[avr-binutils/f19] fix CVE-2014-8738: out of bounds memory write

Michal Hlavinka mhlavink at fedoraproject.org
Thu Nov 13 16:43:57 UTC 2014


commit 142ef8cebaaa928f8f48dec3269b413176327cae
Author: Michal Hlavinka <mhlavink at redhat.com>
Date:   Thu Nov 13 17:43:51 2014 +0100

    fix CVE-2014-8738: out of bounds memory write

 avr-binutils.spec                 |    7 ++++-
 binutils-2.24-cve_2014_8738.patch |   47 +++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletions(-)
---
diff --git a/avr-binutils.spec b/avr-binutils.spec
index 55b0287..f8c5955 100644
--- a/avr-binutils.spec
+++ b/avr-binutils.spec
@@ -2,7 +2,7 @@
 
 Name:           %{target}-binutils
 Version:        2.24
-Release:        2%{?dist}
+Release:        3%{?dist}
 Epoch:          1
 Summary:        Cross Compiling GNU binutils targeted at %{target}
 Group:          Development/Tools
@@ -18,6 +18,7 @@ Patch4: binutils-2.24-cve_2014_8502a.patch
 Patch5: binutils-2.24-cve_2014_8503.patch
 Patch6: binutils-2.24-cve_2014_8504.patch
 Patch7: binutils-2.24-dirtravel.patch
+Patch8: binutils-2.24-cve_2014_8738.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u} -n)
 BuildRequires:  gawk texinfo
@@ -41,6 +42,7 @@ pushd binutils-%{version}
 %patch5 -p1 -b .cve_2014_8503
 %patch6 -p2 -b .cve_2014_8504
 %patch7 -p1 -b .dirtravel
+%patch8 -p1 -b .cve_2014_8738
 
 popd 
 cp %{SOURCE1} .
@@ -82,6 +84,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu Nov 13 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.24-3
+- fix CVE-2014-8738: out of bounds memory write
+
 * Wed Nov 12 2014 Michal Hlavinka <mhlavink at redhat.com> - 1:2.24-2
 - fix directory traversal vulnerability (#1162657)
 - fix CVE-2014-8501: out-of-bounds write when parsing specially crafted PE executable
diff --git a/binutils-2.24-cve_2014_8738.patch b/binutils-2.24-cve_2014_8738.patch
new file mode 100644
index 0000000..91cbabc
--- /dev/null
+++ b/binutils-2.24-cve_2014_8738.patch
@@ -0,0 +1,47 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Farchive.c;h=b9052135101d864082ec615053891e633f89da0c;hp=40a3395ba09be7cd60bc0220efa7b2ebe563e246;hb=bb0d867169d7e9743d229804106a8fbcab7f3b3f;hpb=ed9e98c214dde25cc9ff54bac7191c3824be3ffa
+
+diff --git a/bfd/archive.c b/bfd/archive.c
+index 40a3395..b905213 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -1293,6 +1293,9 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+       amt = namedata->parsed_size;
+       if (amt + 1 == 0)
+ 	goto byebye;
++      /* PR binutils/17533: A corrupt archive can contain an invalid size.  */
++      if (amt > (bfd_size_type) bfd_get_size (abfd))
++	goto byebye;
+ 
+       bfd_ardata (abfd)->extended_names_size = amt;
+       bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1);
+@@ -1300,6 +1303,8 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ 	{
+ 	byebye:
+ 	  free (namedata);
++	  bfd_ardata (abfd)->extended_names = NULL;
++	  bfd_ardata (abfd)->extended_names_size = 0;
+ 	  return FALSE;
+ 	}
+ 
+@@ -1308,7 +1313,6 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ 	  if (bfd_get_error () != bfd_error_system_call)
+ 	    bfd_set_error (bfd_error_malformed_archive);
+ 	  bfd_release (abfd, (bfd_ardata (abfd)->extended_names));
+-	  bfd_ardata (abfd)->extended_names = NULL;
+ 	  goto byebye;
+ 	}
+ 
+@@ -1316,11 +1320,12 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ 	 text, the entries in the list are newline-padded, not null
+ 	 padded. In SVR4-style archives, the names also have a
+ 	 trailing '/'.  DOS/NT created archive often have \ in them
+-	 We'll fix all problems here..  */
++	 We'll fix all problems here.  */
+       {
+ 	char *ext_names = bfd_ardata (abfd)->extended_names;
+ 	char *temp = ext_names;
+ 	char *limit = temp + namedata->parsed_size;
++
+ 	for (; temp < limit; ++temp)
+ 	  {
+ 	    if (*temp == ARFMAG[1])
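Review bot: The new size check in the embedded bfd/archive.c hunk (`if (amt > (bfd_size_type) bfd_get_size (abfd)) goto byebye;`) reaches `byebye` without setting a BFD error, whereas the failure branch a few lines below calls `bfd_set_error (bfd_error_malformed_archive)` before jumping. A caller that reports the BFD error after the FALSE return may therefore show a stale or unrelated error for a corrupt archive; consider `{ bfd_set_error (bfd_error_malformed_archive); goto byebye; }` on that branch. The bound is the whole file size rather than the bytes remaining after the current member, so it is only a sanity cap on the allocation, and the later read check (presumably a short-read test, not visible here) still has to reject sizes that run past end of file; a one-line comment saying so would help. `_bfd_slurp_extended_name_table` starts and ends outside the hunk, so this rests on the visible lines only.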

