Bug 17605

Summary: ar crashes on malformed archive
Product: binutils      Reporter: Alexander Cherepanov <cherepan>
Component: binutils    Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal       CC: nickc
Priority: P2
Version: 2.26
Target Milestone: ---
Host:                  Target:
Build:                 Last reconfirmed:
Attachments: Check for ctime() returning NULL

Description Alexander Cherepanov 2014-11-16 15:16:25 UTC
Test:

$ printf '!<arch>\n%16s%-32s%-10s`\n' '' 100000000000000000 0 > test.a
$ ar tv test.a
Segmentation fault

It crashes inside binutils-gdb/binutils/bucomm.c:

   424        if (bfd_stat_arch_elt (abfd, &buf) == 0)
   425          {
   426            char modebuf[11];
   427            char timebuf[40];
   428            time_t when = buf.st_mtime;
   429            const char *ctime_result = (const char *) ctime (&when);
   430            bfd_size_type size;
   431  
   432            /* POSIX format:  skip weekday and seconds from ctime output.  */
   433            sprintf (timebuf, "%.12s %.4s", ctime_result + 4, ctime_result + 20);

'when' is too big, 'ctime' returns 0, which gets dereferenced inside sprintf.

Seems not to be exploitable.

Found with American Fuzzy Lop.
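Added example, not code from the bug report or from binutils: a C version of the timestamp formatting that refuses to dereference a NULL ctime() result, next to a hypothetical bounded parser for the 12-byte ar mtime field. The header bytes are a constructed copy of what the reproducer's printf writes; the parser assumes a 64-bit time_t.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed copy of the 60-byte member header the reproducer writes:
   "100000000000000000" left-justified across the 32 bytes that hold
   ar_date(12) / ar_uid(6) / ar_gid(6) / ar_mode(8). */
static const char PR17605_HDR[] =
    "                "                   /* ar_name, 16 bytes            */
    "100000000000000000              "   /* ar_date .. ar_mode, 32 bytes */
    "0         "                         /* ar_size, 10 bytes            */
    "`\n";                               /* ar_fmag                      */

#define AR_DATE_LEN 12   /* decimal mtime field: space padded, no NUL */

/* Hypothetical bounded parser (not BFD's): reads only the 12-byte field,
   so digits spilling into ar_uid are ignored, and rejects empty,
   negative or overflowing values.  Returns 0 on success, -1 on failure. */
int parse_ar_mtime(const char *field, time_t *out)
{
    char tmp[AR_DATE_LEN + 1];
    char *end;
    long long v;

    memcpy(tmp, field, AR_DATE_LEN);  /* give strtoll a terminated copy */
    tmp[AR_DATE_LEN] = '\0';
    errno = 0;
    v = strtoll(tmp, &end, 10);
    if (end == tmp || errno == ERANGE || v < 0)
        return -1;
    *out = (time_t)v;                 /* assumes 64-bit time_t */
    return 0;
}

/* Same "%.12s %.4s" layout as print_arelt_descr, but never dereferences
   a NULL ctime() result (ctime fails when the year does not fit in an
   int).  Returns 0 on success, -1 with a placeholder in buf otherwise. */
int format_arelt_time(time_t when, char *buf, size_t len)
{
    const char *s = ctime(&when);
    if (s == NULL || strlen(s) < 24) {
        snprintf(buf, len, "%s", "<invalid time>");
        return -1;
    }
    snprintf(buf, len, "%.12s %.4s", s + 4, s + 20);
    return 0;
}
```

With the bounded parse the field yields 100000000000 (year 5138, still formattable); passing the full 18-digit value 100000000000000000 as a time_t makes ctime() return NULL and takes the placeholder path instead of crashing.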
Comment 1 Sourceware Commits 2014-11-18 17:36:58 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  0593bd3ace3cb64775f4d9e8039da919c26803cd (commit)
      from  8435453b810d8ab0574e509446003d10d04abfd4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0593bd3ace3cb64775f4d9e8039da919c26803cd

commit 0593bd3ace3cb64775f4d9e8039da919c26803cd
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 18 17:35:39 2014 +0000

    Fixes a seg-fault when displaying the time data for a corrupt archive.
    
    	PR binutils/17605
    	* bucomm.c (print_arelt_descr): Check for ctime returning NULL.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |    5 +++++
 binutils/bucomm.c  |    8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
Comment 2 Nick Clifton 2014-11-18 17:37:07 UTC
Created attachment 7946 [details]
Check for ctime() returning NULL
Comment 3 Nick Clifton 2014-11-18 17:38:00 UTC
Hi Alexander,

  Thanks for the bug report.  I have applied a patch (also uploaded here) to the master sources which should fix this problem.  Please give it a try.

Cheers
  Nick
Comment 4 Alan Modra 2022-08-03 11:04:57 UTC
.