.patch \
-				702-binutils-skip-comments.patch
+				702-binutils-skip-comments.patch \
+				spacepad.diff
 
 set target		mipsel-linux-uclibc
 set cprefix		${prefix}/cross/${target}

Added: trunk/dports/cross/mipsel-linux-binutils/files/spacepad.diff
===================================================================
--- trunk/dports/cross/mipsel-linux-binutils/files/spacepad.diff	                        (rev 0)
+++ trunk/dports/cross/mipsel-linux-binutils/files/spacepad.diff	2011-02-11 05:12:33 UTC (rev 75865)
@@ -0,0 +1,321 @@
+===================================================================
+RCS file: /cvs/src/src/bfd/archive.c,v
+retrieving revision 1.36
+retrieving revision 1.37
+diff -u -r1.36 -r1.37
+--- src/bfd/archive.c	2005/03/10 21:26:53	1.36
++++ src/bfd/archive.c	2005/03/11 16:37:17	1.37
+@@ -121,7 +121,7 @@
+ 
+  Regular files with long names (or embedded spaces, for BSD variants):
+  "/18             " - SVR4 style, name at offset 18 in name table.
+- "#1/23           " - Long name (or embedded paces) 23 characters long,
++ "#1/23           " - Long name (or embedded spaces) 23 characters long,
+ 		      BSD 4.4 style, full name follows header.
+ 		      Implemented for reading, not writing.
+  " 18             " - Long name 18 characters long, extended pseudo-BSD.
+@@ -155,7 +155,22 @@
+ 
+ #define arch_eltdata(bfd) ((struct areltdata *) ((bfd)->arelt_data))
+ #define arch_hdr(bfd) ((struct ar_hdr *) arch_eltdata(bfd)->arch_header)
+-
++
++void
++_bfd_ar_spacepad (char *p, size_t n, const char *fmt, long val)
++{
++  static char buf[20];
++  size_t len;
++  snprintf (buf, sizeof (buf), fmt, val);
++  len = strlen (buf);
++  if (len < n)
++    {
++      memcpy (p, buf, len);
++      memset (p + len, ' ', n - len);
++    }
++  else
++    memcpy (p, buf, n);
++}
+ 
+ bfd_boolean
+ _bfd_generic_mkarchive (bfd *abfd)
+@@ -1283,17 +1298,8 @@
+ 	      strptr[thislen + 1] = '\012';
+ 	    }
+ 	  hdr->ar_name[0] = ar_padchar (current);
+-	  /* We know there will always be enough room (one of the few
+-	     cases where you may safely use sprintf).  */
+-	  sprintf ((hdr->ar_name) + 1, "%-d", (unsigned) (strptr - *tabloc));
+-	  /* Kinda Kludgy.  We should just use the returned value of
+-	     sprintf but not all implementations get this right.  */
+-	  {
+-	    char *temp = hdr->ar_name + 2;
+-	    for (; temp < hdr->ar_name + maxname; temp++)
+-	      if (*temp == '\0')
+-		*temp = ' ';
+-	  }
++          _bfd_ar_spacepad (hdr->ar_name + 1, maxname - 1, "%-ld",
++                            strptr - *tabloc);
+ 	  strptr += thislen + 1;
+ 	  if (trailing_slash)
+ 	    ++strptr;
+@@ -1340,7 +1346,6 @@
+   struct stat status;
+   struct areltdata *ared;
+   struct ar_hdr *hdr;
+-  char *temp, *temp1;
+   bfd_size_type amt;
+ 
+   if (member && (member->flags & BFD_IN_MEMORY) != 0)
+@@ -1368,39 +1373,31 @@
+   /* ar headers are space padded, not null padded!  */
+   memset (hdr, ' ', sizeof (struct ar_hdr));
+ 
+-  strncpy (hdr->ar_fmag, ARFMAG, 2);
+-
+-  /* Goddamned sprintf doesn't permit MAXIMUM field lengths.  */
+-  sprintf ((hdr->ar_date), "%-12ld", (long) status.st_mtime);
++  _bfd_ar_spacepad (hdr->ar_date, sizeof (hdr->ar_date), "%-12ld",
++                    status.st_mtime);
+ #ifdef HPUX_LARGE_AR_IDS
+   /* HP has a very "special" way to handle UID/GID's with numeric values
+      > 99999.  */
+   if (status.st_uid > 99999)
+-    hpux_uid_gid_encode (hdr->ar_gid, (long) status.st_uid);
++    hpux_uid_gid_encode (hdr->ar_uid, (long) status.st_uid);
+   else
+ #endif
+-    sprintf ((hdr->ar_uid), "%ld", (long) status.st_uid);
++    _bfd_ar_spacepad (hdr->ar_uid, sizeof (hdr->ar_uid), "%ld",
++                      status.st_uid);
+ #ifdef HPUX_LARGE_AR_IDS
+   /* HP has a very "special" way to handle UID/GID's with numeric values
+      > 99999.  */
+   if (status.st_gid > 99999)
+-    hpux_uid_gid_encode (hdr->ar_uid, (long) status.st_gid);
++    hpux_uid_gid_encode (hdr->ar_gid, (long) status.st_gid);
+   else
+ #endif
+-  sprintf ((hdr->ar_gid), "%ld", (long) status.st_gid);
+-  sprintf ((hdr->ar_mode), "%-8o", (unsigned int) status.st_mode);
+-  sprintf ((hdr->ar_size), "%-10ld", (long) status.st_size);
+-  /* Correct for a lossage in sprintf whereby it null-terminates.  I cannot
+-     understand how these C losers could design such a ramshackle bunch of
+-     IO operations.  */
+-  temp = (char *) hdr;
+-  temp1 = temp + sizeof (struct ar_hdr) - 2;
+-  for (; temp < temp1; temp++)
+-    {
+-      if (*temp == '\0')
+-	*temp = ' ';
+-    }
+-  strncpy (hdr->ar_fmag, ARFMAG, 2);
++    _bfd_ar_spacepad (hdr->ar_gid, sizeof (hdr->ar_gid), "%ld",
++                      status.st_gid);
++  _bfd_ar_spacepad (hdr->ar_mode, sizeof (hdr->ar_mode), "%-8lo",
++                    status.st_mode);
++  _bfd_ar_spacepad (hdr->ar_size, sizeof (hdr->ar_size), "%-10ld",
++                    status.st_size);
++  memcpy (hdr->ar_fmag, ARFMAG, 2);
+   ared->parsed_size = status.st_size;
+   ared->arch_header = (char *) hdr;
+ 
+@@ -1621,7 +1618,6 @@
+   /* If no .o's, don't bother to make a map.  */
+   bfd_boolean hasobjects = FALSE;
+   bfd_size_type wrote;
+-  unsigned int i;
+   int tries;
+ 
+   /* Verify the viability of all entries; if any of them live in the
+@@ -1678,15 +1674,12 @@
+     {
+       struct ar_hdr hdr;
+ 
+-      memset (&hdr, 0, sizeof (struct ar_hdr));
+-      strcpy (hdr.ar_name, ename);
++      memset (&hdr, ' ', sizeof (struct ar_hdr));
++      memcpy (hdr.ar_name, ename, strlen (ename));
+       /* Round size up to even number in archive header.  */
+-      sprintf (&(hdr.ar_size[0]), "%-10d",
+-	       (int) ((elength + 1) & ~(bfd_size_type) 1));
+-      strncpy (hdr.ar_fmag, ARFMAG, 2);
+-      for (i = 0; i < sizeof (struct ar_hdr); i++)
+-	if (((char *) (&hdr))[i] == '\0')
+-	  (((char *) (&hdr))[i]) = ' ';
++      _bfd_ar_spacepad (hdr.ar_size, sizeof (hdr.ar_size), "%-10ld",
++                        (elength + 1) & ~(bfd_size_type) 1);
++      memcpy (hdr.ar_fmag, ARFMAG, 2);
+       if ((bfd_bwrite (&hdr, sizeof (struct ar_hdr), arch)
+ 	   != sizeof (struct ar_hdr))
+ 	  || bfd_bwrite (etable, elength, arch) != elength)
+@@ -1920,25 +1913,22 @@
+   unsigned int count;
+   struct ar_hdr hdr;
+   struct stat statbuf;
+-  unsigned int i;
+ 
+   firstreal = mapsize + elength + sizeof (struct ar_hdr) + SARMAG;
+ 
+   stat (arch->filename, &statbuf);
+-  memset (&hdr, 0, sizeof (struct ar_hdr));
+-  sprintf (hdr.ar_name, RANLIBMAG);
++  memset (&hdr, ' ', sizeof (struct ar_hdr));
++  memcpy (hdr.ar_name, RANLIBMAG, strlen (RANLIBMAG));
+   /* Remember the timestamp, to keep it holy.  But fudge it a little.  */
+   bfd_ardata (arch)->armap_timestamp = statbuf.st_mtime + ARMAP_TIME_OFFSET;
+   bfd_ardata (arch)->armap_datepos = (SARMAG
+ 				      + offsetof (struct ar_hdr, ar_date[0]));
+-  sprintf (hdr.ar_date, "%ld", bfd_ardata (arch)->armap_timestamp);
+-  sprintf (hdr.ar_uid, "%ld", (long) getuid ());
+-  sprintf (hdr.ar_gid, "%ld", (long) getgid ());
+-  sprintf (hdr.ar_size, "%-10d", (int) mapsize);
+-  strncpy (hdr.ar_fmag, ARFMAG, 2);
+-  for (i = 0; i < sizeof (struct ar_hdr); i++)
+-    if (((char *) (&hdr))[i] == '\0')
+-      (((char *) (&hdr))[i]) = ' ';
++  _bfd_ar_spacepad (hdr.ar_date, sizeof (hdr.ar_date), "%ld",
++                    bfd_ardata (arch)->armap_timestamp);
++  _bfd_ar_spacepad (hdr.ar_uid, sizeof (hdr.ar_uid), "%ld", getuid ());
++  _bfd_ar_spacepad (hdr.ar_gid, sizeof (hdr.ar_gid), "%ld", getgid ());
++  _bfd_ar_spacepad (hdr.ar_size, sizeof (hdr.ar_size), "%-10ld", mapsize);
++  memcpy (hdr.ar_fmag, ARFMAG, 2);
+   if (bfd_bwrite (&hdr, sizeof (struct ar_hdr), arch)
+       != sizeof (struct ar_hdr))
+     return FALSE;
+@@ -2003,7 +1993,6 @@
+ {
+   struct stat archstat;
+   struct ar_hdr hdr;
+-  unsigned int i;
+ 
+   /* Flush writes, get last-write timestamp from file, and compare it
+      to the timestamp IN the file.  */
+@@ -2023,11 +2012,9 @@
+   bfd_ardata (arch)->armap_timestamp = archstat.st_mtime + ARMAP_TIME_OFFSET;
+ 
+   /* Prepare an ASCII version suitable for writing.  */
+-  memset (hdr.ar_date, 0, sizeof (hdr.ar_date));
+-  sprintf (hdr.ar_date, "%ld", bfd_ardata (arch)->armap_timestamp);
+-  for (i = 0; i < sizeof (hdr.ar_date); i++)
+-    if (hdr.ar_date[i] == '\0')
+-      (hdr.ar_date)[i] = ' ';
++  memset (hdr.ar_date, ' ', sizeof (hdr.ar_date));
++  _bfd_ar_spacepad (hdr.ar_date, sizeof (hdr.ar_date), "%ld",
++                    bfd_ardata (arch)->armap_timestamp);
+ 
+   /* Write it into the file.  */
+   bfd_ardata (arch)->armap_datepos = (SARMAG
+@@ -2075,7 +2062,6 @@
+   bfd *current = arch->archive_head;
+   unsigned int count;
+   struct ar_hdr hdr;
+-  unsigned int i;
+   int padit = mapsize & 1;
+ 
+   if (padit)
+@@ -2087,19 +2073,17 @@
+ 			     + sizeof (struct ar_hdr)
+ 			     + SARMAG);
+ 
+-  memset (&hdr, 0, sizeof (struct ar_hdr));
++  memset (&hdr, ' ', sizeof (struct ar_hdr));
+   hdr.ar_name[0] = '/';
+-  sprintf (hdr.ar_size, "%-10d", (int) mapsize);
+-  sprintf (hdr.ar_date, "%ld", (long) time (NULL));
++  _bfd_ar_spacepad (hdr.ar_size, sizeof (hdr.ar_size), "%-10ld",
++                    mapsize);
++  _bfd_ar_spacepad (hdr.ar_date, sizeof (hdr.ar_date), "%ld",
++                    time (NULL));
+   /* This, at least, is what Intel coff sets the values to.  */
+-  sprintf ((hdr.ar_uid), "%d", 0);
+-  sprintf ((hdr.ar_gid), "%d", 0);
+-  sprintf ((hdr.ar_mode), "%-7o", (unsigned) 0);
+-  strncpy (hdr.ar_fmag, ARFMAG, 2);
+-
+-  for (i = 0; i < sizeof (struct ar_hdr); i++)
+-    if (((char *) (&hdr))[i] == '\0')
+-      (((char *) (&hdr))[i]) = ' ';
++  _bfd_ar_spacepad (hdr.ar_uid, sizeof (hdr.ar_uid), "%ld", 0);
++  _bfd_ar_spacepad (hdr.ar_gid, sizeof (hdr.ar_gid), "%ld", 0);
++  _bfd_ar_spacepad (hdr.ar_mode, sizeof (hdr.ar_mode), "%-7lo", 0);
++  memcpy (hdr.ar_fmag, ARFMAG, 2);
+ 
+   /* Write the ar header for this item and the number of symbols.  */
+   if (bfd_bwrite (&hdr, sizeof (struct ar_hdr), arch)
+===================================================================
+RCS file: /cvs/src/src/bfd/archive64.c,v
+retrieving revision 1.3
+retrieving revision 1.4
+diff -u -r1.3 -r1.4
+--- src/bfd/archive64.c	2003/06/29 10:06:39	1.3
++++ src/bfd/archive64.c	2005/03/11 16:37:17	1.4
+@@ -156,7 +156,6 @@
+   bfd *current = arch->archive_head;
+   unsigned int count;
+   struct ar_hdr hdr;
+-  unsigned int i;
+   int padding;
+   bfd_byte buf[8];
+ 
+@@ -169,19 +168,17 @@
+ 			     + sizeof (struct ar_hdr)
+ 			     + SARMAG);
+ 
+-  memset (&hdr, 0, sizeof (struct ar_hdr));
+-  strcpy (hdr.ar_name, "/SYM64/");
+-  sprintf (hdr.ar_size, "%-10d", (int) mapsize);
+-  sprintf (hdr.ar_date, "%ld", (long) time (NULL));
++  memset (&hdr, ' ', sizeof (struct ar_hdr));
++  memcpy (hdr.ar_name, "/SYM64/", strlen ("/SYM64/"));
++  _bfd_ar_spacepad (hdr.ar_size, sizeof (hdr.ar_size), "%-10ld",
++                    mapsize);
++  _bfd_ar_spacepad (hdr.ar_date, sizeof (hdr.ar_date), "%ld",
++                    time (NULL));
+   /* This, at least, is what Intel coff sets the values to.: */
+-  sprintf ((hdr.ar_uid), "%d", 0);
+-  sprintf ((hdr.ar_gid), "%d", 0);
+-  sprintf ((hdr.ar_mode), "%-7o", (unsigned) 0);
+-  strncpy (hdr.ar_fmag, ARFMAG, 2);
+-
+-  for (i = 0; i < sizeof (struct ar_hdr); i++)
+-    if (((char *) (&hdr))[i] == '\0')
+-      (((char *) (&hdr))[i]) = ' ';
++  _bfd_ar_spacepad (hdr.ar_uid, sizeof (hdr.ar_uid), "%ld", 0);
++  _bfd_ar_spacepad (hdr.ar_gid, sizeof (hdr.ar_gid), "%ld", 0);
++  _bfd_ar_spacepad (hdr.ar_mode, sizeof (hdr.ar_mode), "%-7lo", 0);
++  memcpy (hdr.ar_fmag, ARFMAG, 2);
+ 
+   /* Write the ar header for this item and the number of symbols */
+ 
+===================================================================
+RCS file: /cvs/src/src/bfd/libbfd.h,v
+retrieving revision 1.138
+retrieving revision 1.139
+diff -u -r1.138 -r1.139
+--- src/bfd/libbfd.h	2005/03/10 00:29:35	1.138
++++ src/bfd/libbfd.h	2005/03/11 16:37:17	1.139
+@@ -183,6 +183,8 @@
+ 
+ extern void *_bfd_generic_read_ar_hdr
+   (bfd *);
++extern void _bfd_ar_spacepad
++  (char *, size_t, const char *, long);
+ 
+ extern void *_bfd_generic_read_ar_hdr_mag
+   (bfd *, const char *);
+===================================================================
+RCS file: /cvs/src/src/bfd/libbfd-in.h,v
+retrieving revision 1.47
+retrieving revision 1.48
+diff -u -r1.47 -r1.48
+--- src/bfd/libbfd-in.h	2005/03/10 00:29:35	1.47
++++ src/bfd/libbfd-in.h	2005/03/11 16:37:17	1.48
+@@ -178,6 +178,8 @@
+ 
+ extern void *_bfd_generic_read_ar_hdr
+   (bfd *);
++extern void _bfd_ar_spacepad
++  (char *, size_t, const char *, long);
+ 
+ extern void *_bfd_generic_read_ar_hdr_mag
+   (bfd *, const char *);
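Review bot: In the `_bfd_ar_spacepad` helper added to src/bfd/archive.c, the `else` branch copies only the first `n` characters of a value that does not fit its field, so an oversized `st_size`, `st_uid` or timestamp is written as a different, shorter number with no error reported. The write is now bounded, but a clipped `ar_size` yields a header that disagrees with the member data that follows, and later readers of the archive presumably rely on that field to locate member boundaries. I would have the helper return `bfd_boolean` and fail when the formatted text is longer than the field, with the two prototypes in libbfd.h and libbfd-in.h updated to match and each caller checking the result; the callers' bodies are only partly visible in these hunks. The `static` on `buf` is also unnecessary and makes the helper non-reentrant.

```c
bfd_boolean
_bfd_ar_spacepad (char *p, size_t n, const char *fmt, long val)
{
  char buf[24];
  int len = snprintf (buf, sizeof (buf), fmt, val);

  /* Refuse a value that does not fit rather than writing its first N
     characters: a clipped ar_size or ar_date is a different number.  */
  if (len < 0 || (size_t) len >= sizeof (buf) || (size_t) len > n)
    return FALSE;

  memcpy (p, buf, (size_t) len);
  memset (p + len, ' ', n - (size_t) len);
  return TRUE;
}
```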