Bug 17512 - libbfd/binutils: crashes on fuzzed samples
Status: RESOLVED FIXED
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.24
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Duplicates: 19296
Reported: 2014-10-26 22:42 UTC by Hanno Boeck
Modified: 2023-03-27 11:29 UTC

Attachments
maxvals.exe (248 bytes, application/x-ms-dos-executable), 2014-10-26 22:42 UTC, Hanno Boeck
dllmaxvals.dll (321 bytes, application/x-sharedlib), 2014-10-26 22:43 UTC, Hanno Boeck
Handle corrupt values for NumberOfRvaAndSizes field (437 bytes, patch), 2014-10-27 14:48 UTC, Nick Clifton
another crasher (1.64 KB, application/x-executable), 2014-10-27 15:20 UTC, Hanno Boeck
crashes objdump -x (290 bytes, application/x-ms-dos-executable), 2014-10-27 15:21 UTC, Hanno Boeck
More fixes for parsing corrupt binaries (3.64 KB, patch), 2014-10-27 18:07 UTC, Nick Clifton
another crasher for objdump -x (288 bytes, application/x-ms-dos-executable), 2014-10-28 12:57 UTC, Alexander Cherepanov
address sanitizer trace on objdump-pe-crasher2 (910 bytes, text/plain), 2014-10-28 13:39 UTC, Hanno Boeck
address sanitizer trace on objdump-elf-crasher AND strings-bfd-badfree (1.25 KB, text/plain), 2014-10-28 13:39 UTC, Hanno Boeck
strings-bfd-badfree (171 bytes, application/x-executable), 2014-10-29 10:47 UTC, Hanno Boeck
fuzzed objdump-pe-crasher (328 bytes, application/x-ms-dos-executable), 2014-10-29 23:20 UTC, Hanno Boeck
ihex stack overflow (120 bytes, application/octet-stream), 2014-10-30 16:20 UTC, Hanno Boeck
fuzzed elf out of memory sample (2.22 KB, application/x-executable), 2014-10-31 12:24 UTC, Hanno Boeck
valgrind on dllmaxvals (959 bytes, text/plain), 2014-10-31 12:25 UTC, Hanno Boeck
valgrind on fuzzed elf (2.02 KB, text/plain), 2014-10-31 12:25 UTC, Hanno Boeck
objdump -s hanger (322 bytes, text/x-matlab), 2014-10-31 17:26 UTC, Hanno Boeck
another memory exhaustion sample (elf) (2.19 KB, application/x-executable), 2014-10-31 18:17 UTC, Hanno Boeck
another memory exhaustion sample (pe) (334 bytes, application/x-sharedlib), 2014-10-31 18:17 UTC, Hanno Boeck
another memory exhaustion sample (aout) (944 bytes, application/octet-stream), 2014-10-31 18:17 UTC, Hanno Boeck
Several pe crashers (964 bytes, application/x-gzip), 2014-10-31 22:36 UTC, Alexander Cherepanov
valgrind output for 140849-0.004.exe (1.38 KB, text/plain), 2014-11-03 20:26 UTC, Alexander Cherepanov
More crashers for `objdump -x` (787.39 KB, application/x-gzip), 2014-11-03 21:17 UTC, Alexander Cherepanov
valgrind output for 140849-0.004.exe with --track-origins=yes (1.30 KB, text/plain), 2014-11-04 17:41 UTC, Alexander Cherepanov
Proposed patch to fix valgrind's complaints about using uninitialised memory (536 bytes, patch), 2014-11-05 10:28 UTC, Nick Clifton
More crashers for `objdump -x` (596.77 KB, application/x-gzip), 2014-11-05 12:06 UTC, Alexander Cherepanov
remaining valgrind warnings (17.70 KB, application/zip), 2014-11-05 18:47 UTC, Hanno Boeck
More crashers for `objdump -x` (364.14 KB, application/x-gzip), 2014-11-05 22:02 UTC, Alexander Cherepanov
More badness for `objdump -x` (1.52 MB, application/x-gzip), 2014-11-06 15:48 UTC, Alexander Cherepanov
elf exposing uninitialized value access with valgrind (2.57 KB, application/x-executable), 2014-11-10 18:21 UTC, Hanno Boeck
More badness for `objdump -x` (329.63 KB, application/x-gzip), 2014-11-11 09:34 UTC, Alexander Cherepanov
Crashers for `objdump -afphxgGWtTrRw --special-syms` (1009.32 KB, application/x-gzip), 2014-11-11 20:57 UTC, Alexander Cherepanov
Aborts in `objdump -afphxgGWtTrRw --special-syms` (534.01 KB, application/x-gzip), 2014-11-11 21:00 UTC, Alexander Cherepanov
More badness for `objdump -afphxgGWtTrRw --special-syms` (1.94 MB, application/x-gzip), 2014-11-13 11:21 UTC, Alexander Cherepanov
Badness for `objdump -afphxgGtTrRwW --special-syms` (189.26 KB, application/x-gzip), 2014-11-13 19:17 UTC, Alexander Cherepanov
A bit more badness for `objdump -afphxgGtTrRwW --special-syms` (5.68 KB, application/x-gzip), 2014-11-14 11:06 UTC, Alexander Cherepanov
4 samples crashing nm and objdump -x (383 bytes, application/x-xz), 2014-11-14 22:06 UTC, Hanno Boeck
Fresh crashers for `objdump -afphxgGtTrRwW --special-syms` (1005.28 KB, application/x-gzip), 2014-11-16 21:01 UTC, Alexander Cherepanov
And some aborts for `objdump -afphxgGtTrRwW --special-syms` (938.01 KB, application/x-gzip), 2014-11-16 21:02 UTC, Alexander Cherepanov
AFL crashers for `objdump -x` (175.13 KB, application/x-gzip), 2014-11-19 05:23 UTC, Alexander Cherepanov
Patch to fix a crash inside _bfd_coff_read_string_table in bfd/coffgen.c (369 bytes, patch), 2014-11-20 22:20 UTC, Alexander Cherepanov
First bunch of crashers for multiarch `objdump -afphxgGtTrRwW --special-syms` (140.30 KB, application/x-gzip), 2014-11-21 13:10 UTC, Alexander Cherepanov
objdump-x-fuzzing.tar.xz (2.35 KB, application/x-xz), 2014-11-21 15:35 UTC, Hanno Boeck
Next crashers for multiarch `objdump -afphxgGtTrRwW --special-syms` (163.25 KB, application/x-gzip), 2014-11-22 23:25 UTC, Alexander Cherepanov
More crashes for `objdump -afphxgGtTrRwW --special-syms` (161.22 KB, application/x-gzip), 2014-11-30 23:25 UTC, Alexander Cherepanov
Crashes for `objdump -afphxgGtTrRwW --special-syms` (9.38 KB, application/x-gzip), 2014-12-03 12:56 UTC, Alexander Cherepanov
More crashes for `objdump -afphxgGtTrRwW --special-syms` (712.24 KB, application/x-gzip), 2014-12-04 08:46 UTC, Alexander Cherepanov
More crashers for `objdump -afphxgGtTrRwW --special-syms` (37.69 KB, application/x-gzip), 2014-12-11 16:10 UTC, Alexander Cherepanov
More crashers for multiarch `objdump -afphxgGtTrRwW --special-syms` (202.81 KB, application/x-gzip), 2014-12-21 13:53 UTC, Alexander Cherepanov
Crasher for `size` (3.88 KB, application/x-gzip), 2014-12-25 14:32 UTC, Alexander Cherepanov
Crashers for `nm-new -DClpSs --special-syms --synthetic` (312.89 KB, application/x-gzip), 2014-12-25 15:02 UTC, Alexander Cherepanov
Crashers for `coffdump` (1017.40 KB, application/x-gzip), 2014-12-25 16:05 UTC, Alexander Cherepanov
More problems with `objdump -afphxgGtTrRwW --special-syms` (2.77 KB, application/x-gzip), 2014-12-25 16:34 UTC, Alexander Cherepanov
Problems with `srconv` (111.95 KB, application/x-xz), 2015-01-02 21:14 UTC, Alexander Cherepanov
Problems with `dlltool -e exp.out -l lib.out -z def.out` (10.96 KB, application/x-xz), 2015-01-03 09:37 UTC, Alexander Cherepanov
Problems with `nlmconv` (8.02 KB, application/x-xz), 2015-01-03 09:38 UTC, Alexander Cherepanov
Problems with `sysdump` (312.31 KB, application/x-xz), 2015-01-03 11:22 UTC, Alexander Cherepanov
Problems with `strip-new` (619.04 KB, application/x-xz), 2015-01-03 12:37 UTC, Alexander Cherepanov
Problems with `objdump -afphxgGtTrRwW --special-syms` (16.21 KB, application/x-xz), 2015-01-12 16:47 UTC, Alexander Cherepanov
Problems with `coffdump` (6.80 KB, application/x-xz), 2015-01-16 22:25 UTC, Alexander Cherepanov
Problems with `strip-new` (378.26 KB, application/x-xz), 2015-01-18 22:38 UTC, Alexander Cherepanov
Problems with `nlmconv` (7.11 KB, application/x-xz), 2015-01-19 20:13 UTC, Alexander Cherepanov
Problems with `dlltool -e /dev/null -l /dev/null -z /dev/null` (4.04 KB, application/x-xz), 2015-01-20 23:07 UTC, Alexander Cherepanov
Problems with `dlltool -I` (3.92 KB, application/x-xz), 2015-01-24 18:08 UTC, Alexander Cherepanov
Problems with `addr2line -ie @@ 0` (8.48 KB, application/x-xz), 2015-01-25 21:05 UTC, Alexander Cherepanov
Problems with `windres` (909.23 KB, application/x-xz), 2015-01-25 21:22 UTC, Alexander Cherepanov
Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit) (595.55 KB, application/x-xz), 2015-02-02 17:13 UTC, Alexander Cherepanov
Problems with `nm-new -DClpSs --special-syms --synthetic` (32-bit) (168.81 KB, application/x-xz), 2015-02-03 18:50 UTC, Alexander Cherepanov
Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit) (947.07 KB, application/x-xz), 2015-02-05 20:24 UTC, Alexander Cherepanov
Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit) -- ubsan (11.03 KB, application/x-xz), 2015-02-08 16:56 UTC, Alexander Cherepanov
Problems with `addr2line -ie @@ -- ...` (32-bit) (870.41 KB, application/x-xz), 2015-02-11 23:49 UTC, Alexander Cherepanov
Problems with `srconv @@ /dev/null` (32-bit) (65.31 KB, application/x-xz), 2015-02-12 21:14 UTC, Alexander Cherepanov
Problems with `windres` (32-bit) (211.28 KB, application/x-xz), 2015-02-15 22:30 UTC, Alexander Cherepanov
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms` (32-bit) (7.68 MB, application/x-xz), 2015-02-16 19:38 UTC, Alexander Cherepanov
Problems with `strip-new -o /dev/null` (32-bit) (949.45 KB, application/x-xz), 2015-02-17 20:53 UTC, Alexander Cherepanov
Proposed patch (320 bytes, patch), 2016-07-25 10:00 UTC, Nick Clifton

Description Hanno Boeck 2014-10-26 22:42:33 UTC
Created attachment 7849: maxvals.exe

Running strings, nm or objdump on one of the attached files will segfault.

Here is a stack trace from address sanitizer:
==10552== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb5979be0 at pc 0x5a2d34 bp 0x7fffb5979890 sp 0x7fffb5979888
WRITE of size 8 at 0x7fffb5979be0 thread T0
    #0 0x5a2d33 in _bfd_pei_swap_aouthdr_in /tmp/binutils-2.24.90/bfd/peigen.c:513:0
    #1 0x591bf2 in pe_bfd_object_p /tmp/binutils-2.24.90/bfd/peicode.h:1339:0
    #2 0x41f10b in bfd_check_format_matches /tmp/binutils-2.24.90/bfd/format.c:305:0
    #3 0x41e28f in bfd_check_format /tmp/binutils-2.24.90/bfd/format.c:94:0
    #4 0x4038ed in strings_object_file /tmp/binutils-2.24.90/binutils/strings.c:389:0
    #5 0x403b29 in strings_file /tmp/binutils-2.24.90/binutils/strings.c:432:0
    #6 0x4034f2 in main /tmp/binutils-2.24.90/binutils/strings.c:299:0
    #7 0x7f25477b6a64 in __libc_start_main ??:0:0
    #8 0x402d58 in _start ??:0:0

These samples come from here:
https://github.com/radare/radare2-regressions/tree/master/bins/pe

I tested those after reading this comment:
http://lcamtuf.blogspot.de/2014/10/psa-dont-run-strings-on-untrusted-files.html?showComment=1414290018616&m=1#c6670003407817856261

However I'm not sure if this bug is the same as the one the commenter there is mentioning.
Comment 1 Hanno Boeck 2014-10-26 22:43:05 UTC
Created attachment 7850: dllmaxvals.dll
Comment 2 Sourceware Commits 2014-10-27 14:47:02 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  7e1e19887abd24aeb15066b141cdff5541e0ec8e (commit)
      from  493a33860c71cac998f1a56d6d87d6faa801fbaa (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e1e19887abd24aeb15066b141cdff5541e0ec8e

commit 7e1e19887abd24aeb15066b141cdff5541e0ec8e
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Oct 27 14:45:06 2014 +0000

    Fix a seg-fault in strings and other binutils when parsing a corrupt PE
    executable with an invalid value in the NumberOfRvaAndSizes field of the
    AOUT header.
    
    	PR binutils/17512
    	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
    	with an invalid value for NumberOfRvaAndSizes.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |    4 ++++
 bfd/peXXigen.c |   12 ++++++++++++
 2 files changed, 16 insertions(+), 0 deletions(-)
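An added illustration of the defect class behind the first trace on this bug and of the kind of check the commit above describes: a minimal reader for the data-directory tail of the PE optional header, where NumberOfRvaAndSizes lives. This is example code written for this page, not binutils' own or the attached patch; the header layout, the 16-entry limit (IMAGE_NUMBEROF_DIRECTORY_ENTRIES) and all sample bytes are assumptions or constructed here.

```c
/* Added example, not binutils code.  The PE optional header ends in a fixed
 * 16-entry data-directory array whose length is read from the file: a
 * NumberOfRvaAndSizes above 16 walks the copy loop past the array, which on
 * a stack-allocated header is the stack-buffer-overflow reported above.
 * Assumed layout: 4-byte LE count, then count x (4-byte RVA, 4-byte Size).
 * All input bytes are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_NUM_DATA_DIRS 16   /* IMAGE_NUMBEROF_DIRECTORY_ENTRIES */

struct data_dir { uint32_t rva; uint32_t size; };

struct aouthdr {
  uint32_t number_of_rva_and_sizes;
  struct data_dir data_directory[PE_NUM_DATA_DIRS];   /* fixed size */
};

static uint32_t get_le32 (const unsigned char *p)
{
  return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t) p[3] << 24);
}

static void put_le32 (unsigned char *p, uint32_t v)
{
  p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* Returns the number of entries copied, or -1 if the header is rejected.
 * Without the two checks marked HARDENED this is the vulnerable shape:
 * the loop bound comes straight from the file. */
static int parse_data_dirs (const unsigned char *buf, size_t len,
                            struct aouthdr *hdr)
{
  if (len < 4)
    return -1;
  memset (hdr, 0, sizeof *hdr);
  uint32_t n = get_le32 (buf);

  /* HARDENED: the count indexes a fixed array, so cap it before the loop
   * (rejecting is the strict choice; warning and treating the directory as
   * empty is the lenient one). */
  if (n > PE_NUM_DATA_DIRS)
    {
      fprintf (stderr, "warning: NumberOfRvaAndSizes %u exceeds %d\n",
               n, PE_NUM_DATA_DIRS);
      return -1;
    }
  /* HARDENED: the entries must also fit in the bytes actually read, or a
   * small count on a truncated file reads past the buffer instead. */
  if ((size_t) n * 8 > len - 4)
    return -1;

  hdr->number_of_rva_and_sizes = n;
  for (uint32_t i = 0; i < n; i++)
    {
      hdr->data_directory[i].rva  = get_le32 (buf + 4 + i * 8);
      hdr->data_directory[i].size = get_le32 (buf + 8 + i * 8);
    }
  return (int) n;
}

/* Constructed input: count 0xFFFFFFFF, the kind of value a "max values"
 * fuzz sample carries.  Returns -1 (rejected). */
static int demo_corrupt_count (void)
{
  unsigned char buf[4 + 8 * PE_NUM_DATA_DIRS] = { 0 };
  struct aouthdr hdr;
  put_le32 (buf, 0xffffffffu);
  return parse_data_dirs (buf, sizeof buf, &hdr);
}

/* Constructed input: count 3 but only one entry's worth of bytes follow.
 * Returns -1 (rejected by the length check). */
static int demo_truncated_header (void)
{
  unsigned char buf[4 + 8] = { 0 };
  struct aouthdr hdr;
  put_le32 (buf, 3);
  return parse_data_dirs (buf, sizeof buf, &hdr);
}

/* Constructed input: a well-formed header with two directories, an export
 * table at RVA 0x3000 of size 0x80 and an empty import table.  Returns the
 * parsed export RVA (0x3000) when exactly two entries were copied, else -1. */
static long demo_valid_header (void)
{
  unsigned char buf[4 + 8 * 2];
  struct aouthdr hdr;
  put_le32 (buf, 2);
  put_le32 (buf + 4, 0x3000); put_le32 (buf + 8, 0x80);
  put_le32 (buf + 12, 0);     put_le32 (buf + 16, 0);
  if (parse_data_dirs (buf, sizeof buf, &hdr) != 2)
    return -1;
  return (long) hdr.data_directory[0].rva;
}
```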
Comment 3 Nick Clifton 2014-10-27 14:48:01 UTC
Created attachment 7852: Handle corrupt values for NumberOfRvaAndSizes field

Hi Hanno,

  I have applied the uploaded patch to the mainline sources.  Please try it out and see if it resolves the problem for you.

Cheers
  Nick
Comment 4 Hanno Boeck 2014-10-27 15:20:13 UTC
Created attachment 7853: another crasher
Comment 5 Hanno Boeck 2014-10-27 15:21:29 UTC
Created attachment 7854: crashes objdump -x

The last two came from here (by Alexander Cherepanov):
http://seclists.org/oss-sec/2014/q4/451
Michal Zalewski already analyzed their cause:
http://seclists.org/oss-sec/2014/q4/452
Comment 6 Sourceware Commits 2014-10-27 18:07:31 UTC
The branch, master has been updated
       via  bf67003b4567600ed3022a439207ac8f26454f91 (commit)
      from  7e1e19887abd24aeb15066b141cdff5541e0ec8e (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bf67003b4567600ed3022a439207ac8f26454f91

commit bf67003b4567600ed3022a439207ac8f26454f91
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Oct 27 18:05:37 2014 +0000

    This fixes more seg-faults in tools like "strings" and "objdump" when
    presented with corrupt binaries.
    
    	PR binutils/17512
    	* elf.c (bfd_section_from_shdr): Detect and warn about ELF
    	binaries with a group of sections linked by the string table
    	indices.
    	* peXXigen.c (pe_print_edata): Detect out of range rvas and
    	entry counts for the Export Address table, Name Pointer table
    	and Ordinal table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |    5 ++
 bfd/elf.c      |  194 +++++++++++++++++++++++++++++++++++++-------------------
 bfd/peXXigen.c |   18 +++++-
 3 files changed, 150 insertions(+), 67 deletions(-)
Comment 7 Nick Clifton 2014-10-27 18:07:57 UTC
Created attachment 7855: More fixes for parsing corrupt binaries
Comment 8 Nick Clifton 2014-10-27 18:08:38 UTC
Hi Hanno,

  Please try out the latest mainline binutils sources and see if they fix these problems for you.

Cheers
  Nick
Comment 9 Mike Frysinger 2014-10-27 19:01:45 UTC
(In reply to Nick Clifton from comment #8)

for each of the crash fixes, could you post them to the 2.25 branch ?  I imagine there will be a lot of noise if they're not in the 2.25 final release ;).
Comment 10 Hanno Boeck 2014-10-27 19:07:21 UTC
With all patches attached objdump-pe-crasher still causes objdump to crash (attachment 7854 on this bug). To reproduce run
objdump -x objdump-pe-crasher
Comment 11 Nick Clifton 2014-10-28 08:37:04 UTC
(In reply to Hanno Boeck from comment #10)
> With all patches attached objdump-pe-crasher still causes objdump to crash
> (attachment 7854 on this bug). To reproduce run
> objdump -x objdump-pe-crasher

Are you sure ?  In my tests objdump works and does not crash.  The second patch ("More fixes for parsing corrupt binaries") should have taken care of this problem.

Cheers
  Nick
Comment 12 Hanno Boeck 2014-10-28 10:21:39 UTC
It's a bit confusing. When I patch binutils 2.24 with attachment 7855 (and a bunch of other crash fixes for the other issues) then I can still reproduce the crash with objdump-pe-crasher (please note that this only appears with objdump -x).

However if I take binutils git head code I can't reproduce it any more. So it seems there's some other change in the git code that prevents this crash. (please also note that the stackoverflow sample from bug #17510 still crashes strings/objdump/nm on git head code)
Comment 13 Sourceware Commits 2014-10-28 10:52:23 UTC
The branch, binutils-2_25-branch has been updated
       via  b2f93c5011cab00f31669363577b938697752e43 (commit)
      from  a809b386e59dfcb3f4dedd8465975dabc55db5db (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b2f93c5011cab00f31669363577b938697752e43

commit b2f93c5011cab00f31669363577b938697752e43
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Oct 28 10:50:17 2014 +0000

    Import patches from the master branch which prevent seg-faults when parsing
    corrupt binaries.
    
    	2014-10-28  Andreas Schwab  <schwab@suse.de>
    		    Nick Clifton  <nickc@redhat.com>
    	PR binutils/17510
    	* srec.c (srec_bad_byte): Increase size of buf to allow for
    	negative values.
    	(srec_scan): Use an unsigned char buffer to hold header bytes.
    
    	2014-10-27  Nick Clifton  <nickc@redhat.com>
    	PR binutils/17512
    	* elf.c (bfd_section_from_shdr): Detect and warn about ELF
    	binaries with a group of sections linked by the string table
    	indices.
    	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries
    	with an invalid value for NumberOfRvaAndSizes.
    	(pe_print_edata): Detect out of range rvas and entry counts for
    	the Export Address table, Name Pointer table and Ordinal table.
    
    	PR binutils/17510
    	* elf.c (setup_group): Improve handling of corrupt group
    	sections.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |   25 ++++++
 bfd/elf.c      |  226 +++++++++++++++++++++++++++++++++++++++-----------------
 bfd/peXXigen.c |   29 +++++++-
 bfd/srec.c     |    4 +-
 4 files changed, 212 insertions(+), 72 deletions(-)
Comment 14 Nick Clifton 2014-10-28 11:04:30 UTC
Hi Mike,

> for each of the crash fixes, could you post them to the 2.25 branch ?

Done. :-)

Cheers
  Nick
Comment 15 Nick Clifton 2014-10-28 11:06:24 UTC
Hi Hanno,

> It's a bit confusing. When I patch binutils 2.24 with attachment 7855
> (and a bunch of other crash fixes for the other issues) then I can
> still reproduce the crash with objdump-pe-crasher (please note that this
> only appears with objdump -x).
> 
> However if I take binutils git head code I can't reproduce it any more.

Ah - my bad then - I must have fixed something else and forgotten to include it in the uploaded patch.  Silly me.  Still at least the mainline code works now.

Cheers
  Nick 

> (please also note that the stackoverflow sample from bug #17510 still
> crashes strings/objdump/nm on git head code)

This should be fixed now...
Comment 16 Alexander Cherepanov 2014-10-28 12:57:50 UTC
Created attachment 7857: another crasher for objdump -x

Seems to be different from the previous crasher. Sorry, I cannot test git head right now so I cannot be sure it's not yet fixed.
Comment 17 Hanno Boeck 2014-10-28 13:37:03 UTC
Okay, things are getting a little bit complicated, but here are my test results:

objdump-pe-crasher2 gives a heap overflow on latest git head with address sanitizer enabled (will attach symbolized output / trace).

For the other samples individually they all are now fine. However if I pass both objdump-elf-crasher and strings-bfd-badfree to objdump -x asan reports a use-after-free:
objdump -x objdump-elf-crasher strings-bfd-badfree
Comment 18 Hanno Boeck 2014-10-28 13:39:08 UTC
Created attachment 7858: address sanitizer trace on objdump-pe-crasher2
Comment 19 Hanno Boeck 2014-10-28 13:39:39 UTC
Created attachment 7859: address sanitizer trace on objdump-elf-crasher AND strings-bfd-badfree
Comment 20 Sourceware Commits 2014-10-28 15:44:09 UTC
The branch, master has been updated
       via  5a4b0ccc20ba30caef53b01bee2c0aaa5b855339 (commit)
      from  1df4399f27f8ee817d8eb4c73bba42bb65844303 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5a4b0ccc20ba30caef53b01bee2c0aaa5b855339

commit 5a4b0ccc20ba30caef53b01bee2c0aaa5b855339
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Oct 28 15:42:56 2014 +0000

    More fixes for corrupt binaries crashing the binutils.
    
    	PR binutils/17512
    	* elf.c (bfd_section_from_shdr): Allocate and free the recursion
    	detection table on a per-bfd basis.
    	* peXXigen.c (pe_print_edata): Handle binaries with a truncated
    	export table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |    8 ++++++++
 bfd/elf.c      |   16 +++++++++++++---
 bfd/peXXigen.c |    9 +++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)
Comment 21 Nick Clifton 2014-10-28 15:45:17 UTC
Hi Hanno,

  Please try the latest git head, which should address both of the problems detected by the address sanitizer.

Cheers
  Nick
Comment 22 Sourceware Commits 2014-10-28 15:48:46 UTC
The branch, binutils-2_25-branch has been updated
       via  acafeb6056bec47d7211cf462a7c211a8c95cf42 (commit)
      from  cc8536de0fb8f40587cf99dad9460237ce9af7a7 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=acafeb6056bec47d7211cf462a7c211a8c95cf42

commit acafeb6056bec47d7211cf462a7c211a8c95cf42
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Oct 28 15:47:13 2014 +0000

    Fixes another couple of memory errors reading corrupt binaries.  This time
    detected by the address sanitizer.
    
    	PR binutils/17512
    	* elf.c (bfd_section_from_shdr): Allocate and free the recursion
    	detection table on a per-bfd basis.
    	* peXXigen.c (pe_print_edata): Handle binaries with a truncated
    	export table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |    7 +++++++
 bfd/elf.c      |   16 +++++++++++++---
 bfd/peXXigen.c |    9 +++++++++
 3 files changed, 29 insertions(+), 3 deletions(-)
Comment 23 Hanno Boeck 2014-10-28 18:13:28 UTC
The objdump-pe-crasher2 issue is fixed, the use-after-free (when running strings or objdump -x on objdump-elf-crasher and strings-bfd-badfree at the same time) is still there.
Comment 24 Nick Clifton 2014-10-29 10:25:42 UTC
Hi Hanno,

  Running objdump -x with multiple arguments is now working for me.  Maybe it is something to do with this strings-bfd-badfree binary that you are using.  Please could you upload it to this issue ?  (Or is strings-bfd-badfree another name for strings-bfd-badptr ?)

Cheers
  Nick
Comment 25 Hanno Boeck 2014-10-29 10:47:09 UTC
Created attachment 7860: strings-bfd-badfree
Comment 26 Nick Clifton 2014-10-29 13:32:13 UTC
Hi Hanno,

  Thanks for the upload.  Unfortunately objdump (and nm and strings) all continue to work with single and multiple arguments.  And this is definitely with address sanitization enabled as well, and with the very latest FSF master sources, with no local patches applied. :-(

  If the problem still exists with you, would you mind doing a little investigation please ?  The use-after-free is almost certainly happening at line 1610 or 1616 of bfd/elf.c.  Could you confirm this ?

  Also can you tell me the exact command line you are using to reproduce the problem, and also how you configured and built the toolchain that you are using ?

Cheers
  Nick
Comment 27 Hanno Boeck 2014-10-29 16:43:48 UTC
Okay, here's the super-step-by-step-instruction to reproduce the UAF:
git clone git://sourceware.org/git/binutils-gdb.git
cd binutils-gdb/
./configure --disable-shared CFLAGS="-fsanitize=address -g"
make
binutils/objdump -x [path_to]/objdump-elf-crasher [path_to]/strings-bfd-badfree

According to asan the use-after-free happens in line 2110 of elf.c; this is the code:
    sections_being_created [shindex] = FALSE;
Comment 28 Sourceware Commits 2014-10-29 21:00:34 UTC
The branch, master has been updated
       via  e5b470e24ce448a56230137a37d3b17299593041 (commit)
      from  f60325bea599bab4cb721c6e797bc6b908fa616c (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e5b470e24ce448a56230137a37d3b17299593041

commit e5b470e24ce448a56230137a37d3b17299593041
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Oct 29 20:58:13 2014 +0000

    Fixes another memory corruption bug introduced by patches for PR 17512.
    
    	* elf.c (bfd_section_from_shdr): Fix heap use after free memory
    	leak.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    7 ++++++-
 bfd/elf.c     |    2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
Comment 29 Nick Clifton 2014-10-29 21:03:09 UTC
Hi Hanno,

  Thanks for the step by step guide.  With that I was able to reproduce the problem.  I do not know why it did not show for me in my original tests, but at least now I can report that the latest git head sources should work for you as well as for me.

Cheers
  Nick
Comment 30 Hanno Boeck 2014-10-29 23:20:11 UTC
Created attachment 7862: fuzzed objdump-pe-crasher

Hi Nick, thanks for the fixes.

However, further fuzzing turned up another asan-detected issue. This is actually a fuzzed version of the objdump-pe-crasher binary (attachment 7854):

==2937== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60080000b834 at pc 0x4d0c67 bp 0x7fffdd272be0 sp 0x7fffdd272bd8
READ of size 1 at 0x60080000b834 thread T0
    #0 0x4d0c66 in bfd_getl32 /data/binutils/binutils-gdb-asan/bfd/libbfd.c:619:0
    #1 0x650684 in _bfd_pei_swap_aux_in /data/binutils/binutils-gdb-asan/bfd/peigen.c:314:0
    #2 0x4c9ab1 in coff_get_normalized_symtab /data/binutils/binutils-gdb-asan/bfd/coffgen.c:1781:0
    #3 0x64c021 in coff_slurp_symbol_table /data/binutils/binutils-gdb-asan/bfd/coffcode.h:4663:0
    #4 0x4c0b5c in coff_get_symtab_upper_bound /data/binutils/binutils-gdb-asan/bfd/coffgen.c:410:0
    #5 0x4044ab in slurp_symtab /data/binutils/binutils-gdb-asan/binutils/./objdump.c:563:0
    #6 0x4123ee in dump_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3227:0
    #7 0x41285d in display_object_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3315:0
    #8 0x412b85 in display_any_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3389:0
    #9 0x412bf6 in display_file /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3410:0
    #10 0x41370e in main /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3692:0
    #11 0x7f0eb1633a64 in __libc_start_main ??:0:0
    #12 0x402f78 in _start ??:0:0
0x60080000b834 is located 0 bytes to the right of 36-byte region [0x60080000b810,0x60080000b834)
allocated by thread T0 here:
    #0 0x7f0eb1de4dda in malloc ??:0:0
    #1 0x4d01ed in bfd_malloc /data/binutils/binutils-gdb-asan/bfd/libbfd.c:181:0
    #2 0x4c8d02 in _bfd_coff_get_external_symbols /data/binutils/binutils-gdb-asan/bfd/coffgen.c:1619:0
    #3 0x4c973f in coff_get_normalized_symtab /data/binutils/binutils-gdb-asan/bfd/coffgen.c:1752:0
    #4 0x64c021 in coff_slurp_symbol_table /data/binutils/binutils-gdb-asan/bfd/coffcode.h:4663:0
    #5 0x4c0b5c in coff_get_symtab_upper_bound /data/binutils/binutils-gdb-asan/bfd/coffgen.c:410:0
    #6 0x4044ab in slurp_symtab /data/binutils/binutils-gdb-asan/binutils/./objdump.c:563:0
    #7 0x4123ee in dump_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3227:0
    #8 0x41285d in display_object_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3315:0
    #9 0x412b85 in display_any_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3389:0
    #10 0x412bf6 in display_file /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3410:0
    #11 0x41370e in main /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3692:0
    #12 0x7f0eb1633a64 in __libc_start_main ??:0:0
Comment 31 Nick Clifton 2014-10-30 15:56:28 UTC
Hi Hanno,

  OK, the head/master branch sources have been updated again.  Please give this new version a go.

Cheers
  Nick

PS.  I think that the difference between my address sanitized build and yours was that you configured with CFLAGS="-fsanitize=address -g" whereas I just configured with CFLAGS="-faddress=sanitize"...
Comment 32 Sourceware Commits 2014-10-30 15:57:31 UTC
The branch, master has been updated
       via  7e760b06b212f01b3819d5b37e8f5b613e0db34c (commit)
      from  3bdff46b67a527886f49735a5d192c05a332a131 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e760b06b212f01b3819d5b37e8f5b613e0db34c

commit 7e760b06b212f01b3819d5b37e8f5b613e0db34c
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Oct 30 15:52:10 2014 +0000

    Closes another memory corruption, this time due to heap overrun.
    
    	PR binutils/17512
    	* coffgen.c (coff_get_normalized_symtab): Prevent buffer overrun.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    5 +++++
 bfd/coffgen.c |    8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
Comment 33 Hanno Boeck 2014-10-30 16:20:01 UTC
Created attachment 7869: ihex stack overflow

Hi Nick, thanks. One fixed, one more fuzzed :-)

==25054== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffdcc2b2d8 at pc 0x4fa49a bp 0x7fffdcc2b1e0 sp 0x7fffdcc2b1d8
READ of size 1 at 0x7fffdcc2b2d8 thread T0
    #0 0x4fa499 in ihex_scan /data/binutils/binutils-gdb-asan/bfd/ihex.c:324:0
    #1 0x4fc449 in ihex_object_p /data/binutils/binutils-gdb-asan/bfd/ihex.c:526:0
    #2 0x4cf130 in bfd_check_format_matches /data/binutils/binutils-gdb-asan/bfd/format.c:305:0
    #3 0x41284d in display_object_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3313:0
    #4 0x412b85 in display_any_bfd /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3389:0
    #5 0x412bf6 in display_file /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3410:0
    #6 0x41370e in main /data/binutils/binutils-gdb-asan/binutils/./objdump.c:3692:0
    #7 0x7f7d7cc57a64 in __libc_start_main ??:0:0
    #8 0x402f78 in _start ??:0:0
Address 0x7fffdcc2b2d8 is located at offset 104 in frame <ihex_scan> of T0's stack:
  This frame has 3 object(s):
    [32, 36) 'error'
    [96, 104) 'hdr'
    [160, 180) 'secbuf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x10007b97d600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b97d610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b97d620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b97d630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b97d640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
=>0x10007b97d650: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00[f4]f4 f4 f2 f2
  0x10007b97d660: f2 f2 00 00 04 f4 00 00 00 00 00 00 00 00 00 00
  0x10007b97d670: 00 00 00 00 f1 f1 f1 f1 00 01 f4 f4 00 00 00 00
  0x10007b97d680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b97d690: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
  0x10007b97d6a0: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==25054== ABORTING
Comment 34 Sourceware Commits 2014-10-30 17:18:24 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  0102ea8cec5fc509bba6c91df61b7ce23a799d32 (commit)
      from  7e760b06b212f01b3819d5b37e8f5b613e0db34c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0102ea8cec5fc509bba6c91df61b7ce23a799d32

commit 0102ea8cec5fc509bba6c91df61b7ce23a799d32
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Oct 30 17:16:17 2014 +0000

    Fixes a seg-fault in the ihex parser when it encounters a malformed ihex file.
    
    	PR binutils/17512
    	* ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    1 +
 bfd/ihex.c    |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)
Comment 35 Nick Clifton 2014-10-30 17:21:23 UTC
Hi Hanno,

  [Queues up Queen's Another One Bites The Dust...]

  Try head again - the ihex fix is in.

Cheers
  Nick
Comment 36 Sourceware Commits 2014-10-31 10:26:34 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, binutils-2_25-branch has been updated
       via  5278f3dd9f3bfa44af7348fd6687a78692aafbfb (commit)
      from  b0b93f3592f3d165896e8dc8186a7ba285f0f3e4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5278f3dd9f3bfa44af7348fd6687a78692aafbfb

commit 5278f3dd9f3bfa44af7348fd6687a78692aafbfb
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Oct 31 10:24:58 2014 +0000

    Import a patch from the mainline to fix a seg-fault in the BFD library:
    
    	PR binutils/17512
    	* ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte.
    	* coffgen.c (coff_get_normalized_symtab): Prevent buffer overrun.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    9 +++++++++
 bfd/ihex.c    |    2 +-
 2 files changed, 10 insertions(+), 1 deletions(-)
Comment 37 Hanno Boeck 2014-10-31 12:23:18 UTC
Hi Nick,

You'll be happy to hear that even with lots of fuzzing samples I wasn't able to create another address sanitizer error. But I'll keep trying.

However, I still experience some warnings that I think would deserve a fix. They allocate too much memory.

One is triggered by the dllmaxvals.dll (attachment 7850 [details]). I think what is happening here is that libbfd is just allocating space for the executable segments with whatever values are given in the header. A check to verify if the executable is that large should stop this.

The other is in the elf parser and I haven't analyzed it further. I'll attach the fuzzing sample exposing it and also the valgrind output (with non-asan binaries, because valgrind and asan don't mix well). Address Sanitizer doesn't give that much output for these, but valgrind does and this should give a clue what's going on.

cu, Hanno
Comment 38 Hanno Boeck 2014-10-31 12:24:43 UTC
Created attachment 7873 [details]
fuzzed elf out of memory sample
Comment 39 Hanno Boeck 2014-10-31 12:25:08 UTC
Created attachment 7874 [details]
valgrind on dllmaxvals
Comment 40 Hanno Boeck 2014-10-31 12:25:27 UTC
Created attachment 7875 [details]
valgrind on fuzzed elf
Comment 41 Sourceware Commits 2014-10-31 16:38:26 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  f54498b45795194df671207c6ef3d6cd6d0c0ebb (commit)
      from  fe06005387223e8a8b37e49036efe06b4062c7f4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f54498b45795194df671207c6ef3d6cd6d0c0ebb

commit f54498b45795194df671207c6ef3d6cd6d0c0ebb
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Oct 31 16:36:31 2014 +0000

    Avoid allocating over-large buffers when parsing corrupt binaries.
    
    	PR binutils/17512
    	* coffgen.c (_bfd_coff_get_external_symbols): Do not try to load a
    	symbol table bigger than the file.
    	* elf.c (bfd_elf_get_str_section): Do not try to load a string
    	table bigger than the file.
    
    	* readelf.c (process_program_headers): Avoid memory exhaustion due
    	to corrupt values in a dynamic segment header.
    	(get_32bit_elf_symbols): Do not attempt to read an over-large
    	section.
    	(get_64bit_elf_symbols): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |    8 ++++++++
 bfd/coffgen.c      |    5 +++++
 bfd/elf.c          |    5 +++++
 binutils/ChangeLog |    9 +++++++++
 binutils/readelf.c |   32 ++++++++++++++++++++++++++++----
 5 files changed, 55 insertions(+), 4 deletions(-)
Comment 42 Nick Clifton 2014-10-31 16:39:51 UTC
Hi Hanno,

  OK, head has been updated again.  Please give it a respin.

Cheers
  Nick
Comment 43 Hanno Boeck 2014-10-31 17:26:14 UTC
Created attachment 7877 [details]
objdump -s hanger

It's not over yet. This one will cause objdump -s to hang forever, likely an endless loop.
Comment 44 Sourceware Commits 2014-10-31 18:02:19 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  690725fa0d98ae52c991f4b3ea58b6b47b4fbc80 (commit)
      from  f54498b45795194df671207c6ef3d6cd6d0c0ebb (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=690725fa0d98ae52c991f4b3ea58b6b47b4fbc80

commit 690725fa0d98ae52c991f4b3ea58b6b47b4fbc80
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Oct 31 18:00:55 2014 +0000

    Fix an (almost) infinite loop in the tekhex parser.
    
    	PR binutils/17512
    	* tekhex.c (first_phase): Check that the section range is sane.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    1 +
 bfd/tekhex.c  |    3 +++
 2 files changed, 4 insertions(+), 0 deletions(-)
Comment 45 Nick Clifton 2014-10-31 18:03:30 UTC
Hi Hanno,

  The loop would have ended eventually - when your machine ran out of memory. :-)

  Anyway it is fixed now, so bring on the next one.

Cheers
  Nick
Comment 46 Hanno Boeck 2014-10-31 18:17:22 UTC
Created attachment 7878 [details]
another memory exhaustion sample (elf)
Comment 47 Hanno Boeck 2014-10-31 18:17:37 UTC
Created attachment 7879 [details]
another memory exhaustion sample (pe)
Comment 48 Hanno Boeck 2014-10-31 18:17:58 UTC
Created attachment 7880 [details]
another memory exhaustion sample (aout)
Comment 49 Alexander Cherepanov 2014-10-31 22:36:18 UTC
Created attachment 7881 [details]
Several pe crashers

all different according to valgrind
Comment 50 Sourceware Commits 2014-11-03 17:46:00 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  5a3f568b70bdfb91aacdfb66657b56d8c6d242f1 (commit)
      from  ba241f2d5a6f1ac57e746d230892e27a70def4a6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5a3f568b70bdfb91aacdfb66657b56d8c6d242f1

commit 5a3f568b70bdfb91aacdfb66657b56d8c6d242f1
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 3 17:44:00 2014 +0000

    More fixes for buffer overruns instigated by corrupt binaries.
    
    	PR binutils/17512
    	* objdump.c (slurp_symtab): Fail gracefully if the table could not
    	be read.
    	(dump_relocs_in_section): Likewise.
    
    	* aoutx.h (slurp_symbol_table): Check that computed table size is
    	not bigger than the file from which is it being read.
    	(slurp_reloc_table): Likewise.
    	* coffcode.h (coff_slurp_line_table): Remove unneeded local
    	'warned'.  Do not try to print the details of a symbol with an
    	invalid index.
    	* coffgen.c (make_a_sectiobn_from_file): Check computed string
    	index against length of string table.
    	(bfd_coff_internal_syment_name): Check read in string offset
    	against length of string table.
    	(build_debug_section): Return a pointer to the section used.
    	(_bfd_coff_read_string_table): Store the length of the string
    	table in the coff_tdata structure.
    	(bfd_coff_free_symbols): Set the length of the string table to
    	zero when it is freed.
    	(coff_get_normalized_symtab): Check offsets against string table
    	or data table lengths as appropriate.
    	* cofflink.c (_bfd_coff_link_input_bfd): Check offset against
    	length of string table.
    	* compress.c (bfd_get_full_section_contents): Check computed size
    	against the size of the file.
    	* libcoff-in.h (obj_coff_strings_len): Define.
    	(struct coff_tdata): Add strings_len field.
    	* libcoff.h: Regenerate.
    	* peXXigen.c (pe_print_debugdata): Do not attempt to print the
    	data if the debug section is too small.
    	* xcofflink.c (xcoff_link_input_bfd):  Check offset against
    	length of string table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |   32 +++++++++++++++++++++++
 bfd/aoutx.h        |    7 +++++
 bfd/coffcode.h     |   11 +++-----
 bfd/coffgen.c      |   72 +++++++++++++++++++++++++++++++++++++--------------
 bfd/cofflink.c     |    5 +++-
 bfd/compress.c     |    7 +++++
 bfd/libcoff-in.h   |    3 ++
 bfd/libcoff.h      |    3 ++
 bfd/peXXigen.c     |    9 ++++++-
 bfd/xcofflink.c    |    5 +++-
 binutils/ChangeLog |    7 +++++
 binutils/objdump.c |   11 ++++++-
 12 files changed, 140 insertions(+), 32 deletions(-)
Comment 51 Nick Clifton 2014-11-03 17:47:26 UTC
Hi Hanno, Hi Alexander,

  Please try the latest master binutils sources.  They should be able to handle the new test files gracefully.

Cheers
  Nick
Comment 52 Hanno Boeck 2014-11-03 18:30:28 UTC
Nick, have you seen bug #17533 ? (ar archive crasher) That's still unfixed, all others seem fine now.
I'll do a re-run on my large fuzzing samples collection.
Comment 53 Alexander Cherepanov 2014-11-03 20:26:36 UTC
Created attachment 7885 [details]
valgrind output for 140849-0.004.exe

Shows a bunch of errors of the following types:
- Use of uninitialised value of size ...
- Conditional jump or move depends on uninitialised value(s)
Comment 54 Alexander Cherepanov 2014-11-03 21:17:35 UTC
Created attachment 7886 [details]
More crashers for `objdump -x`

list.txt inside the archive lists various errors from valgrind (with distinct backtraces) and an example of a sample which hits each one.
Comment 55 Sourceware Commits 2014-11-04 16:01:50 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  79f2a78e76fae1885163027f843e1bafde984b4c (commit)
      from  e0a31db1b16fe0a010aa46185e4a31a08e7fd97f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=79f2a78e76fae1885163027f843e1bafde984b4c

commit 79f2a78e76fae1885163027f843e1bafde984b4c
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 4 16:00:10 2014 +0000

    Fix problem with linker created sections being mistakenly flagged
    as corrupt by the new error checking code in bfd_get_full_section_contents.
    
    	PR binutils/17512
    	* compress.c (bfd_get_full_section_contents): Improve test for
    	linker created objects.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |    4 ++++
 bfd/compress.c |    3 ++-
 2 files changed, 6 insertions(+), 1 deletions(-)
Comment 56 Nick Clifton 2014-11-04 16:20:28 UTC
(In reply to Alexander Cherepanov from comment #53)
> Created attachment 7885 [details]
> valgrind output for 140849-0.004.exe
> 
> Shows a bunch of error of the following types:
> - Use of uninitialised value of size ...
> - Conditional jump or move depends on uninitialised value(s)

I am not seeing these problems in the valgrind output when I run the command locally.  Are you using any command line options to valgrind ?  (I also note that you are using version 3.10 but I only have version 3.9, so perhaps that is the problem).
Comment 57 Alexander Cherepanov 2014-11-04 17:41:09 UTC
Created attachment 7893 [details]
valgrind output for 140849-0.004.exe with --track-origins=yes

(In reply to Nick Clifton from comment #56)
> (In reply to Alexander Cherepanov from comment #53)
> > Created attachment 7885 [details]
> > valgrind output for 140849-0.004.exe
> > 
> > Shows a bunch of error of the following types:
> > - Use of uninitialised value of size ...
> > - Conditional jump or move depends on uninitialised value(s)
> 
> I am not seeing these problems in the valgrind output when I run the command
> locally.  Are you using any command line options to valgrind ?  (I also note
> that you are using version 3.10 but I only have version 3.9, so perhaps that
> is the problem).

No, I run valgrind without any options. I've now run it with --track-origins=yes, like this:

valgrind --log-file=140849-0.004.exe.2.txt --track-origins=yes binutils-gdb/binutils/objdump -x 140849-0.004.exe

Perhaps this could help.

binutils is built with `./configure && make`.
Comment 58 Sourceware Commits 2014-11-05 10:14:40 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  20ad5e2842911039a60b6bdf9880cee895179e43 (commit)
      from  1ae1b8cc656639e18715829cbcd72916e86f3324 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=20ad5e2842911039a60b6bdf9880cee895179e43

commit 20ad5e2842911039a60b6bdf9880cee895179e43
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Nov 5 10:13:16 2014 +0000

    More fixes for processing corrupt files.
    
    	PR binutils/17512
    	* coffcode.h (coff_set_alignment_hook): Warn if the file lies
    	about the number of relocations it contains.
    	(coff_sort_func_alent): Return 0 if the pointers are NULL.
    	(coff_slurp_line_table): Add more range checks.  Do not free new
    	tables created when sorting line numbers.
    	* peXXigen.c (pe_print_idata): Add range checks.
    	(pe_print_edata): Likewise.
    	(rsrc_print_resource_entries): Likewise.  Avoid printing control
    	characters.  Terminate printing if corruption is detected.
    	(rsrc_print_resource_directory): Terminate printing if an unknown
    	directory type is encountered.
    	(pe_print_debugdata): Fix off-by-one error.
    	(rsrc_count_entries): Add range checking.
    	(rsrc_parse_entry): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |   18 ++++++++
 bfd/coffcode.h |   28 +++++++++++--
 bfd/peXXigen.c |  122 ++++++++++++++++++++++++++++++++++++++++----------------
 3 files changed, 129 insertions(+), 39 deletions(-)
Comment 59 Nick Clifton 2014-11-05 10:17:10 UTC
(In reply to Alexander Cherepanov from comment #54)

> More crashers for `objdump -x`

Ok - I have updated the master branch with patches for all of these problems.  Please try it out and let me know if you find any more issues.

Cheers
  Nick
Comment 60 Nick Clifton 2014-11-05 10:28:04 UTC
Created attachment 7898 [details]
Proposed patch to fix valgrind's complaints about using uninitialised memory

(In reply to comment #57)

Hi Alexander,

  I still cannot reproduce the valgrind problem, but the log you provided does give me a clue.  Please could you try out the uploaded patch (which has *not* been applied to the master branch) and see if it works for you ?

Cheers
  Nick
Comment 61 Alexander Cherepanov 2014-11-05 12:06:29 UTC
Created attachment 7900 [details]
More crashers for `objdump -x`

objdump is definitely getting harder to crash. Keep up the good work!

It still crashes though.
Comment 62 Alexander Cherepanov 2014-11-05 12:07:49 UTC
(In reply to Alexander Cherepanov from comment #61)
> Created attachment 7900 [details]
> More crashers for `objdump -x`
> 
> objdump is definitely getting harder to crash. Keep up the good work!
> 
> It still crashes though.

Files: 10
Errors:
     29 Conditional jump or move depends on uninitialised value(s)
     30 Invalid read of size ...
      2 Process terminating with default action of signal 11 (SIGSEGV)
      4 Use of uninitialised value of size ...
Comment 63 Sourceware Commits 2014-11-05 17:59:30 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  a6f921c87700c2349cf6fa35fbc8ec9d3e3fb88e (commit)
      from  74e1a04b9787c02ba0fa9b93e3dae691bb44ed96 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a6f921c87700c2349cf6fa35fbc8ec9d3e3fb88e

commit a6f921c87700c2349cf6fa35fbc8ec9d3e3fb88e
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Nov 5 17:57:54 2014 +0000

    More fixes for memory problems uncovered by file fuzzers.
    
    	PR binutils/17512
    	* coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT.
    	Replace another abort with an error message.
    	(coff_slurp_line_table): Add more range checking.
    	* peXXigen.c (pe_print_debugdata): Add range checking.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |    8 ++++++++
 bfd/coffcode.h |   21 ++++++++++++++-------
 bfd/peXXigen.c |    6 ++++++
 3 files changed, 28 insertions(+), 7 deletions(-)
Comment 64 Nick Clifton 2014-11-05 18:00:10 UTC
Hi Alexander,

  I have checked another patch in.  Please update your sources and try again.

Cheers
  Nick
Comment 65 Hanno Boeck 2014-11-05 18:46:58 UTC
Hi Nick,

If I use latest head and apply 7989 patch for valgrind warnings the number of uninitialized memory issues valgrind reports is reduced, but they don't disappear. I still get some valgrind warnings on these files:
070-7883-0.004
078-11867-0.004
078-12277-0.004
078-2394-0.004
079-8998-0.004
093-3968-0.004
1315-linux-omagic
205-7526-0.004

I will attach valgrind logs.

cu, Hanno
Comment 66 Hanno Boeck 2014-11-05 18:47:43 UTC
Created attachment 7904 [details]
remaining valgrind warnings
Comment 67 Alexander Cherepanov 2014-11-05 22:02:19 UTC
Created attachment 7905 [details]
More crashers for `objdump -x`

Files: 9
Errors:
     29 Conditional jump or move depends on uninitialised value(s)
      3 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
      4 Use of uninitialised value of size ...
Comment 68 Alexander Cherepanov 2014-11-06 15:48:35 UTC
Created attachment 7910 [details]
More badness for `objdump -x`

Files: 11
Errors:
      1 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
     63 Conditional jump or move depends on uninitialised value(s)
     16 Invalid read of size ...
      2 Invalid write of size ...
      1 Syscall param write(buf) contains uninitialised byte(s)
     17 Use of uninitialised value of size ...
Comment 69 Nick Clifton 2014-11-10 14:23:21 UTC
Hi Hanno, Hi Alexander,

  Right - please update your master branch sources and try again.  In theory all of the test cases that you have posted to this issue should now run without generating any valgrind or address sanitizer problems...

Cheers
  Nick
Comment 70 Alexander Cherepanov 2014-11-10 16:50:45 UTC
FTR: It seems the number of the bug in the commit is mistyped as PR binutils/17521. The commit is here:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=36e9d67b868c85232ab630514260f0d9c9c6b27b
Comment 71 Hanno Boeck 2014-11-10 18:20:45 UTC
I still see some odd things.

Three files cause severe resource usage and long loops:
079-116340-0.004 (part of attachment 7910 [details])
078-13914-0.004 (part of attachment 7886 [details])
1315-linux-omagic (attachment 7880 [details])

Also I think I haven't uploaded this file before, I have one elf sample here that exposes more uninitialized values in valgrind (will upload in a minute, 0_001_1604-hello-debug-cflags ).
Comment 72 Hanno Boeck 2014-11-10 18:21:18 UTC
Created attachment 7918 [details]
elf exposing uninitialized value access with valgrind
Comment 73 Nick Clifton 2014-11-11 09:16:50 UTC
Hi Hanno,

(In reply to Hanno Boeck from comment #71)
> I still see some odd things.
> 
> Three files cause severe resource usage and long loops:
> 079-116340-0.004 (part of attachment 7910 [details])
> 078-13914-0.004 (part of attachment 7886 [details])
> 1315-linux-omagic (attachment 7880 [details])

Yeah - I don't see these as being serious.  An infinite loop would be a problem, but a long loop is, well not brilliant, but OK for now.  At some point in the future I will investigate and fix them, but right now I am concentrating on possible security flaws.

> Also I think I haven't uploaded this file before, I have one elf sample here
> that exposes more uninitialized values in valgrind (will upload in a minute,
> 0_001_1604-hello-debug-cflags ).

I tried that file, but I could not find a fault.  Either with valgrind or address sanitizer.  I have recently updated the readelf sources though, so maybe that fixes the problem that you encountered.

Cheers
  Nick
Comment 74 Alexander Cherepanov 2014-11-11 09:34:12 UTC
Created attachment 7919 [details]
More badness for `objdump -x`

Files: 18
Errors:
     10 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
     33 Conditional jump or move depends on uninitialised value(s)
      5 Invalid read of size ...
      4 Invalid write of size ...
      6 Process terminating with default action of signal 11 (SIGSEGV)
      2 Use of uninitialised value of size ...
Comment 75 Hanno Boeck 2014-11-11 10:27:38 UTC
(In reply to Nick Clifton from comment #73)
> I tried that file, but I could not find a fault.  Either with valgrind or
> address sanitizer.  I have recently updated the readelf sources though, so
> maybe that fixes the problem that you encountered.

That's odd... This is what valgrind tells me (just re-did with latest git updates, compiled with CFLAGS="-g"):

==30798== Conditional jump or move depends on uninitialised value(s)
==30798==    at 0x492661: _bfd_elf_print_private_bfd_data (elf.c:1408)
==30798==    by 0x4082E6: dump_bfd_private_header (objdump.c:2648)
==30798==    by 0x409781: dump_bfd (objdump.c:3223)
==30798==    by 0x409B36: display_object_bfd (objdump.c:3322)
==30798==    by 0x409D58: display_any_bfd (objdump.c:3396)
==30798==    by 0x409DC9: display_file (objdump.c:3417)
==30798==    by 0x40A643: main (objdump.c:3699)
==30798== 
  required from <corrupt>:
==30798== Conditional jump or move depends on uninitialised value(s)
==30798==    at 0x492730: _bfd_elf_print_private_bfd_data (elf.c:1410)
==30798==    by 0x4082E6: dump_bfd_private_header (objdump.c:2648)
==30798==    by 0x409781: dump_bfd (objdump.c:3223)
==30798==    by 0x409B36: display_object_bfd (objdump.c:3322)
==30798==    by 0x409D58: display_any_bfd (objdump.c:3396)
==30798==    by 0x409DC9: display_file (objdump.c:3417)
==30798==    by 0x40A643: main (objdump.c:3699)
==30798== 
==30798== Conditional jump or move depends on uninitialised value(s)
==30798==    at 0x49274C: _bfd_elf_print_private_bfd_data (elf.c:1404)
==30798==    by 0x4082E6: dump_bfd_private_header (objdump.c:2648)
==30798==    by 0x409781: dump_bfd (objdump.c:3223)
==30798==    by 0x409B36: display_object_bfd (objdump.c:3322)
==30798==    by 0x409D58: display_any_bfd (objdump.c:3396)
==30798==    by 0x409DC9: display_file (objdump.c:3417)
==30798==    by 0x40A643: main (objdump.c:3699)
==30798==
Comment 76 Sourceware Commits 2014-11-11 11:45:25 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  fcfa62408aec326a54765a6fd8895349fb41eb7c (commit)
      from  4de1599bcf044a5396ec588f90b8f475be657d4f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fcfa62408aec326a54765a6fd8895349fb41eb7c

commit fcfa62408aec326a54765a6fd8895349fb41eb7c
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Nov 11 21:36:37 2014 +1030

    Avoid coff OOM
    
    bfd_zalloc/bfd_zmalloc to fix uninitialized memory reads is too big a
    hammer, when the size allocated depends on user input.  A typical
    bfd_alloc, bfd_seek, bfd_bread sequence will give an error or warning
    at the point the file read fails when some enormous item as described
    by headers is not actually present in the file.  Nice operating systems
    allow memory overcommit.  But not if you write to the memory.  So
    bfd_zalloc can cause an OOM, thrashing, or system hangs.
    
    The patch also fixes a recently introduced endless loop on bad input.
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Don't bfd_zalloc, just
    	memset the particular bits we need.  Update src after hitting loop
    	"continue".  Don't count lineno omitted due to invalid symbols in
    	nbr_func, and update lineno_count.  Init entire terminating
    	lineno.  Don't bother allocating terminator in n_lineno_cache.
    	Redirect sym->lineno pointer to where n_lineno_cache will be
    	copied, and free n_lineno_cache.
    	* pe-mips.c (NUM_HOWTOS): Typo fix.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |   12 +++++++++++
 bfd/coffcode.h |   61 ++++++++++++++++++++++++++++---------------------------
 bfd/pe-mips.c  |    2 +-
 3 files changed, 44 insertions(+), 31 deletions(-)
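Added illustration, not code from binutils or from either commit above: the defensive pattern that comment 41's commit ("do not try to load a symbol table bigger than the file") and Alan Modra's message here both describe, on a constructed toy header format. The header layout, function names and sample byte images are assumptions made up for the example; the two rules it demonstrates are that a header-declared offset and length are checked against the real file size before any allocation, and that the buffer is plain malloc'ed so a bogus size fails at the read rather than committing pages.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy container (not a real BFD format): an 8-byte header with the
   little-endian 32-bit file offset and byte length of one table. */
#define HDR_SIZE 8u

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Size of the whole stream, or -1 on error (stands in for a file-size query). */
static long stream_size(FILE *f)
{
    long cur = ftell(f);
    if (cur < 0 || fseek(f, 0, SEEK_END) != 0) return -1;
    long end = ftell(f);
    if (fseek(f, cur, SEEK_SET) != 0) return -1;
    return end;
}

/* Load the table named by the header, using the alloc / seek / read sequence
   the commit message describes, with two defensive rules:
   1. offset+length from the header must lie inside the file before anything
      is allocated, so a corrupt length can never drive a huge allocation;
   2. the buffer is malloc'ed, not zero-filled: no page is written until the
      read succeeds, so a wrong size fails at the read instead of committing
      memory.  Returns NULL on any failure. */
unsigned char *load_table(FILE *f, size_t *out_len)
{
    unsigned char hdr[HDR_SIZE];
    long sz = stream_size(f);
    if (sz < 0 || (unsigned long)sz < HDR_SIZE) return NULL;
    uint64_t file_size = (uint64_t)sz;

    if (fseek(f, 0, SEEK_SET) != 0 || fread(hdr, 1, HDR_SIZE, f) != HDR_SIZE)
        return NULL;
    uint32_t off = rd32le(hdr), len = rd32le(hdr + 4);

    /* Range check written so that off + len cannot overflow. */
    if (len == 0 || len > file_size || off > file_size - len)
        return NULL;

    unsigned char *buf = malloc(len);
    if (!buf) return NULL;
    if (fseek(f, (long)off, SEEK_SET) != 0 || fread(buf, 1, len, f) != len) {
        free(buf);
        return NULL;
    }
    *out_len = len;
    return buf;
}

/* Demo helper: put a constructed byte image into a temporary file. */
unsigned char *load_table_from_image(const unsigned char *img, size_t n, size_t *out_len)
{
    FILE *f = tmpfile();
    if (!f) return NULL;
    unsigned char *r = NULL;
    if (fwrite(img, 1, n, f) == n && fseek(f, 0, SEEK_SET) == 0)
        r = load_table(f, out_len);
    fclose(f);
    return r;
}

/* Constructed samples: a valid image, one claiming a 2 GiB table, and one
   whose offset+length wraps past 32 bits. */
static const unsigned char good_img[] = { 8,0,0,0, 4,0,0,0, 'a','b','c','d' };
static const unsigned char huge_img[] = { 8,0,0,0, 0xff,0xff,0xff,0x7f, 'a','b','c','d' };
static const unsigned char wrap_img[] = { 0xfc,0xff,0xff,0xff, 8,0,0,0, 'a','b','c','d' };

/* Returns 1 when the valid image yields its 4-byte table. */
int demo_good_loads(void)
{
    size_t n = 0;
    unsigned char *t = load_table_from_image(good_img, sizeof good_img, &n);
    int ok = t != NULL && n == 4 && memcmp(t, "abcd", 4) == 0;
    free(t);
    return ok;
}

/* Returns 1 when every corrupt image (oversized, wrapped, truncated header)
   is rejected before any table allocation. */
int demo_corrupt_rejected(void)
{
    size_t n = 0;
    return load_table_from_image(huge_img, sizeof huge_img, &n) == NULL &&
           load_table_from_image(wrap_img, sizeof wrap_img, &n) == NULL &&
           load_table_from_image(good_img, 5, &n) == NULL;
}

int main(void)
{
    printf("valid image: %s\n", demo_good_loads() ? "loaded" : "rejected");
    printf("corrupt images: %s\n", demo_corrupt_rejected() ? "rejected" : "ACCEPTED");
    return 0;
}
```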
Comment 77 Sourceware Commits 2014-11-11 12:16:29 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  0ac2337434968896a6393fdd8c0624bd2945bbea (commit)
      from  fcfa62408aec326a54765a6fd8895349fb41eb7c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0ac2337434968896a6393fdd8c0624bd2945bbea

commit 0ac2337434968896a6393fdd8c0624bd2945bbea
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Nov 11 22:42:03 2014 +1030

    coff coff
    
    I missed this use of the loop induction variable outside the loop.
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Use updated lineno_count
    	when building func_table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |    7 +++++++
 bfd/coffcode.h |    2 +-
 2 files changed, 8 insertions(+), 1 deletions(-)
Comment 78 Sourceware Commits 2014-11-11 15:36:32 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  201159ecec7e17600df4153e5d4e7a145f0c7cfe (commit)
      from  015de6884f6fdebaffd4b7d4c7f14fb4d5fc0bb1 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=201159ecec7e17600df4153e5d4e7a145f0c7cfe

commit 201159ecec7e17600df4153e5d4e7a145f0c7cfe
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 11 15:34:27 2014 +0000

    More fixes for invalid memory accesses, uncovered by valgrind and binary fuzzers.
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Initialise the parts of the
    	line number cache that would not be initialised by the copy from
    	the new line number table.
    	(coff_classify_symbol): Allow for _bfd_coff_internal_syment_name
    	returning NULL.
    	* coffgen.c (coff_get_normalized_symbols): Get the external
    	symbols before allocating space for the internal symbols, in case
    	the get fails.
    	* elf.c (_bfd_elf_slurp_version_tables): Only allocate a verref
    	array if one is needed.  Likewise with the verdef array.
    	* peXXigen.c (_bfd_XXi_swap_sym_in): Replace abort()'s with error
    	messages.
    	(_bfd_XXi_swap_aux_in): Make sure that all fields of the aux
    	structure are initialised.
    	(pe_print_edata): Avoid reading off the end of the data buffer.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog  |   19 +++++++++++++++++++
 bfd/coffcode.h |   31 +++++++++++++++++++------------
 bfd/coffgen.c  |    6 +++---
 bfd/elf.c      |   22 +++++++++++++---------
 bfd/peXXigen.c |   31 ++++++++++++++++++++++++-------
 5 files changed, 78 insertions(+), 31 deletions(-)
Comment 79 Nick Clifton 2014-11-11 15:38:24 UTC
Hi Alexander,

  Please try again :-)

Cheers
  Nick
Comment 80 Alexander Cherepanov 2014-11-11 20:57:43 UTC
Created attachment 7924 [details]
Crashers for `objdump -afphxgGWtTrRw --special-syms`

Files: 26
Errors:
      6 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
     26 Conditional jump or move depends on uninitialised value(s)
     29 Invalid read of size ...
      3 Invalid write of size ...
      7 Process terminating with default action of signal 11 (SIGSEGV)
Comment 81 Alexander Cherepanov 2014-11-11 21:00:05 UTC
Created attachment 7925 [details]
Aborts in `objdump -afphxgGWtTrRw --special-syms`

3 cases of abort() in `objdump -afphxgGWtTrRw --special-syms`
Comment 82 Sourceware Commits 2014-11-12 22:41:37 UTC
The branch, master has been updated
       via  f41e4712a7b7ac60f181e7dfc984ca35c222f0d7 (commit)
      from  40e91bc71f7993f2064cec4ffd007f2c814a1b29 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f41e4712a7b7ac60f181e7dfc984ca35c222f0d7

commit f41e4712a7b7ac60f181e7dfc984ca35c222f0d7
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Nov 12 22:39:58 2014 +0000

    Fix more memory faults uncovered by fuzzing various executables.
    
    	PR binutils/17512
    	* dwarf.c (read_and_display_attr_value): Check that we do not read
    	past end.
    	(display_debug_pubnames_worker): Add range checks.
    	(process_debug_info): Check for invalid pointer sizes.
    	(display_loc_list): Likewise.
    	(display_loc_list_dwo): Likewise.
    	(display_debug_ranges): Likewise.
    	(display_debug_aranges): Check for invalid address size.
    	(read_cie): Add range checks.  Replace call to strchr with a while loop.
    	* objdump.c (dump_dwarf): Replace abort with a warning message.
    	(print_section_stabs): Improve range checks.
    	* rdcoff.c (coff_get_slot): Use long for indx parameter type.
    	Add check for an excessively large index.
    	* rddbg.c (read_section_stabs_debugging_info): Zero terminate the
    	string table.  Avoid walking off the end of the stabs data.
    	* stabs.c (parse_stab_string): Add check for a NULL name.
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Set the line number of
    	corrupt entries to -1.
    	(coff_slurp_symbol_table): Always initialise the value of the
    	symbol.
    	* coffgen.c (coff_print_symbol): Check that the combined pointer
    	is valid.
    	(coff_print_symbol): Do not print negative line numbers.
    	* peXXigen.c (pe_print_idata): Add range checking when displaying
    	member names.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |   13 +++++
 bfd/coffcode.h     |   14 ++++-
 bfd/coffgen.c      |   15 +++++-
 bfd/peXXigen.c     |   25 ++++++---
 binutils/ChangeLog |   20 +++++++
 binutils/dwarf.c   |  144 +++++++++++++++++++++++++++++++++++++++-------------
 binutils/objdump.c |   16 ++++--
 binutils/rdcoff.c  |    9 +++-
 binutils/rddbg.c   |   40 +++++++++-----
 binutils/stabs.c   |   30 +++++++----
 10 files changed, 244 insertions(+), 82 deletions(-)
Comment 83 Nick Clifton 2014-11-12 22:42:45 UTC
Hi Alexander,

  Once more into the breach, dear friends...

Cheers
  Nick
Comment 84 Alexander Cherepanov 2014-11-13 11:21:23 UTC
Created attachment 7928 [details]
More badness for `objdump -afphxgGWtTrRw --special-syms`

Files: 18
Errors:
      5 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
     33 Conditional jump or move depends on uninitialised value(s)
      1 Invalid read of size ...
      3 Invalid write of size ...
      4 Process terminating with default action of signal 11 (SIGSEGV)
      1 Use of uninitialised value of size ...
Comment 85 Sourceware Commits 2014-11-13 17:48:10 UTC
The branch, master has been updated
       via  a5c71af8d3c7c535f27614947f72883233658706 (commit)
      from  09bc6c722493047fb50e8a7e70e028023eff8f32 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a5c71af8d3c7c535f27614947f72883233658706

commit a5c71af8d3c7c535f27614947f72883233658706
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Nov 13 17:46:11 2014 +0000

    More fixes for memory access violations whilst scanning corrupt binaries.
    
    	PR binutils/17512
    	* config/obj-coff.c (coff_obj_symbol_new_hook): Set the is_sym
    	field.
    
    	* coffcode.h (coff_ptr_struct): Add is_sym field.
    	(coff_new_section_hook): Set the is_sym field.
    	(coff_pointerize_aux_hook): Check the is_sym field.
    	(coff_print_aux): Likewise.
    	(coff_compute_section_file_positions): Likewise.
    	(coff_write_object_contents): Likewise.
    	(coff_slurp_line_table): Likewise.
    	(coff_slurp_symbol_table): Likewise.
    	(CALC_ADDEND): Likewise.
    	* coffgen.c (coff_renumber_symbols): Likewise.
    	(coff_mangle_symbols): Likewise.
    	(coff_fix_symbol_name): Likewise.
    	(coff_write_symbol): Likewise.
    	(coff_write_alien_symbol): Likewise.
    	(coff_write_native_symbol): Likewise.
    	(coff_write_symbols): Likewise.
    	(coff_write_linenumbers): Likewise.
    	(coff_pointerize_aux): Likewise.
    	(coff_get_normalized_symtab): Likewise.
    	(coff_get_symbol_info): Likewise.
    	(bfd_coff_get_syment): Likewise.
    	(bfd_coff_get_auxent): Likewise.
    	(coff_print_symbol): Likewise.
    	(coff_find_nearest_line_with_names): Likewise.
    	(bfd_coff_set_symbol_class): Likewise.
    	(coff_make_empty_symbol): Set the is_sym field.
    	(coff_bfd_make_debug_symbol): Likewise.
    	* peicode.h (pe_ILF_make_a_symbol): Likewise.
    	* libcoff.h: Regenerate.
    	* libcoff-in.h: Regenerate.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog         |   34 ++++++++++++++++++++++
 bfd/archive.c         |    1 +
 bfd/coffcode.h        |   42 +++++++++++++++++++++------
 bfd/coffgen.c         |   74 ++++++++++++++++++++++++++++++++++++++----------
 bfd/libcoff.h         |   13 +++++---
 bfd/peicode.h         |    1 +
 gas/ChangeLog         |    6 ++++
 gas/config/obj-coff.c |    1 +
 8 files changed, 141 insertions(+), 31 deletions(-)
Comment 86 Nick Clifton 2014-11-13 17:48:54 UTC
Hi Alexander,

  That one was tricky, but it should be resolved now,

Cheers
  Nick
Comment 87 Alexander Cherepanov 2014-11-13 19:17:20 UTC
Created attachment 7930 [details]
Badness for `objdump -afphxgGtTrRwW --special-syms`

Messed with options in the previous run; readelf now seems to really process debugging info.

Files: 10
Errors:
      5 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
      5 Invalid read of size ...
      2 Invalid write of size ...
      3 Process terminating with default action of signal 11 (SIGSEGV)
Comment 88 Alexander Cherepanov 2014-11-14 11:06:54 UTC
Created attachment 7934 [details]
A bit more badness for `objdump -afphxgGtTrRwW --special-syms`

Files: 3
Errors:
      1 Invalid read of size ...
      1 Invalid write of size ...
      2 Process terminating with default action of signal 11 (SIGSEGV)
      1 Use of uninitialised value of size ...
Comment 89 Sourceware Commits 2014-11-14 12:31:36 UTC
The branch, master has been updated
       via  041830e03cca866f12be18198898139e558ad31e (commit)
      from  646da0594c91719ef591d8736865a1d58fbbfc34 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=041830e03cca866f12be18198898139e558ad31e

commit 041830e03cca866f12be18198898139e558ad31e
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 14 12:30:00 2014 +0000

    More fixes for invalid memory accesses triggered by corrupt binaries.
    
    	PR binutils/17512
    	* dwarf.c (get_encoded_value): Add an 'end' parameter.  Change the
    	'data' parameter to a double pointer and return the updated value.
    	(decode_location_expression): Update call to get_encoded_value.
    	(frame_need_space): Handle the case where one or both of the
    	mallocs fails.
    	(read_cie): Initialise the cie pointer, even if the read fails.
    	(display_debug_frames): Warn if the calculated block_end is before
    	the start of the block.  Break the loop if the CIE could not be
    	read.  Update call to get_encoded_value.  Warn if the read CFA
    	expressions are too big.
    
    	* ieee.c (ieee_archive_p): Skip processing if no bytes are read at
    	all.
    	(ieee_object_p): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |    7 +++++
 bfd/ieee.c         |    6 +++-
 binutils/ChangeLog |   14 +++++++++++
 binutils/dwarf.c   |   65 +++++++++++++++++++++++++++++++++++++++------------
 4 files changed, 74 insertions(+), 18 deletions(-)
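The get_encoded_value change in the commit above (an explicit 'end' parameter, the cursor passed as a double pointer and returned updated) is the general shape of a fuzz-resistant reader. The block below is an added example written for this page, not binutils' code: a bounded DW_EH_PE value decoder run over constructed sample buffers. The DW_EH_PE_* values are the standard encoding constants; get_encoded_value, decode_bytes and the sample_* arrays are this example's own names and assumptions.

```c
/* Added example for this page, not binutils' own code: a bounded DW_EH_PE
   value reader in the style of the get_encoded_value fix (explicit END,
   cursor passed by double pointer and advanced only on success).  */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Standard DW_EH_PE constants: low nibble is the format, bit 3 = signed.  */
#define DW_EH_PE_absptr  0x00
#define DW_EH_PE_uleb128 0x01
#define DW_EH_PE_udata2  0x02
#define DW_EH_PE_udata4  0x03
#define DW_EH_PE_udata8  0x04
#define DW_EH_PE_signed  0x08
#define DW_EH_PE_sleb128 0x09
#define DW_EH_PE_sdata2  0x0a
#define DW_EH_PE_sdata4  0x0b
#define DW_EH_PE_sdata8  0x0c

/* Decode one value at *DATA.  On success store it in *VAL, advance *DATA
   past it and return true.  On a truncated buffer, an unknown encoding or
   an invalid pointer size return false and leave *DATA untouched, so the
   caller can report corruption instead of reading past END.  */
bool
get_encoded_value (const unsigned char **data, const unsigned char *end,
                   int encoding, unsigned int pointer_size, uint64_t *val)
{
  const unsigned char *p = *data;
  uint64_t v = 0;
  size_t size = 0;

  if (p == NULL || end == NULL || p > end)
    return false;

  switch (encoding & 0x0f)
    {
    case DW_EH_PE_absptr: size = pointer_size; break;
    case DW_EH_PE_udata2: case DW_EH_PE_sdata2: size = 2; break;
    case DW_EH_PE_udata4: case DW_EH_PE_sdata4: size = 4; break;
    case DW_EH_PE_udata8: case DW_EH_PE_sdata8: size = 8; break;
    case DW_EH_PE_uleb128:
    case DW_EH_PE_sleb128:
      {
        /* Variable length: check before every byte, and cap the shift so a
           run of continuation bytes cannot loop or shift out of range.  */
        unsigned int shift = 0;
        unsigned char byte;
        do
          {
            if (p >= end || shift >= 64)
              return false;
            byte = *p++;
            v |= (uint64_t) (byte & 0x7f) << shift;
            shift += 7;
          }
        while (byte & 0x80);
        if ((encoding & DW_EH_PE_signed) && shift < 64 && (byte & 0x40))
          v |= ~(uint64_t) 0 << shift;              /* sign-extend */
        *val = v;
        *data = p;
        return true;
      }
    default:
      return false;      /* unknown or omitted encoding: refuse, don't guess */
    }

  /* Fixed width: reject bad pointer sizes and anything that would extend
     past END (end - p is non-negative because p <= end was checked).  */
  if (size == 0 || size > 8 || (size_t) (end - p) < size)
    return false;

  for (size_t i = 0; i < size; i++)                  /* little-endian read */
    v |= (uint64_t) p[i] << (8 * i);
  if ((encoding & DW_EH_PE_signed) && size < 8
      && (v & ((uint64_t) 1 << (size * 8 - 1))))
    v |= ~(uint64_t) 0 << (size * 8);                /* sign-extend sdataN */
  *val = v;
  *data = p + size;
  return true;
}

/* Test helper: decode from BUF[0..LEN), return bytes consumed (0 = rejected).  */
size_t
decode_bytes (const unsigned char *buf, size_t len, int encoding,
              unsigned int pointer_size, uint64_t *val)
{
  const unsigned char *p = buf;
  if (!get_encoded_value (&p, buf + len, encoding, pointer_size, val))
    return 0;
  return (size_t) (p - buf);
}

/* Constructed sample inputs, not taken from any real binary.  */
uint64_t decoded;                                   /* scratch result cell */
const unsigned char sample_udata4[]   = { 0x78, 0x56, 0x34, 0x12 };
const unsigned char sample_short4[]   = { 0x78, 0x56, 0x34 };   /* one byte short */
const unsigned char sample_sdata2[]   = { 0xff, 0xff };         /* -1 */
const unsigned char sample_uleb[]     = { 0xe5, 0x8e, 0x26 };   /* 624485 */
const unsigned char sample_uleb_cut[] = { 0xe5, 0x8e };         /* continuation, no data */
const unsigned char sample_sleb[]     = { 0x7f };               /* -1 */
```

The truncated samples are the ones a fuzzer finds: each is rejected with the cursor left where it was, which is exactly what the valgrind "Invalid read" reports on this bug were missing.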
Comment 90 Nick Clifton 2014-11-14 12:34:40 UTC
Hi Alexander,

  Several improvements to the dwarf reader later and the latest round of test cases should be fixed.

Cheers
  Nick
Comment 91 Hanno Boeck 2014-11-14 22:06:40 UTC
Created attachment 7937 [details]
4 samples crashing nm and objdump -x

I join in again. 4 crash samples, this time created with american fuzzy lop.
Comment 92 Alexander Cherepanov 2014-11-16 21:01:06 UTC
Created attachment 7940 [details]
Fresh crashers for `objdump -afphxgGtTrRwW --special-syms`

Added several samples to the fuzzing...

Files: 26
Errors:
      4 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
     56 Invalid read of size ...
      7 Invalid write of size ...
     13 Process terminating with default action of signal 11 (SIGSEGV)
Comment 93 Alexander Cherepanov 2014-11-16 21:02:40 UTC
Created attachment 7941 [details]
And some aborts for `objdump -afphxgGtTrRwW --special-syms`

Files: 17
Errors:
     17 No assertion info in gdb backtrace.
Comment 94 Alexander Cherepanov 2014-11-16 21:12:55 UTC
(In reply to Alexander Cherepanov from comment #93)
> Created attachment 7941 [details]
> And some aborts for `objdump -afphxgGtTrRwW --special-syms`
> 
> Files: 17
> Errors:
>      17 No assertion info in gdb backtrace.

Sorry, crashes with SIGSEGV were also included among abort()s.
Comment 95 Sourceware Commits 2014-11-17 17:06:14 UTC
The branch, binutils-2_25-branch has been updated
       via  8f66a6af276d17c0e386cd2409873f2e3e0b8a37 (commit)
       via  32a9d621c3c480aa093a089a36e36c35f68a4010 (commit)
      from  ff67f476b9907b9fddfbafff52caa4cce6a6f58c (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8f66a6af276d17c0e386cd2409873f2e3e0b8a37

commit 8f66a6af276d17c0e386cd2409873f2e3e0b8a37
Merge: 32a9d62 ff67f47
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 17 17:04:16 2014 +0000

    Merge branch 'binutils-2_25-branch' of ssh://sourceware.org/git/binutils-gdb into binutils-2_25-branch
    
    Conflicts:
    	gas/ChangeLog

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=32a9d621c3c480aa093a089a36e36c35f68a4010

commit 32a9d621c3c480aa093a089a36e36c35f68a4010
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 17 16:59:09 2014 +0000

    Applies a series of patches for PR 17512 and 17533 which fix invalid memory accesses.
    
    	2014-11-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* config/obj-coff.c (coff_obj_symbol_new_hook): Set the is_sym
    	field.
    
    	2014-11-14  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (get_encoded_value): Add an 'end' parameter.  Change the
    	'data' parameter to a double pointer and return the updated value.
    	(decode_location_expression): Update call to get_encoded_value.
    	(frame_need_space): Handle the case where one or both of the
    	mallocs fails.
    	(read_cie): Initialise the cie pointer, even if the read fails.
    	(display_debug_frames): Warn if the calculated block_end is before
    	the start of the block.  Break the loop if the CIE could not be
    	read.  Update call to get_encoded_value.  Warn if the read CFA
    	expressions are too big.
    
    	2014-11-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (process_version_sections): If the read of the version
    	def information fails, make sure that the external verdef data is
    	not used.
    	(get_dynamic_data): Do not attempt to allocate memory for more
    	dynamic data than there is in the file.  If the read fails, free
    	the allocated buffer.
    	(process_symbol_table): Do not print dynamic information if we
    	were unable to read the dynamic symbol table.
    	(print_gnu_note): Do not print the note if the descsz is too
    	small.
    
    	2014-11-12  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (read_and_display_attr_value): Check that we do not read
    	past end.
    	(display_debug_pubnames_worker): Add range checks.
    	(process_debug_info): Check for invalid pointer sizes.
    	(display_loc_list): Likewise.
    	(display_loc_list_dwo): Likewise.
    	(display_debug_ranges): Likewise.
    	(display_debug_aranges): Check for invalid address size.
    	(read_cie): Add range checks.  Replace call to strchr with a while loop.
    	* objdump.c (dump_dwarf): Replace abort with a warning message.
    	(print_section_stabs): Improve range checks.
    	* rdcoff.c (coff_get_slot): Use long for indx parameter type.
    	Add check for an excessively large index.
    	* rddbg.c (read_section_stabs_debugging_info): Zero terminate the
    	string table.  Avoid walking off the end of the stabs data.
    	* stabs.c (parse_stab_string): Add check for a NULL name.
    
    	2014-11-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* binutils/readelf.c (dynamic_nent): Change type to size_t.
    	(slurp_rela_relocs): Use size_t type for nrelas.
    	(slurp_rel_relocs): Likewise.
    	(get_program_headers): Improve out of memory error message.
    	(get_32bit_section_headers): Likewise.
    	(get_32bit_section_headers): Likewise.
    	(get_64bit_section_headers): Likewise.
    	(get_32bit_elf_symbols): Likewise.
    	(get_64bit_elf_symbols): Likewise.
    	(process_section_groups): Likewise.
    	(get_32bit_dynamic_section): Likewise.
    	(get_64bit_dynamic_section): Likewise.
    	(process_dynamic_section): Likewise.
    	(process_version_sections): Likewise.
    	(get_symbol_index_type): Likewise.
    	(process_mips_specific): Likewise.
    	(process_corefile_note_segment): Likewise.
    	(process_version_sections): Use size_t type for total.
    	(get_dynamic_data): Change type of number parameter to size_t.
    	Improve out of memory error messages.
    	(process_symbol_table): Change type of nbuckets and nchains to
    	size_t.  Skip processing of sections headers if there are none.
    	Improve out of memory error messages.
    
    	2014-11-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (display_arm_attribute): Avoid reading off the end of
    	the buffer when processing a Tag_nodefaults.
    
    	2014-11-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (ia64_process_unwind): Replace assertion with an error
    	message.  Add range checking for group section indices.
    	(hppa_process_unwind): Replace assertion with an error message.
    	(process_syminfo): Likewise.
    	(decode_arm_unwind_bytecode): Add range checking.
    	(dump_section_as_strings): Add more string range checking.
    	(display_tag_value): Likewise.
    	(display_arm_attribute): Likewise.
    	(display_gnu_attribute): Likewise.
    	(display_tic6x_attribute): Likewise.
    	(display_msp430x_attribute): Likewise.
    
    	2014-11-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17552
    	* objcopy.c (copy_archive): Clean up temporary files even if an
    	error occurs.
    
    	2014-11-07  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_data): Avoid allocating memory when we know that
    	the read will fail.
    	(find_section_by_type): New function.
    	(get_unwind_section_word): Check for invalid symbol indices.
    	Check for invalid reloc types.
    	(get_32bit_dynamic_section): Add range checks.
    	(get_64bit_dynamic_section): Add range checks.
    	(process_dynamic_section): Check for a corrupt time value.
    	(process_symbol_table): Add range checks.
    	(dump_section_as_strings): Add string length range checks.
    	(display_tag_value): Likewise.
    	(display_arm_attribute): Likewise.
    	(display_gnu_attribute): Likewise.
    	(display_tic6x_attribute): Likewise.
    	(display_msp430x_attribute): Likewise.
    	(process_mips_specific): Add range check.
    
    	2014-11-06  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17552, binutils/17533
    	* bucomm.c (is_valid_archive_path): New function.  Returns false
    	for absolute pathnames and pathnames that include /../.
    	* bucomm.h (is_valid_archive_path): Add prototype.
    	* ar.c (extract_file): Use new function to check for valid
    	pathnames when extracting files from an archive.
    	* objcopy.c (copy_archive): Likewise.
    	* doc/binutils.texi: Update documentation to mention the
    	limitation on pathname of archive members.
    
    	2014-11-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (printable_section_name): New function.
    	(printable_section_name_from_index): New function.
    	(dump_relocations): Use new function.
    	(process_program_headers, get_32bit_elf_symbols,
    	get_64bit_elf_symbols, process_section_headers,
    	process_section_groups, process_relocs, ia64_process_unwind,
    	hppa_process_unwind, get_unwind_section_word, decode_arm_unwind,
    	arm_process_unwind, process_version_sections,
    	process_symbol_table, apply_relocations, get_section_contents,
    	dump_section_as_strings, dump_section_as_bytes,
    	display_debug_section, process_attributes, process_mips_specific,
    	process_gnu_liblist): Likewise.
    	(get_unwind_section_word): Check for a missing symbol table.
    	Replace aborts with error messages.
    	(arm_process_unwind): Check for a missing string table.
    	(process_attributes): Check for an attribute length that is too
    	small.
    	(process_mips_specific): Check for a corrupt GOT symbol offset.
    
    	2014-11-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17533
    	* bucomm.c (is_valid_archive_path): New function.
    	* bucomm.h (is_valid_archive_path): Prototype it.
    	* ar.c (extract_file): Call is_valid_archive_path to verify a
    	member filename before extracting it.
    	* objcopy.c (copy_archive): Likewise.
    
    	2014-11-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_data): If the reason parameter is null, do not
    	print any error messages.
    	(get_32bit_section_headers): Verify section header entry size
    	before reading in the section headers.
    	(get_64bit_section_headers): Likewise.
    	(process_section_headers): Pass FALSE to get_section_headers.
    	(get_file_header): Pass TRUE to get_section_headers.
    	(process_dynamic_section): Change an assert to an error message.
    	(process_symbol_table): Handle corrupt histograms.
    	(get_32bit_program_headers): Verify program header entry size
    	before reading in the program headers.
    	(get_64bit_program_headers): Likewise.
    	(get_unwind_section_word): Do nothing if no section was provided.
    	Fail if the offset is outside of the section.
    	(print_dynamic_symbol): Catch out of range symbol indices.
    	(process_mips_specific): Likewise.
    	(process_attributes): Make sure that there is enough space left in
    	the section before attempting to read the length of the next
    	attribute.
    
    	2014-11-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* objdump.c (slurp_symtab): Fail gracefully if the table could not
    	be read.
    	(dump_relocs_in_section): Likewise.
    
    	2014-11-14  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17597
    	* opncls.c (bfd_get_debug_link_info): Avoid reading off the end of
    	the section.
    	(bfd_get_alt_debug_link_info): Likewise.
    
    	2014-11-14  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* ieee.c (ieee_archive_p): Skip processing if no bytes are read at
    	all.
    	(ieee_object_p): Likewise.
    
    	2014-11-13  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* coffcode.h (coff_slurp_line_table): Add cast to unsigned int.
    
    	2014-11-13  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* coffcode.h (coff_pointerize_aux_hook): Fix a typo.
    
    	2014-11-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_ptr_struct): Add is_sym field.
    	(coff_new_section_hook): Set the is_sym field.
    	(coff_pointerize_aux_hook): Check the is_sym field.
    	(coff_print_aux): Likewise.
    	(coff_compute_section_file_positions): Likewise.
    	(coff_write_object_contents): Likewise.
    	(coff_slurp_line_table): Likewise.
    	(coff_slurp_symbol_table): Likewise.
    	(CALC_ADDEND): Likewise.
    	* coffgen.c (coff_renumber_symbols): Likewise.
    	(coff_mangle_symbols): Likewise.
    	(coff_fix_symbol_name): Likewise.
    	(coff_write_symbol): Likewise.
    	(coff_write_alien_symbol): Likewise.
    	(coff_write_native_symbol): Likewise.
    	(coff_write_symbols): Likewise.
    	(coff_write_linenumbers): Likewise.
    	(coff_pointerize_aux): Likewise.
    	(coff_get_normalized_symtab): Likewise.
    	(coff_get_symbol_info): Likewise.
    	(bfd_coff_get_syment): Likewise.
    	(bfd_coff_get_auxent): Likewise.
    	(coff_print_symbol): Likewise.
    	(coff_find_nearest_line_with_names): Likewise.
    	(bfd_coff_set_symbol_class): Likewise.
    	(coff_make_empty_symbol): Set the is_sym field.
    	(coff_bfd_make_debug_symbol): Likewise.
    	* peicode.h (pe_ILF_make_a_symbol): Likewise.
    	* libcoff.h: Regenerate.
    	* libcoff-in.h: Regenerate.
    
    	2014-11-12  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Set the line number of
    	corrupt entries to -1.
    	(coff_slurp_symbol_table): Always initialise the value of the
    	symbol.
    	* coffgen.c (coff_print_symbol): Check that the combined pointer
    	is valid.
    	(coff_print_symbol): Do not print negative line numbers.
    	* peXXigen.c (pe_print_idata): Add range checking when displaying
    	member names.
    
    	2014-11-12  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Drop line number info
    	not preceded by a valid function entry.  Revert last change.
    
    	2014-11-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Initialise the parts of the
    	line number cache that would not be initialised by the copy from
    	the new line number table.
    	(coff_classify_symbol): Allow for _bfd_coff_internal_syment_name
    	returning NULL.
    	* coffgen.c (coff_get_normalized_symbols): Get the external
    	symbols before allocating space for the internal symbols, in case
    	the get fails.
    	* elf.c (_bfd_elf_slurp_version_tables): Only allocate a verref
    	array if one is needed.  Likewise with the verdef array.
    	* peXXigen.c (_bfd_XXi_swap_sym_in): Replace abort()'s with error
    	messages.
    	(_bfd_XXi_swap_aux_in): Make sure that all fields of the aux
    	structure are initialised.
    	(pe_print_edata): Avoid reading off the end of the data buffer.
    
    	2014-11-11  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Use updated lineno_count
    	when building func_table.
    
    	2014-11-11  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Don't bfd_zalloc, just
    	memset the particular bits we need.  Update src after hitting loop
    	"continue".  Don't count lineno omitted due to invalid symbols in
    	nbr_func, and update lineno_count.  Init entire terminating
    	lineno.  Don't bother allocating terminator in n_lineno_cache.
    	Redirect sym->lineno pointer to where n_lineno_cache will be
    	copied, and free n_lineno_cache.
    	* pe-mips.c (NUM_HOWTOS): Typo fix.
    
    	2014-11-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17521
    	* coff-i386.c (NUM_HOWTOS): New define.
    	(RTYPE2HOWTO): Use it.
    	(coff_i386_rtype_to_howto): Likewise.
    	(coff_i386_reloc_name_lookup): Likewise.
    	(CALC_ADDEND): Check that reloc r_type field is valid.
    	* coff-x86_64.c (NUM_HOWTOS): New define.
    	(RTYPE2HOWTO): Use it.
    	(coff_amd64_rtype_to_howto): Likewise.
    	(coff_amd64_reloc_name_lookup): Likewise.
    	(CALC_ADDEND): Check that reloc r_type field is valid.
    	* coffcode.h (coff_slurp_line_table): Check for symbol table
    	indexing underflow.
    	(coff_slurp_symbol_table): Use zalloc to ensure that all table
    	entries are initialised.
    	* coffgen.c (_bfd_coff_read_string_table): Initialise unused bits
    	in the string table.  Also ensure that the table is 0 terminated.
    	(coff_get_normalized_symtab): Check for symbol table indexing
    	underflow.
    	* opncls.c (bfd_alloc): Catch the case where a small negative size
    	can result in only 1 byte being allocated.
    	(bfd_alloc2): Use bfd_alloc.
    	* pe-mips.c (NUM_HOWTOS): New define.
    	(coff_mips_reloc_name_lookup): Use it.
    	(CALC_ADDEND): Check that reloc r_type field is valid.
    	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Initialise unused entries
    	in the DataDirectory.
    	(pe_print_idata): Avoid reading beyond the end of the data block
    	when printing strings.
    	(pe_print_edata): Likewise.
    	Check for table indexing underflow.
    	* peicode.h (pe_mkobject): Initialise the pe_opthdr field.
    	(pe_bfd_object_p): Allocate and initialize enough space to hold a
    	PEAOUTHDR, even if the opt_hdr field specified less.
    
    	2014-11-08  Alan Modra  <amodra@gmail.com>
    
    	* peXXigen.c (pe_print_idata): Revert last patch, cast lhs instead.
    
    	2014-11-07  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* peXXigen.c (pe_print_idata): Cast to unsigned long in range
    	checks.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* tekhex.c (tekhex_set_arch_mach): Ignore unknown arch errors.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* tekhex.c (CHUNK_SPAN): Define.
    	(struct data_struct <chunk_init>): Use one byte per span, update
    	all code accessing this field.
    	(find_chunk): Add create param, don't create new entry unless set.
    	(insert_byte): Don't save zeros.
    	(first_phase): Set section SEC_CODE or SEC_DATA flag depending
    	on symbol type.  Create an alternate section if both types of
    	symbol are given.  Attach type '2' and '6' symbols to absolute
    	section.
    	(move_section_contents): Fix caching of chunk.  Don't create chunk
    	when reading, or for writing zeros.
    	(tekhex_set_section_contents): Don't create initial chunks.
    	(tekhex_write_object_contents): Use CHUNK_SPAN.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* aoutx.h (aout_get_external_symbols): Tidy allocation of symbol buffer.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* archive.c (_bfd_slurp_extended_name_table): Revert bfd_get_size check.
    	* coffcode.h (coff_set_alignment_hook): Likewise.
    	(coff_slurp_line_table): Likewise.
    	* coffgen.c (coff_get_normalized_symtab): Likewise.
    	(_bfd_coff_get_external_symbols): Likewise.
    	* elf.c (bfd_elf_get_str_section): Likewise.
    	* tekhex.c (first_phase): Likewise.
    
    	2014-11-06  Nick Clifton  <nickc@redhat.com>
    
    	* aoutx.h (slurp_symbol_table): Revert previous delta.
    	(slurp_reloc_table): Likewise.
    	* compress.c (bfd_get_full_section_contents): Remove file size
    	test.
    	* coffgen.c (coff_get_normalized_symtab): Allow zero-sized symtabs
    	and do not complain about linker generated files.
    
    	2014-11-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT.
    	Replace another abort with an error message.
    	(coff_slurp_line_table): Add more range checking.
    	* peXXigen.c (pe_print_debugdata): Add range checking.
    
    	2014-11-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_set_alignment_hook): Warn if the file lies
    	about the number of relocations it contains.
    	(coff_sort_func_alent): Return 0 if the pointers are NULL.
    	(coff_slurp_line_table): Add more range checks.  Do not free new
    	tables created when sorting line numbers.
    	* peXXigen.c (pe_print_idata): Add range checks.
    	(pe_print_edata): Likewise.
    	(rsrc_print_resource_entries): Likewise.  Avoid printing control
    	characters.  Terminate printing if corruption is detected.
    	(rsrc_print_resource_directory): Terminate printing if an unknown
    	directory type is encountered.
    	(pe_print_debugdata): Fix off-by-one error.
    	(rsrc_count_entries): Add range checking.
    	(rsrc_parse_entry): Likewise.
    
    	2014-11-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* compress.c (bfd_get_full_section_contents): Improve test for
    	linker created objects.
    
    	PR binutils/17533
    	* archive.c (_bfd_slurp_extended_name_table): Handle archives with
    	corrupt extended name tables.
    
    	2014-11-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* aoutx.h (slurp_symbol_table): Check that computed table size is
    	not bigger than the file from which it is being read.
    	(slurp_reloc_table): Likewise.
    	* coffcode.h (coff_slurp_line_table): Remove unneeded local
    	'warned'.  Do not try to print the details of a symbol with an
    	invalid index.
    	* coffgen.c (make_a_section_from_file): Check computed string
    	index against length of string table.
    	(bfd_coff_internal_syment_name): Check read in string offset
    	against length of string table.
    	(build_debug_section): Return a pointer to the section used.
    	(_bfd_coff_read_string_table): Store the length of the string
    	table in the coff_tdata structure.
    	(bfd_coff_free_symbols): Set the length of the string table to
    	zero when it is freed.
    	(coff_get_normalized_symtab): Check offsets against string table
    	or data table lengths as appropriate.
    	* cofflink.c (_bfd_coff_link_input_bfd): Check offset against
    	length of string table.
    	* compress.c (bfd_get_full_section_contents): Check computed size
    	against the size of the file.
    	* libcoff-in.h (obj_coff_strings_len): Define.
    	(struct coff_tdata): Add strings_len field.
    	* libcoff.h: Regenerate.
    	* peXXigen.c (pe_print_debugdata): Do not attempt to print the
    	data if the debug section is too small.
    	* xcofflink.c (xcoff_link_input_bfd):  Check offset against
    	length of string table.
    
    	2014-10-31  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffgen.c (_bfd_coff_get_external_symbols): Do not try to load a
    	symbol table bigger than the file.
    	* elf.c (bfd_elf_get_str_section): Do not try to load a string
    	table bigger than the file.
    	* tekhex.c (first_phase): Check that the section range is sane.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog              |  282 ++++++++++++
 bfd/aoutx.h                |   24 +-
 bfd/archive.c              |    5 +-
 bfd/coff-i386.c            |   17 +-
 bfd/coff-x86_64.c          |   11 +-
 bfd/coffcode.h             |  170 +++++---
 bfd/coffgen.c              |  168 ++++++--
 bfd/cofflink.c             |    5 +-
 bfd/elf.c                  |   24 +-
 bfd/ieee.c                 |    6 +-
 bfd/libcoff-in.h           |    3 +
 bfd/libcoff.h              |   16 +-
 bfd/opncls.c               |   41 +-
 bfd/pe-mips.c              |    9 +-
 bfd/peXXigen.c             |  220 +++++++---
 bfd/peicode.h              |   15 +-
 bfd/tekhex.c               |  112 +++--
 bfd/xcofflink.c            |    5 +-
 binutils/ChangeLog         |  199 +++++++++
 binutils/ar.c              |    9 +
 binutils/bucomm.c          |   26 ++
 binutils/bucomm.h          |   12 +-
 binutils/doc/binutils.texi |    3 +-
 binutils/dwarf.c           |  209 +++++++---
 binutils/objcopy.c         |   23 +-
 binutils/objdump.c         |   27 +-
 binutils/rdcoff.c          |    9 +-
 binutils/rddbg.c           |   40 ++-
 binutils/readelf.c         | 1039 ++++++++++++++++++++++++++++++++------------
 binutils/stabs.c           |   30 +-
 gas/ChangeLog              |   10 +
 gas/config/obj-coff.c      |    1 +
 32 files changed, 2109 insertions(+), 661 deletions(-)
Comment 96 Sourceware Commits 2014-11-18 14:41:49 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  6937bb54a9c3ddc7ba330bc18af76f8dbe856ac3 (commit)
      from  de84aee38c50fd306876cdbf92007afaacbfab4d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6937bb54a9c3ddc7ba330bc18af76f8dbe856ac3

commit 6937bb54a9c3ddc7ba330bc18af76f8dbe856ac3
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 18 14:40:05 2014 +0000

    More fixes for illegal memory accesses exposed by fuzzed binaries.
    
    	PR binutils/17512
    	* peXXigen.c (pe_print_pdata): Fail if the section's virtual size
    	is larger than its real size.
    	(rsrc_print_section): Fix off-by-one error checking for overflow.
    	* pei-x86_64.c (pex64_bfd_print_pdata): Handle empty unwind
    	sections.
    
    	* dwarf.c (get_encoded_value): Warn and return if the encoded
    	value is more than 64-bits long.
    	(SAFE_BYTE_GET): Do not attempt to read more than 64-bits.
    	(process_extended_line_op): Add more range checks.
    	(decode_location_expression): Use the return value from
    	display_block.  Add more range checks.
    	(read_debug_line_header): Add range check.
    	(display_debug_lines_raw): Add range checks.
    	(display_debug_frames): Silently skip multiple zero terminators.
    	Add range checks.
    	(process_cu_tu_index): Check for non-existent or empty sections.
    	Use SAFE_BYTE_GET instead of byte_get.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |    9 +++
 bfd/peXXigen.c     |   10 +++-
 bfd/pei-x86_64.c   |    7 ++
 binutils/ChangeLog |   16 +++++
 binutils/dwarf.c   |  162 +++++++++++++++++++++++++++++++++++++++------------
 5 files changed, 165 insertions(+), 39 deletions(-)
Comment 97 Nick Clifton 2014-11-18 14:42:46 UTC
Alright - the bugs exposed by those latest fuzzed binaries should be fixed now.
Comment 98 Hanno Boeck 2014-11-19 00:31:22 UTC
Nick, did you see attachment 7937 [details]? It still crashes nm with latest git; this is in the ihex parser.
Comment 99 Alexander Cherepanov 2014-11-19 05:23:08 UTC
Created attachment 7947 [details]
AFL crashers for `objdump -x`

With AFL...

Files: 3
Errors:
      3 Invalid write of size ...
      3 Process terminating with default action of signal 11 (SIGSEGV)
Comment 100 Nick Clifton 2014-11-19 12:41:57 UTC
Hi Hanno,

> did you see attachment 7937 [details]? Still crashes nm with latest git, this 
> is in the ihex parser.

I did, but I cannot make nm fail locally.  What command line are you using to invoke nm?  Also, for which target have you compiled the binutils?

Cheers
  Nick
Comment 101 Hanno Boeck 2014-11-19 12:45:03 UTC
(In reply to Nick Clifton from comment #100)
> I did. but I cannot make nm fail locally.  What command line are you using
> to invoke nm ?  Also for which target have you compiled the binutils ?

Nothing special at all. 64 bit system, "./configure --disable-shared"

What's different: the buffer overflow is detected by default (no asan/valgrind/etc.; probably normal gcc fortify-source):

*** buffer overflow detected ***: nm-plain terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x73ceb)[0x7fdd416a8ceb]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fdd4172dae7]
/lib64/libc.so.6(+0xf6b80)[0x7fdd4172bb80]
/lib64/libc.so.6(+0xf6039)[0x7fdd4172b039]
/lib64/libc.so.6(_IO_default_xsputn+0x81)[0x7fdd416abf21]
/lib64/libc.so.6(_IO_vfprintf+0x499e)[0x7fdd4167e48e]
/lib64/libc.so.6(__vsprintf_chk+0x88)[0x7fdd4172b0c8]
/lib64/libc.so.6(__sprintf_chk+0x85)[0x7fdd4172b025]
nm-plain[0x41bd7f]
nm-plain[0x41c4a1]
nm-plain[0x40fe95]
nm-plain[0x404ec7]
nm-plain[0x402f86]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7fdd41654fa0]
nm-plain[0x403017]
Comment 102 Nick Clifton 2014-11-19 12:50:18 UTC
Hi Alexander,

> Files: 3
> Errors:
>       3 Invalid write of size ...
>       3 Process terminating with default action of signal 11 (SIGSEGV)

I cannot reproduce these failures.  :-(

What host/target are you using ?

Cheers
  Nick
Comment 103 Alexander Cherepanov 2014-11-20 19:25:02 UTC
(In reply to Nick Clifton from comment #60)
> Created attachment 7898 [details]
> Proposed patch to fix valgrind's complaints about using uninitialised memory
> 
> (In reply to comment #57)
> 
> Hi Alexander,
> 
>   I still cannot reproduce the valgrind problem, but the log you provided
> does give me a clue.  Please could you try out the uploaded patch (which has
> *not* been applied to the master branch) and see if it works for you ?
> 
> Cheers
>   Nick

Sorry for the delay with checking it. FWIW I don't see valgrind problems with the sample 140849-0.004.exe any more. I guess they were fixed in some other way.
Comment 104 Alexander Cherepanov 2014-11-20 22:20:11 UTC
Created attachment 7956 [details]
Patch to fix a crash inside _bfd_coff_read_string_table in bfd/coffgen.c

Hi Nick,

(In reply to Nick Clifton from comment #102)
> > Files: 3
> > Errors:
> >       3 Invalid write of size ...
> >       3 Process terminating with default action of signal 11 (SIGSEGV)
> 
> I cannot reproduce these failures.  :-(
> 
> What host/target are you using ?

I can reproduce it only under valgrind and with ulimit -v 1000000.

Patch attached.
Comment 105 Sourceware Commits 2014-11-21 11:21:14 UTC
The branch, master has been updated
       via  cd11f78f810cf12b04046ac954ceb6528b00956c (commit)
      from  3cfdb7812cda6ca610be8bf65ffaf5138dc0d379 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cd11f78f810cf12b04046ac954ceb6528b00956c

commit cd11f78f810cf12b04046ac954ceb6528b00956c
Author: Alexander Cherepanov <cherepan@mccme.ru>
Date:   Fri Nov 21 11:19:49 2014 +0000

    Fix a snafu setting up the string table read in from a COFF file.
    
    	PR binutils/17512
    	* coffgen.c (_bfd_coff_read_string_table): Test allocation of
    	string table before clearing the first few bytes.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    6 ++++++
 bfd/coffgen.c |    6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)
Comment 106 Nick Clifton 2014-11-21 11:22:02 UTC
Hi Alexander,

> Created attachment 7956 [details]
> Patch to fix a crash inside _bfd_coff_read_string_table in bfd/coffgen.c

Doh!  Thanks for that.  I have applied your patch to the sources.

Cheers
  Nick
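The checks described in the 2014-11-03 ChangeLog entry earlier in this thread (a computed table size must not be bigger than the file it is read from; string offsets are checked against the length of the string table) and the one-line fix just applied above (test the allocation before writing to it) are the same small set of mistakes that turn up in every binary-format parser. The following is an added example, not binutils code: a bounds-checked reader for a COFF-style string table, with constructed sample data. The layout it assumes follows the COFF convention (a 4-byte little-endian length word that counts itself, followed by NUL-terminated strings addressed by byte offset from the start of the table), but the names strtab_load, strtab_get, strtab_free and the two sample images are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not binutils code.  Table layout assumed here: a
   4-byte little-endian length that counts itself, then NUL-terminated
   strings addressed by byte offset from the start of the table.  */
struct strtab {
  unsigned char *data;   /* the whole table, length word included */
  size_t len;            /* validated length of the table */
};

static uint32_t get_le32(const unsigned char *p)
{
  return (uint32_t) p[0] | (uint32_t) p[1] << 8
       | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

/* Load the string table found at OFF in a FILE_SIZE-byte image.
   Returns 0 on success, -1 if the header lies or memory is short.  */
int strtab_load(const unsigned char *file, size_t file_size, size_t off,
                struct strtab *out)
{
  out->data = NULL;
  out->len = 0;
  if (off > file_size || file_size - off < 4)
    return -1;                     /* no room for the length word */

  uint32_t size = get_le32(file + off);
  /* A table shorter than its own length word, or one claiming to run
     past the end of the file, is corrupt: this is the "not bigger than
     the file" test from the 2014-11-03 entry.  */
  if (size < 4 || size > file_size - off)
    return -1;

  unsigned char *buf = malloc(size);
  /* The 2014-11-21 snafu: the allocation must be tested before the
     first bytes are written, not after.  */
  if (buf == NULL)
    return -1;
  memcpy(buf, file + off, size);
  out->data = buf;
  out->len = size;
  return 0;
}

/* Resolve a symbol's string offset.  Returns NULL unless the offset
   lands inside the table (past the length word) and the string ends
   before the table does, so the caller can safely use strlen.  */
const char *strtab_get(const struct strtab *t, uint32_t offset)
{
  if (t->data == NULL || offset < 4 || offset >= t->len)
    return NULL;
  const unsigned char *s = t->data + offset;
  if (memchr(s, '\0', t->len - offset) == NULL)
    return NULL;                   /* string runs off the end of the table */
  return (const char *) s;
}

void strtab_free(struct strtab *t)
{
  free(t->data);
  t->data = NULL;
  t->len = 0;
}

/* Constructed sample image: two unrelated bytes, then a 13-byte table
   holding "main" at offset 4 and an unterminated "foo_" at offset 9.  */
static const unsigned char sample_file[] = {
  0xAA, 0xBB,
  0x0D, 0x00, 0x00, 0x00,
  'm', 'a', 'i', 'n', '\0',
  'f', 'o', 'o', '_'
};

/* Constructed corrupt image: the length word claims 0xFFFFFF00 bytes.  */
static const unsigned char bad_file[] = { 0x00, 0xFF, 0xFF, 0xFF, 'x' };

int main(void)
{
  struct strtab t;
  if (strtab_load(sample_file, sizeof sample_file, 2, &t) != 0)
    return 1;
  printf("offset 4 -> %s\n", strtab_get(&t, 4));
  printf("offset 9 -> %s\n", strtab_get(&t, 9) ? "ok" : "rejected (unterminated)");
  strtab_free(&t);
  printf("corrupt header -> %s\n",
         strtab_load(bad_file, sizeof bad_file, 0, &t) == -1 ? "rejected" : "accepted");
  return 0;
}
```

The offset check alone is not enough: strtab_get also requires the string to end inside the table, because an in-range offset pointing at an unterminated run of bytes still lets a later strlen or printf("%s") read past the allocation.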
Comment 107 Alexander Cherepanov 2014-11-21 12:56:22 UTC
Hi Nick,

(In reply to Nick Clifton from comment #106)
> Doh!  Thanks for that.  I have applied your patch to the sources.

Thanks!
Comment 108 Alexander Cherepanov 2014-11-21 13:10:35 UTC
Created attachment 7959 [details]
First bunch of crashers for multiarch `objdump -afphxgGtTrRwW --special-syms`

Configured binutils with --enable-targets=all and generated more samples with objcopy. Crashes are still being sorted out but the first bunch is here. Nick, if you prefer to deal with crashes in multiarch objdump separately or later, please say so. Then I will see which of these crashes affect ordinary objdump.

Files: 60
Errors:
     15 Conditional jump or move depends on uninitialised value(s)
      3 Invalid free() / delete / delete[] / realloc()
     55 Invalid read of size ...
     18 Invalid write of size ...
      2 Jump to the invalid address stated on the next line
     34 Process terminating with default action of signal 11 (SIGSEGV)
      1 Process terminating with default action of signal 8 (SIGFPE)
      2 Source and destination overlap in memcpy...
      5 Use of uninitialised value of size ...
Comment 109 Hanno Boeck 2014-11-21 15:35:52 UTC
Created attachment 7960 [details]
objdump-x-fuzzing.tar.xz

Here are some more results from american fuzzy lop with objdump -x (nm issues from attachment #7937 seem fixed now).

I grouped them in three directories:
* heap overflows (quick look seems they all trigger similar code, but afl considered them as distinct code paths)
* endless loops (I don't know if they're really endless, but they run at least some minutes, something definitely wrong)
* memory exhaustion (not sure if they qualify as real bugs, but probably something worth fixing anyway)
Comment 110 Sourceware Commits 2014-11-21 21:45:37 UTC
The branch, master has been updated
       via  0a9d414aa114b7b7e609cbcbc285f79031bbe608 (commit)
      from  5974eba65b82912621ac68f2c0ff844efbd02b25 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0a9d414aa114b7b7e609cbcbc285f79031bbe608

commit 0a9d414aa114b7b7e609cbcbc285f79031bbe608
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 21 21:44:04 2014 +0000

    Fixes for memory access violations exposed by fuzzing various binaries.
    
    	PR binutils/17512
    	* dwarf.c (get_encoded_value): Check for an encoded size of 0.
    	(display_debug_lines_raw): Check for an invalid line range value.
    	(display_debug_frames): Check for corrupt augmentation data.
    
    	* coffgen.c (coff_get_normalized_symtab): Check for an excessive
    	number of auxiliary entries.
    	* ieee.c (next_byte): Convert to a function.  Return FALSE if the
    	next byte is beyond the end of the buffer.
    	(parse_int): Test the return value of next_byte.
    	(parse_expression): Convert to boolean.  Return FALSE if the
    	parsing failed.  Test the return value of next_byte.
    	(ieee_seek): Convert to a function.  Return FALSE if the seek goes
    	beyond the end of the buffer.
    	(ieee_slurp_external_symbols): Test the return value of ieee_seek
    	and next_byte.
    	(ieee_slurp_sections): Convert to boolean.  Return FALSE if the
    	operation failed.  Test the return value of ieee_seek and
    	next_byte.
    	(ieee_archive_p): Test the return value of ieee_seek and
    	next_byte.
    	(do_one): Likewise.
    	(ieee_slurp_section_data): Likewise.
    	(ieee_object_p): Likewise.  Store the size of the buffer in the
    	total_amt field in the header.
    	* libieee.h (common_header_type): Add amt field.
    	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the
    	reloc's value is within range.
    	(bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the
    	operation fails.
    	* pei-x86_64.c (pex64_xdata_print_uwd_codes): Replace abort with
    	an error message.
    	(pex64_dump_xdata): Check for buffer overflows.
    	* versados.c (process_otr): Check that the section exists before
    	taking its size.
    	(versados_object_p): Make sure that enough data was read for the
    	header to be checked.
    	* vms-alpha.c (vms_get_remaining_object_record): Change
    	read_so_far parameter to an unsigned int.  Check that the amount
    	read is in range.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |   39 ++++++++
 bfd/coffgen.c      |   17 +++-
 bfd/ieee.c         |  261 +++++++++++++++++++++++++++++++++++-----------------
 bfd/libieee.h      |    1 +
 bfd/mach-o.c       |   22 +++--
 bfd/pei-x86_64.c   |   37 ++++++--
 bfd/versados.c     |   21 ++++-
 bfd/vms-alpha.c    |   15 ++-
 binutils/ChangeLog |    7 ++
 binutils/dwarf.c   |   24 +++++
 10 files changed, 333 insertions(+), 111 deletions(-)
Comment 111 Nick Clifton 2014-11-21 21:47:24 UTC
(In reply to Alexander Cherepanov from comment #108)

> First bunch of crashers for multiarch  `objdump -afphxgGtTrRwW
> --special-syms`

Great - these should be fixed now.

> Nick, if you prefer to deal with crashes in multiarch objdump
> separately or later plese say so.

Nope, here is good.

Cheers
  Nick
Comment 112 Alexander Cherepanov 2014-11-22 23:25:07 UTC
Created attachment 7965 [details]
Next crashers for multiarch `objdump -afphxgGtTrRwW --special-syms`

Files: 37
Errors:
     12 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
     20 Conditional jump or move depends on uninitialised value(s)
     11 Invalid read of size ...
      4 Invalid write of size ...
     11 Process terminating with default action of signal 11 (SIGSEGV)
      2 Use of uninitialised value of size ...
Comment 113 Sourceware Commits 2014-11-26 14:13:35 UTC
The branch, master has been updated
       via  a11652892c18324bf3abb8b25c01475e5a18632a (commit)
      from  0cfd832fc7d4f1b5633248754dcc75fa90b5475b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a11652892c18324bf3abb8b25c01475e5a18632a

commit a11652892c18324bf3abb8b25c01475e5a18632a
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Nov 26 14:11:23 2014 +0000

    More fixes for memory access errors triggered by attempts to examine corrupted binaries.
    
    	PR binutils/17512
    	* dwarf.c (display_block): Do nothing if the block starts after
    	the end of the buffer.
    	(read_and_display_attr_value): Add range checks.
    	(struct Frame_Chunk): Make the ncols and ra fields unsigned.
    	(frame_need_space): Test for an ncols of zero.
    	(read_cie): Fail if the augmentation data extends off the end of
    	the buffer.
    	(display_debug_frames): Add checks for read_cie failing.  Add
    	range checks.
    	* coff-h8300.c (rtype2howto): Replace abort with returning a NULL
    	value.
    	* coff-h8500.c (rtype2howto): Likewise.
    	* coff-tic30.c (rtype2howto): Likewise.
    	* coff-z80.c (rtype2howto): Likewise.
    	* coff-z8k.c (rtype2howto): Likewise.
    	* coff-ia64.c (RTYPE2HOWTO): Always return a valid howto.
    	* coff-m68k.c (m68k_rtype2howto): Return a NULL howto if none
    	could be found.
    	* coff-mcore.c (RTYPE2HOWTO): Add range checking.
    	* coff-w65.c (rtype2howto): Likewise.
    	* coff-we32k.c (RTYPE2HOWTO): Likewise.
    	* pe-mips.c (RTYPE2HOWTO): Likewise.
    	* coff-x86_64.c (coff_amd64_reloc): Likewise.  Replace abort with
    	an error return.
    	* coffcode.h (coff_slurp_reloc_table): Allow the rel parameter to
    	be unused.
    	* coffgen.c (make_a_section_from_file): Check the length of a
    	section name before testing to see if it is a debug section name.
    	(coff_object_p): Zero out any uninitialised bytes in the opt
    	header.
    	* ecoff.c (_bfd_ecoff_slurp_symbolic_info): Test for the raw
    	source being empty when there are values to be processed.
    	(_bfd_ecoff_slurp_symbol_table): Add range check.
    	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Likewise.
    	(bfd_mach_o_mangle_sections): Move test for too many sections to
    	before the allocation of the section table.
    	(bfd_mach_o_read_symtab_strtab): If the read fails, free the
    	memory and nullify the symbol pointer.
    	* reloc.c (bfd_generic_get_relocated_section_contents): Add
    	handling of a bfd_reloc_notsupported return value.
    	* versados.c (EDATA): Add range checking.
    	(get_record): Likewise.
    	(process_otr): Check for contents being available before updating
    	them.
    	(versados_canonicalize_reloc): Add range check.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |   40 +++++++++++++++++++++++
 bfd/coff-h8300.c   |    2 +-
 bfd/coff-h8500.c   |    2 +-
 bfd/coff-ia64.c    |    2 +-
 bfd/coff-m68k.c    |    1 +
 bfd/coff-mcore.c   |   16 +++++----
 bfd/coff-tic30.c   |    2 +-
 bfd/coff-w65.c     |   29 ++++++++++-------
 bfd/coff-we32k.c   |    9 ++++-
 bfd/coff-x86_64.c  |   13 +++++++-
 bfd/coff-z80.c     |    2 +-
 bfd/coff-z8k.c     |    2 +-
 bfd/coffcode.h     |    2 +-
 bfd/coffgen.c      |    7 +++-
 bfd/ecoff.c        |    8 ++++
 bfd/mach-o.c       |   26 +++++++++++----
 bfd/pe-mips.c      |    7 +++-
 bfd/reloc.c        |    9 +++++
 bfd/versados.c     |   45 ++++++++++++++++---------
 binutils/ChangeLog |   13 +++++++
 binutils/dwarf.c   |   91 ++++++++++++++++++++++++++++++++++++++-------------
 21 files changed, 250 insertions(+), 78 deletions(-)
Comment 114 Sourceware Commits 2014-11-27 12:20:38 UTC
The branch, master has been updated
       via  1036838a771b96ad9428e8fc7ecc45d3d8e056ce (commit)
      from  608ce2f3c8b1fb309f50b6426389282ec6031323 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1036838a771b96ad9428e8fc7ecc45d3d8e056ce

commit 1036838a771b96ad9428e8fc7ecc45d3d8e056ce
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Nov 27 12:19:10 2014 +0000

    Fixes a few more memory access violations exposed by fuzzed binaries.
    
    	PR binutils/17512
    	* ecoff.c (_bfd_ecoff_slurp_symbol_table): Warn about and correct
    	a discrepancy between the isymMax and ifdMax values in the
    	symbolic header.
    	* elf.c (_bfd_elf_print_private_bfd_data): Fix the range check
    	scanning the external dynamic entries.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    9 +++++++++
 bfd/ecoff.c   |   15 +++++++++++++++
 bfd/elf.c     |    4 +++-
 3 files changed, 27 insertions(+), 1 deletions(-)
Comment 115 Alexander Cherepanov 2014-11-30 23:25:01 UTC
Created attachment 7978 [details]
More crashes for `objdump -afphxgGtTrRwW --special-syms`

Files: 41
Errors:
     20 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
     18 Conditional jump or move depends on uninitialised value(s)
     47 Invalid read of size ...
      5 Invalid write of size ...
     10 Process terminating with default action of signal 11 (SIGSEGV)
      4 Source and destination overlap in memcpy...
      4 Use of uninitialised value of size ...
Comment 116 Sourceware Commits 2014-12-01 16:45:28 UTC
The branch, master has been updated
       via  06614111d1be94b43ea8dd83805184d4e177bcea (commit)
      from  30b5e341f3bcb219718ad32cd0065670fd37e637 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=06614111d1be94b43ea8dd83805184d4e177bcea

commit 06614111d1be94b43ea8dd83805184d4e177bcea
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 1 16:43:46 2014 +0000

    More fixes for memory access violations exposed by fuzzed binaries.
    
    	PR binutils/17512
    	* dwarf.h (struct dwarf_section): Add user_data field.
    	* dwarf.c (frame_need_space): Check for an over large register
    	number.
    	(display_debug_frames): Check the return value from
    	frame_need_space.  Check for a CFA expression that is so long the
    	start address wraps around.
    	(debug_displays): Initialise the user_data field.
    	* objdump.c (load_specific_debug_section): Save the BFD section
    	pointer in the user_data field of the dwarf_section structure.
    	(free_debug_section): Update BFD section data when freeing section
    	contents.
    	* readelf.c (load_specific_debug_section): Initialise the
    	user_data field.
    
    	* archive.c (do_slurp_coff_armap): Add range checks to prevent
    	running off the end of the string table.
    	* compress.c (bfd_get_full_section_contents): Return a NULL
    	pointer for zero sized sections.  Do not attempt to copy a buffer
    	onto itself.
    	* elf-attrs.c (_bfd_elf_parse_attributes): Check for an empty
    	header.  Add range checks to avoid running off the end of the
    	section.
    	* elf.c (bfd_elf_get_str_section): Seek before allocating so that
    	if the seek fails, no memory is allocated.
    	(bfd_elf_string_from_elf_section): Do not allocate a string from a
    	non string section.  It only leads to trouble later on.
    	(_bfd_elf_print_private_bfd_data): Check for there being too
    	little external dynamic data.
    	(bfd_section_from_shdr): Replace assertion with a failure mode.
    	(bfd_section_from_shdr): When walking a loaded group section use
    	the internal structure size, not the external size.  Check for the
    	group section being empty.
    	* elf32-i386.c (elf_i386_rtype_to_howto): Replace assertion with a
    	failure mode.
    	* elfcode.h (elf_slurp_reloc_table): Likewise.
    	* reloc.c (bfd_perform_relocation): Avoid seg-fault if the howto
    	parameter is NULL.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |   27 ++++++++++++
 bfd/archive.c      |   11 ++++-
 bfd/compress.c     |   13 ++++-
 bfd/elf-attrs.c    |   16 ++++++-
 bfd/elf.c          |   36 ++++++++++++----
 bfd/elf32-i386.c   |    4 +-
 bfd/elfcode.h      |    4 +-
 bfd/reloc.c        |    4 ++
 binutils/ChangeLog |   17 +++++++
 binutils/dwarf.c   |  118 ++++++++++++++++++++++++++++++++--------------------
 binutils/dwarf.h   |    2 +
 binutils/objdump.c |   17 +++++++
 binutils/readelf.c |    1 +
 13 files changed, 207 insertions(+), 63 deletions(-)
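Two of the dwarf.c entries in this thread describe the same class of mistake: "Check for a CFA expression that is so long the start address wraps around" (in the commit above) and, in comment 96, "SAFE_BYTE_GET: Do not attempt to read more than 64-bits". A range test written as `start + len > end` is defeated by a length near UINT64_MAX, because the addition wraps and the comparison passes; a fixed-width fetch has to refuse sizes its result type cannot hold. The following is an added example, not binutils code: a bounds-checked little-endian byte reader for length-prefixed blocks, with the range test done on the remaining length instead of on start + len. The names block_fits, safe_byte_get and read_block, the 2-byte-length block layout and the sample buffer are all this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not binutils code.  block_fits, safe_byte_get and
   read_block are names chosen here; the block layout (2-byte length
   followed by that many bytes) and the sample buffer are constructed.  */

/* True if LEN bytes starting at START lie inside [START, END).  The
   comparison is done on the remaining length, never on START + LEN: a
   length near UINT64_MAX read from a corrupt file would wrap START + LEN
   back below END and pass a pointer comparison.  */
bool block_fits(const unsigned char *start, uint64_t len,
                const unsigned char *end)
{
  if (start == NULL || end == NULL || start > end)
    return false;                  /* block begins after the buffer ends */
  return len <= (uint64_t) (end - start);
}

/* Fetch an unsigned little-endian integer of SIZE bytes at *P into *VAL
   and advance *P.  Refuses sizes over 8, since nothing larger fits a
   uint64_t, and any read that would cross END.  */
bool safe_byte_get(const unsigned char **p, const unsigned char *end,
                   unsigned size, uint64_t *val)
{
  if (size == 0 || size > 8 || !block_fits(*p, size, end))
    return false;
  uint64_t v = 0;
  for (unsigned i = 0; i < size; i++)
    v |= (uint64_t) (*p)[i] << (8 * i);
  *val = v;
  *p += size;
  return true;
}

/* Read one length-prefixed block.  Returns the payload length and sets
   *PAYLOAD, or returns -1 if the prefix or the payload is truncated.  */
long read_block(const unsigned char **p, const unsigned char *end,
                const unsigned char **payload)
{
  uint64_t len;
  if (!safe_byte_get(p, end, 2, &len))
    return -1;
  if (!block_fits(*p, len, end))
    return -1;                     /* declared length runs past the buffer */
  *payload = *p;
  *p += len;
  return (long) len;
}

/* Constructed sample: a valid 3-byte block, then a block whose length
   word (0xFFFF) far exceeds the single byte that follows it.  */
static const unsigned char sample[] = {
  0x03, 0x00, 'a', 'b', 'c',
  0xFF, 0xFF, 'x'
};

int main(void)
{
  const unsigned char *p = sample, *end = sample + sizeof sample, *payload;
  long n = read_block(&p, end, &payload);
  printf("first block: %ld bytes, starts with '%c'\n", n, payload[0]);
  n = read_block(&p, end, &payload);
  printf("second block: %s\n", n < 0 ? "rejected (truncated)" : "accepted");
  printf("UINT64_MAX-byte block at start: %s\n",
         block_fits(sample, UINT64_MAX, end) ? "fits" : "rejected");
  return 0;
}
```

Keeping the length in a uint64_t rather than a pointer difference matters: the value comes from the file, so it is whatever the fuzzer put there, and the subtraction form of the test stays correct for every such value.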
Comment 117 Nick Clifton 2014-12-01 16:49:02 UTC
Hi Alexander,

  Thanks for the continued testing.

  In case it is not obvious, I am not too concerned by the "silly argument to malloc" warnings from valgrind.  I might fix them one day, but for now they do not represent actual memory access violations, so I am ignoring them.

Cheers
  Nick
Comment 118 Alexander Cherepanov 2014-12-03 12:56:46 UTC
Created attachment 7990 [details]
Crashes for `objdump -afphxgGtTrRwW --special-syms`

Files: 11
Errors:
      9 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
      2 Invalid read of size ...
      2 Process terminating with default action of signal 11 (SIGSEGV)
Comment 119 Alexander Cherepanov 2014-12-03 13:16:15 UTC
(In reply to Nick Clifton from comment #117)
>   In case it is not obvious, I am not too concerned by the "silly argument
> to malloc" warnings from valgrind.  I night fix them one day, but for now
> they do not represent actual memory access violations, 

Such warnings can point to places of possible integer overflow which could lead to actual buffer overruns with other (not yet found) samples. But I haven't looked into specific cases.

> so I am ignoring them.

It's up to you. I've included them in today's bunch because it was easier than filtering them out. They are probably dupes of the previous ones, so please ignore them.
Comment 120 Sourceware Commits 2014-12-03 19:52:31 UTC
The branch, master has been updated
       via  db6b071a97893d5c7bf34e7fb171a0b710ea736d (commit)
      from  4759c34e128035e57b06a7b3d7c58f135061c6da (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=db6b071a97893d5c7bf34e7fb171a0b710ea736d

commit db6b071a97893d5c7bf34e7fb171a0b710ea736d
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Dec 3 19:50:48 2014 +0000

    Fix memory access problems exposed by fuzzed binaries.
    
    	PR binutils/17512
    	* objdump.c (free_debug_section): Reset the compress_status as
    	well.
    
    	* compress.c (bfd_get_full_section_contents): Fail if there are no
    	section contents available when the compress_status is
    	COMPRESS_SECTION_DONE.
    	* libbfd.c (bfd_malloc): Refuse to allocate a negative size.
    	(bfd_malloc2): Use bfd_malloc.
    	(bfd_realloc): Refuse to reallocate a negative size.
    	(bfd_realloc2): Use bfd_realloc.
    	(bfd_realloc_or_free): Use bfd_realloc.
    	(bfd_zmalloc): Use bfd_malloc.
    	(bfd_zmalloc): Use bfd_malloc2.
    	* opncls.c (bfd_alloc): Refuse to allocate a negative size.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |   15 ++++++
 bfd/compress.c     |    2 +
 bfd/libbfd.c       |  127 +++++++++++----------------------------------------
 bfd/opncls.c       |   14 ++++--
 binutils/ChangeLog |    6 +++
 binutils/objdump.c |    1 +
 6 files changed, 61 insertions(+), 104 deletions(-)
Comment 121 Nick Clifton 2014-12-03 19:53:16 UTC
Hi Alexander,

> Errors:
>       9 Argument 'size' of function malloc has a fishy (possibly negative)
> value: ...
>       2 Invalid read of size ...
>       2 Process terminating with default action of signal 11 (SIGSEGV)

These should all be fixed now.

Cheers
  Nick
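Comment 119's point, that valgrind's "fishy (possibly negative) value" warnings can mark integer overflows in size computations that a differently fuzzed sample would turn into a real heap overflow, and the 2014-12-03 change that makes bfd_malloc, bfd_realloc and bfd_alloc refuse a negative size, are two views of the same check. The following is an added example, not binutils code: an allocator that rejects a wrapping count times size product or a size with the top bit set, together with a table loader that validates a count against the bytes actually present before allocating anything. The names checked_malloc2, load_entries and struct entry, the file layout (a 64-bit little-endian count followed by 16-byte entries) and the two sample images are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not binutils code.  checked_malloc2, load_entries and
   struct entry are names chosen here; the file layout (a 64-bit
   little-endian count followed by 16-byte entries) and the two sample
   images are constructed.  */

static uint64_t get_le64(const unsigned char *p)
{
  uint64_t v = 0;
  for (int i = 7; i >= 0; i--)
    v = v << 8 | p[i];
  return v;
}

/* Allocate NMEMB objects of SIZE bytes, or return NULL.  A product that
   wraps (for example (2^60 + 1) * 16 == 16 in 64 bits) gives a tiny
   buffer that the caller then fills with NMEMB entries: a heap
   overflow.  The sign test is the "negative size" rule from the
   2014-12-03 entry: a size with the top bit set cannot be a real
   object-file size, only a count read from a corrupt header.  */
void *checked_malloc2(uint64_t nmemb, uint64_t size)
{
  if (size != 0 && nmemb > UINT64_MAX / size)
    return NULL;                         /* nmemb * size would overflow */
  uint64_t total = nmemb * size;
  if (total != (size_t) total || (int64_t) total < 0)
    return NULL;                         /* does not fit size_t, or "negative" */
  return malloc(total == 0 ? 1 : (size_t) total);
}

struct entry { uint64_t value; uint64_t aux; };

/* Load the entry table from FILE.  Returns the entry count, or -1 with
   *OUT = NULL if the header is inconsistent with the file size.  The
   count is compared against the bytes present in division form, before
   any multiplication or allocation, so a lying header cannot trigger
   even a large malloc, let alone a wrapped one.  */
long load_entries(const unsigned char *file, size_t file_size,
                  struct entry **out)
{
  *out = NULL;
  if (file_size < 8)
    return -1;
  uint64_t count = get_le64(file);
  if (count > (file_size - 8) / sizeof (struct entry))
    return -1;                           /* more entries than bytes */
  struct entry *e = checked_malloc2(count, sizeof *e);
  if (e == NULL)
    return -1;
  for (uint64_t i = 0; i < count; i++)
    {
      e[i].value = get_le64(file + 8 + i * 16);
      e[i].aux   = get_le64(file + 16 + i * 16);
    }
  *out = e;
  return (long) count;
}

/* Constructed sample: count = 2, entries (1, 2) and (0x10, 0x20).  */
static const unsigned char sample_file[] = {
  2, 0, 0, 0, 0, 0, 0, 0,
  1, 0, 0, 0, 0, 0, 0, 0,     2, 0, 0, 0, 0, 0, 0, 0,
  0x10, 0, 0, 0, 0, 0, 0, 0,  0x20, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed corrupt sample: count = 2^56 but only one entry present.
   2^56 * 16 = 2^60 does not even wrap, yet is far bigger than the file.  */
static const unsigned char bad_file[] = {
  0, 0, 0, 0, 0, 0, 0, 1,
  1, 0, 0, 0, 0, 0, 0, 0,     2, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
  struct entry *e;
  long n = load_entries(sample_file, sizeof sample_file, &e);
  printf("good file: %ld entries, e[1].aux = 0x%llx\n", n,
         (unsigned long long) e[1].aux);
  free(e);
  printf("corrupt count: %s\n",
         load_entries(bad_file, sizeof bad_file, &e) == -1 ? "rejected" : "accepted");
  printf("wrapping product: %s\n",
         checked_malloc2(((uint64_t) 1 << 60) + 1, 16) == NULL ? "rejected" : "accepted");
  return 0;
}
```

The division-form check in load_entries is the one that removes the valgrind warning at its root: the allocator's own refusal is a backstop for the call sites that were missed.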
Comment 122 Alexander Cherepanov 2014-12-04 08:46:50 UTC
Created attachment 7993 [details]
More crashes for `objdump -afphxgGtTrRwW --special-syms`

elfutils seems to have nice tests...

Files: 4
Errors:
      1 Conditional jump or move depends on uninitialised value(s)
     45 Invalid read of size ...
      2 Invalid write of size ...
      3 Process terminating with default action of signal 11 (SIGSEGV)
Comment 123 Sourceware Commits 2014-12-09 12:43:43 UTC
The branch, master has been updated
       via  f64e188b58f4aab4cbd03aa6e9fc1aa602546e26 (commit)
      from  137d1369ac054744d27f19e95aa8a739e6c0068d (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f64e188b58f4aab4cbd03aa6e9fc1aa602546e26

commit f64e188b58f4aab4cbd03aa6e9fc1aa602546e26
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Dec 9 12:42:18 2014 +0000

    More fixes for memory access violations triggered by fuzzed binaries.
    
    	PR binutils/17512
    	* objdump.c (display_any_bfd): Avoid infinite loop closing and
    	opening the same archive again and again.
    
    	* archive64.c (bfd_elf64_archive_slurp_armap): Add range checks.
    	* libbfd.c (safe_read_leb128): New function.
    	* libbfd-in.h (safe_read_leb128): Add prototype.
    	* libbfd.h: Regenerate.
    	* elf-attrs.c (_bfd_elf_parse_attributes): Use safe_read_leb128.
    	Check for an over-long subsection length.
    	* elf.c (elf_parse_notes): Check that the namedata is long enough
    	for the string comparison that is about to be performed.
    	(elf_read_notes): Zero-terminate the note buffer.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |   13 ++++++++++++
 bfd/archive64.c    |   11 +++++++++-
 bfd/elf-attrs.c    |   15 ++++++++-----
 bfd/elf.c          |   53 ++++++++++++++++++++++++++++-----------------------
 bfd/libbfd-in.h    |    2 +
 bfd/libbfd.c       |   39 ++++++++++++++++++++++++++++++++++++++
 bfd/libbfd.h       |    2 +
 binutils/ChangeLog |    6 +++++
 binutils/objdump.c |   10 ++++++++-
 9 files changed, 119 insertions(+), 32 deletions(-)
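The safe_read_leb128 routine and the over-long subsection length check named in this commit, as an added example that is not binutils' code: a bounds-checked ULEB128 reader plus a walker over length-prefixed records that validates each claimed length against the bytes actually remaining. The function names, the record layout and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds-checked ULEB128 reader (hypothetical code, not binutils' own).
   Decodes from P without ever reading at or past END.  Returns the number
   of bytes consumed, or 0 when the encoding is truncated (continuation
   bit still set when END is reached) or would not fit in 64 bits.  */
size_t
safe_read_uleb128 (const unsigned char *p, const unsigned char *end,
                   uint64_t *value)
{
  uint64_t result = 0;
  unsigned int shift = 0;
  size_t n = 0;

  *value = 0;
  while (p + n < end)
    {
      unsigned char byte = p[n++];

      /* Bit 63 is the last one that fits: at shift 63 only the lowest
         bit of the group may be set, and nothing at all beyond that.  */
      if (shift > 63 || (shift == 63 && (byte & 0x7e) != 0))
        return 0;
      result |= (uint64_t) (byte & 0x7f) << shift;
      shift += 7;

      if ((byte & 0x80) == 0)
        {
          *value = result;
          return n;
        }
    }
  return 0;   /* ran off the end of the buffer: truncated encoding */
}

/* Walks a constructed layout of records, each a ULEB128 length followed by
   that many payload bytes (the shape of a length-prefixed subsection).
   Returns the number of complete records, or -1 at the first record whose
   length field is malformed or whose claimed length exceeds what is left. */
int
count_records (const unsigned char *p, const unsigned char *end)
{
  int count = 0;

  while (p < end)
    {
      uint64_t len;
      size_t n = safe_read_uleb128 (p, end, &len);

      if (n == 0)
        return -1;
      p += n;
      /* Compare against the remaining byte count rather than forming
         p + len, which a huge LEN would push outside the buffer.  */
      if (len > (uint64_t) (end - p))
        return -1;
      p += len;
      count++;
    }
  return count;
}

int
main (void)
{
  /* Constructed samples: three well-formed records, then a buffer whose
     second record claims 0xffffffff bytes of payload.  */
  static const unsigned char good[] = { 0x02, 'h', 'i', 0x00, 0x01, 'x' };
  static const unsigned char bad[] = { 0x01, 'a', 0xff, 0xff, 0xff, 0xff,
                                       0x0f, 'b' };

  printf ("good: %d records\n", count_records (good, good + sizeof good));
  printf ("bad: %d (rejected)\n", count_records (bad, bad + sizeof bad));
  return 0;
}
```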
Comment 124 Nick Clifton 2014-12-09 12:44:20 UTC
(In reply to Alexander Cherepanov from comment #122)

> Errors:
>       1 Conditional jump or move depends on uninitialised value(s)
>      45 Invalid read of size ...
>       2 Invalid write of size ...
>       3 Process terminating with default action of signal 11 (SIGSEGV)

Fixed...

Cheers
  Nick
Comment 125 Alexander Cherepanov 2014-12-11 16:10:33 UTC
Created attachment 8003 [details]
More crashers for `objdump -afphxgGtTrRwW --special-syms`

crashes

Files: 7
Errors:
     26 Invalid read of size ...
      4 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------

catchsegv

Files: 3
Errors:
      3 *** Segmentation fault
Comment 126 Sourceware Commits 2014-12-11 20:26:33 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  acff96643eb25bc425d108b0576d393ab398f1c5 (commit)
      from  05a6c3c813d617d9900c5de056f40f958a6c71a5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=acff96643eb25bc425d108b0576d393ab398f1c5

commit acff96643eb25bc425d108b0576d393ab398f1c5
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Dec 11 20:25:05 2014 +0000

    Fix a few more memory access violations.
    
    	PR binutils/17512
    	* dwarf.c (display_gdb_index): Add more range checks.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |    5 +++++
 binutils/dwarf.c   |   20 +++++++++++++++-----
 2 files changed, 20 insertions(+), 5 deletions(-)
Comment 127 Nick Clifton 2014-12-11 20:28:16 UTC
(In reply to Alexander Cherepanov from comment #125)
 
> Files: 3
> Errors:
>       3 *** Segmentation fault

Fixed. Next. :-)
Comment 128 Alexander Cherepanov 2014-12-11 21:47:16 UTC
(In reply to Nick Clifton from comment #127)
> (In reply to Alexander Cherepanov from comment #125)
>  
> > Files: 3
> > Errors:
> >       3 *** Segmentation fault
> 
> Fixed. Next. :-)

fe3b9a79 still crashes `objdump -afphxgGtTrRwW --special-syms` for me (others are fixed). Perhaps the form of my new stats was confusing...
Comment 129 Sourceware Commits 2014-12-16 14:18:43 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  033539e2685156ad6ad60e5925bc61cef5ced483 (commit)
      from  beed38b8273fa18be574a7e84d5d2ee1f563ed48 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033539e2685156ad6ad60e5925bc61cef5ced483

commit 033539e2685156ad6ad60e5925bc61cef5ced483
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Dec 16 14:17:15 2014 +0000

    Fix a memory access violation triggered by a fuzzed binary.
    
    	PR binutils/17512
    	* format.c (bfd_check_format_matches): Check for a matching vector
    	before using match priorities.
    	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Fix off-by-one
    	errors with previous delta.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    8 ++++++++
 bfd/format.c  |    2 +-
 bfd/mach-o.c  |    6 ++++--
 3 files changed, 13 insertions(+), 3 deletions(-)
Comment 130 Nick Clifton 2014-12-16 14:21:30 UTC
Hi Alexander,

> fe3b9a79 still crashes `objdump -afphxgGtTrRwW --special-syms` for me
> (others are fixed). Perhaps the form of my new stats was confusing...

Intriguing - the fault only happens with an x86_64-pc-linux-gnu toolchain.  I was using one configured for all targets (including x86_64-pc-linux-gnu), and for some reason the fault was not triggered there.

Anyway I have checked in a patch to fix the fault for real this time, so please have another try.

Cheers
  Nick
Comment 131 Alexander Cherepanov 2014-12-18 18:54:25 UTC
(In reply to Nick Clifton from comment #130)
> Intriguing - the fault only happens with an x86_64-pc-linux-gnu toolchain. 
> I was using one configured for all targets (including x86_64-pc-linux-gnu),
> and for some reason the fault was not triggered there.

Sorry for the confusion; it turned out I mistyped the option to ./configure and lost multiarchness. Thanks for mentioning it!

> Anyway I have checked in a patch to fix the fault for real this time, so please
> have another try.

Ok, I've found several more non-multiarch crashes in the meantime. I'll upload them shortly and will come back to multiarch.
Comment 132 Alexander Cherepanov 2014-12-21 13:53:37 UTC
Created attachment 8022 [details]
More crashers for multiarch `objdump -afphxgGtTrRwW --special-syms`

crashes (valgrind)

Files: 13
Errors:
      4 Conditional jump or move depends on uninitialised value(s)
     39 Invalid read of size ...
      4 Invalid write of size ...
      9 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------

aborts (gdb)

Files: 1
Errors:
      1 No assertion info in gdb backtrace.
Comment 133 Sourceware Commits 2014-12-22 21:00:26 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  5860e3f883597cf6b8a937547015394edc1e8784 (commit)
      from  e30880c2eeee3b43897161344bbbffd03f3a1c91 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5860e3f883597cf6b8a937547015394edc1e8784

commit 5860e3f883597cf6b8a937547015394edc1e8784
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Dec 22 20:59:00 2014 +0000

    More fixes for memory access violations exposed by fuzzed binaries.
    
    	PR binutils/17512
    	* archive.c (do_slurp_bsd_armap): Return if the parsed_size is
    	zero.
    	(bfd_slurp_armap): Zero terminate the name.
    	(bfd_generic_stat_arch_elt): If there is no header, fail.
    	* elf32-arc.c (arc_info_to_howto_rel): Replace BFD_ASSERT with
    	error message.
    	* elf32-avr.c (avr_info_to_howto_rela): Likewise.
    	* elf32-cr16c.c (elf_cr16c_info_to_howto_rel): Likewise.
    	* elf32-cris.c (cris_info_to_howto_rela): Likewise.
    	* elf32-d10v.c (d10v_info_to_howto_rel): Likewise.
    	* elf32-d30v.c (d30v_info_to_howto_rel): Likewise.
    	* elf32-dlx.c (dlx_rtype_to_howto): Likewise.
    	* elf32-epiphany.c (epiphany_info_to_howto_rela): Likewise.
    	* elf32-fr30.c (fr30_info_to_howto_rela): Likewise.
    	* elf32-frv.c (frv_info_to_howto_rela): Likewise.
    	* elf32-i960.c (elf32_i960_info_to_howto_rel): Likewise.
    	* elf32-ip2k.c (ip2k_info_to_howto_rela): Likewise.
    	* elf32-iq2000.c (iq2000_info_to_howto_rela): Likewise.
    	* elf32-lm32.c (lm32_info_to_howto_rela): Likewise.
    	* elf32-m32c.c (m32c_info_to_howto_rela): Likewise.
    	* elf32-m32r.c (m32r_info_to_howto_rel): Likewise.
    	* elf32-m68hc11.c (m68hc11_info_to_howto_rel): Likewise.
    	* elf32-m68hc12.c (m68hc11_info_to_howto_rel): Likewise.
    	* elf32-mep.c (mep_info_to_howto_rela): Likewise.
    	* elf32-metag.c (metag_info_to_howto_rela): Likewise.
    	* elf32-moxie.c (moxie_info_to_howto_rela): Likewise.
    	* elf32-msp430.c (msp430_info_to_howto_rela): Likewise.
    	* elf32-mt.c (mt_info_to_howto_rela): Likewise.
    	* elf32-nds32.c (nds32_info_to_howto_rel): Likewise.
    	* elf32-or1k.c (or1k_info_to_howto_rela): Likewise.
    	* elf32-rl78.c (rl78_info_to_howto_rela): Likewise.
    	* elf32-rx.c (rx_info_to_howto_rela): Likewise.
    	* elf32-v850.c (v850_elf_info_to_howto_rel): Likewise.
    	* elf32-visium.c (visium_info_to_howto_rela): Likewise.
    	* elf32-xgate.c (xgate_info_to_howto_rel): Likewise.
    	* elf32-xtensa.c (elf_xtensa_info_to_howto_rela): Likewise.
    	* elf64-mmix.c (mmix_info_to_howto_rela): Likewise.
    	* elf64-x86-64.c (elf_x86_64_reloc_type_lookup): Likewise.
    	* elfnn-aarch64.c (elfNN_aarch64_bfd_reloc_from_type): Likewise.
    	* elf64-sparc.c (elf64_sparc_slurp_one_reloc_table): Add range
    	checking of reloc symbol index.
    	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): If no symbols have
    	been provided then set the reloc's symbol to undefined.
    	* reloc.c (bfd_generic_get_relocated_section_contents): Add range
    	checking of the reloc to be applied.
    	* versados.c (process_otr): Add more range checks.
    	(versados_canonicalize_reloc): If the section is unknown, set the
    	symbol to undefined.
    	* vms-alpha.c (_bfd_vms_slurp_eisd): Add range checks.
    	(alpha_vms_object_p): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog        |   54 ++++++++++++++++++++++++++++++++++++++++++++++++++
 bfd/archive.c        |    9 ++++++-
 bfd/elf32-arc.c      |    6 ++++-
 bfd/elf32-avr.c      |    6 ++++-
 bfd/elf32-cr16c.c    |    6 ++++-
 bfd/elf32-cris.c     |    6 ++++-
 bfd/elf32-d10v.c     |    6 ++++-
 bfd/elf32-d30v.c     |   12 +++++++++-
 bfd/elf32-dlx.c      |    6 ++++-
 bfd/elf32-epiphany.c |    5 ++++
 bfd/elf32-fr30.c     |    6 ++++-
 bfd/elf32-frv.c      |    5 ++++
 bfd/elf32-i960.c     |    8 ++++++-
 bfd/elf32-ip2k.c     |    5 ++++
 bfd/elf32-iq2000.c   |    5 ++++
 bfd/elf32-lm32.c     |    6 ++++-
 bfd/elf32-m32c.c     |    6 ++++-
 bfd/elf32-m32r.c     |    6 ++++-
 bfd/elf32-m68hc11.c  |    6 ++++-
 bfd/elf32-m68hc12.c  |    6 ++++-
 bfd/elf32-mep.c      |    5 ++++
 bfd/elf32-metag.c    |    6 ++++-
 bfd/elf32-moxie.c    |    6 ++++-
 bfd/elf32-msp430.c   |   12 +++++++++-
 bfd/elf32-mt.c       |    5 ++++
 bfd/elf32-nds32.c    |    6 ++++-
 bfd/elf32-or1k.c     |    6 ++++-
 bfd/elf32-rl78.c     |    6 ++++-
 bfd/elf32-rx.c       |    6 ++++-
 bfd/elf32-v850.c     |    6 ++++-
 bfd/elf32-visium.c   |    5 ++++
 bfd/elf32-xgate.c    |    6 ++++-
 bfd/elf32-xtensa.c   |    6 ++++-
 bfd/elf64-mmix.c     |    6 ++++-
 bfd/elf64-sparc.c    |    4 ++-
 bfd/elf64-x86-64.c   |    2 +-
 bfd/elfnn-aarch64.c  |    8 +++++++
 bfd/mach-o.c         |    2 +
 bfd/reloc.c          |    4 +++
 bfd/versados.c       |   30 ++++++++++++++++++++-------
 bfd/vms-alpha.c      |    7 +++++-
 41 files changed, 279 insertions(+), 40 deletions(-)
Comment 134 Nick Clifton 2014-12-22 21:06:02 UTC
Hi Alexander,

> Files: 13
> Errors:
>       4 Conditional jump or move depends on uninitialised value(s)
>      39 Invalid read of size ...
>       4 Invalid write of size ...
>       9 Process terminating with default action of signal 11 (SIGSEGV)

These should all be fixed now.

Cheers
  Nick
Comment 135 Sourceware Commits 2014-12-25 00:46:12 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The annotated tag, hjl/linux/release/2.25.51.0.1 has been created
        at  02458b5b7894e10794a1e1b87e4f8e36b3198b10 (tag)
   tagging  a0890eb04228a6b921697b1192285b57e5f46e97 (commit)
  replaces  hjl/linux/release/2.24.51.0.4
 tagged by  H.J. Lu
        on  Wed Dec 24 16:43:46 2014 -0800

- Log -----------------------------------------------------------------
Linux binutils 2.25.51.0.1

Ajit Kumar Agarwal (2):
      Microblaze: Reject invalid target descriptions
      Microblaze: Replace microblaze-expedite from pc to rpc

Alan Modra (122):
      daily update
      Regen gold POTFILES.in
      daily update
      daily update
      daily update
      Do away with hash table line lookup in dwarf2dbg.c
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      Discard zero address range eh_frame FDEs
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      Run eh_frame optimisation for relocatable link
      daily update
      sparc-aout and sparc-coff breakage
      Correct fscanf char field count
      Avoid undefined behaviour with signed expressions
      daily update
      ChangeLog typo fix
      Define bfd_find_line entry of BFD_JUMP_TABLE_SYMBOLS using NAME.
      Merge bfd_find_nearest_line variants
      daily update
      PR17488, powerpc64-linux-ld segfault
      Fix 17492, ld segfault with --oformat=binary
      daily update
      daily update
      Fix PR17493, attempted output of *GAS `reg' section* symbol
      PowerPC64 ELFv1 function symbol definition vs LTO and discarded sections
      daily update
      daily update
      daily update
      Add gcc-4.9 libgomp symbols requiring --plt-thread-safe for power7
      Relax ppc64_elf_tls_optimize assertion
      [GOLD] Add gcc-4.9 libgomp symbols requiring --plt-thread-safe for power7
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      daily update
      Provide stat function for spu overlay manager iovec
      Regenerate spu overlay and icache manager files
      Use frag_now_fix_octets in gas d10v, d30v
      Don't use register keyword
      daily update
      Use obstack_blank_fast to shrink obstacks
      Cast result of obstack_next_free
      daily update
      daily update
      Revert bfd_get_size checks
      aoutx.h tidy
      tekhex buffer management and symbol types
      tekhex architecture
      daily update
      Correct buffer overrun test
      daily update
      daily update
      daily update
      ld -r abort in _bfd_elf_write_section_eh_frame
      Avoid coff OOM
      coff coff
      daily update
      Fix x86 non-ELF build breakage
      Fix z80-coff build breakage
      Throw away dodgy coff line number info earlier
      daily update
      daily update
      Default powerpc64 to --plt-thread-safe for Go
      ppc476 workaround sizing
      PPC gold doesn't check for overflow properly
      PPC gold doesn't check for overflow properly
      PowerPC64 --plt-align
      [GOLD] PowerPC relaxation corner case
      Retry powerpc gold stub grouping when groups prove too large
      _bfd_elf_slurp_version_tables tidy
      Fix build breakage on 32-bit targets with 64-bit bfd
      Don't deprecate powerpc mftb insn
      Sanity checks on version section
      Don't output symbol version definitions for non-DT_NEEDED libs
      Power4 should treat mftb as extended mfspr mnemonic
      ppc64_elf_edit_opd revamp
      powerpc gold, fix pr17566
      powerpc gold, work around pr17670
      Sort relocs output by ld -r
      PowerPC gold, fix 32-bit branch address arithmetic
      ChangeLog typo fix
      ppc64_elf_edit_opd revamp, take 2
      Don't sort ld -r relocs for mips
      Don't access elf tdata in dwarf.c without first checking for an ELF bfd
      Don't return DW_AT_name for function name in C++
      Don't always build coffgen.o
      Use autoconf check for long long in binutils
      Copy relocations against protected symbols
      Set bfd_error in _bfd_elf_adjust_dynamic_copy
      PowerPC register numbers in DWARF
      Move support code for linker script DEFINED to ldexp.c
      Correct logic for "defined by object"
      Don't PROVIDE over top of common symbols
      Use a symbol flag bit to mark linker defined symbols
      Report an error for script multiply defined symbols
      Yet another DEFINED testcase
      Fix generic linker symbol output when weak is overridden by strong
      Don't create .eh_frame_hdr on shared lib bfd

Alexander Cherepanov (2):
      Fix a snafu setting up the string table read in from a COFF file.
      This patch fixes a snafu where the -D and -U short versions of the

Andreas Arnez (58):
      Replace 'core_regset_sections' by iterator method
      Add 'regset' parameter to 'iterate_over_regset_sections_cb'
      Add multi-arch capable 'fbsd_make_corefile_notes' variant
      AARCH64: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      ALPHA: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      ARM: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      FRV: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      HPPA: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      X86: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      M32R: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      M68K: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      IA64: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      M88K: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      MIPS: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      MN10300: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'.
      NIOS2: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      PPC: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      SCORE: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      SH: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      SPARC: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      TILEGX: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      VAX: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      XTENSA: Migrate from 'regset_from_core_section' to 'iterate_over_regset_sections'
      Drop target method 'fbsd_make_corefile_notes'
      Linux targets: drop fall back to target method for 'make_corefile_notes'
      Drop 'regset_from_core_section' gdbarch method
      Remove non-address bits for longjmp resume breakpoint
      Eliminate literal line numbers in so-impl-ld.exp
      Eliminate literal line numbers in dbx.exp
      Eliminate literal line numbers in call-ar-st.exp
      Eliminate literal line numbers in call-rt-st.exp
      Eliminate literal line numbers in ending-run.exp
      Eliminate literal line numbers in foll-exec.exp
      Eliminate literal line numbers in jump.exp
      Eliminate literal line numbers in shlib-call.exp
      Eliminate literal line numbers in mi-console.exp
      'callfuncs' test case: Fixes in conditionally compiled code
      Perform all tests in callfuncs.exp with and without C function prototypes
      callfuncs.exp: Indent perform_all_tests()
      Drop non-prototype C function header variants: solib1.c
      Drop non-prototype C function header variants: 'break' test case
      Drop non-prototype C function header variants: 'list' test case
      Drop non-prototype C function header variants: 'sepdebug' test case
      GDB testsuite: drop non-prototype C function header variants
      GDB testsuite: Fix warnings with -std=gnu11
      Drop remaining references to removed source lines in break1.c and ur1.c
      Eliminate literal line numbers in mi-until.exp
      GDB testsuite: More fixes for warnings with -std=gnu11
      Use 2-byte instead of 4-byte NOP on S390 in 'bp-permanent' test case
      S390: Fix 'expedite' for s390-te-linux64
      execl-update-breakpoints.exp: Move whole segment instead of .text section
      gdbserver: Rephrase loops in regsets_fetch/store_inferior_registers
      gdbserver: Prevent stale/random values in register cache
      gdbserver: Support read-only regsets in linux-low.c
      S390: Fix gdbserver support for TDB
      Add new GDB command "maint print user-registers"
      Provide completer for "info registers"
      Fix indentation of "maint print user-registers"

Andreas From (1):
      Add myself as write after approval maintainer

Andreas Schwab (1):
      * configure.tgt (targ_extra_obj) [aarch64*-*]: Define.

Andrew Bennett (1):
      [MIPS] When calculating a relocation using an undefined weak symbol don't check for overflow.

Andrew Burgess (9):
      When relaxing, update symbols at the very end of the section.
      When relaxing, update size of symbols.
      Merge include/* files from GCC commit 77cab4753.
      Merge include/* files from GCC commit 69a2f316d3.
      Add string representation of ELF e_flags for AVR.
      AVR: Only set link-relax elf flag when appropriate.
      AVR/ld: Propagate link-relax elf header flag correctly.
      AVR: Assembler now prepares for linker relaxation by default.
      AVR: Document linker relaxation related options.

Andrew Pinski (2):
      [AARCH64] Add thunderx support to gas
      Add forgotten changelog entry.

Andrew Stubbs (1):
      Clarify strip docs.

Anthony Green (4):
      Add zex instructions for moxie port
      Add zex instruction support for moxie port
      Add mul.x and umul.x instructions to moxie port
      Add support for moxie's mul.x and umul.x instructions

Cary Coutant (12):
      Fix race condition causing assert in Eh_frame_hdr::do_sized_write().
      Add PR reference to ChangeLog entry.
      Fix problem where TLS common symbols are not allocated properly during LTO.
      Fix handling of relocations against TLS section symbols.
      Fix error from previous patch where tosize and tovalue were redefined
      Add "typename" keyword to satisfy GCC 4.2.
      Fix corrupted .eh_frame section with LTO and --gc-sections.
      Add file size to ELF symbol labelling start of a binary file.
      Update list of debug sections for --strip-debug-xxx options.
      Fix extraneous warning about executable stack.
      Fix internal error in gold when -Map and --compress-debug-sections are used
      gold/

Catalin Udma (2):
      Fix info mem command for 32 bits host/64 bits target
      aarch64/gdbserver: fix floating point registers display

Chen Gang (3):
      Fix memory overflow issue about strncat
      Ensure zero termination of tic4x insn buffer
      Fix windres memory leak

Daniel Colascione (1):
      Warn users about mismatched PID namespaces

Denis Chertykov (5):
      * avrtiny.sc: Apply avr.sc fixes.
      * MAINTAINERS: Fix my email address.
      * configure.ac: Add od-elf32_avr to build.
      * od-elf32_avr.c: Forgot to add a new file.
      * od-elf32_avr.c (elf32_avr_dump_mem_usage): Fix device initialization.

Dennis Brueni (1):
      This fixes an obvious coding error that led to a GDB crash on AIX or HPUX.

Dmitriy Ivanov (1):
      Add support for -z global.

Don Breazeal (2):
      Refactor native follow-fork.
      Follow-fork message printing improvements

Doug Evans (104):
      gdb.base/structs.c (main): Don't run forever.
      Remove some code duplication in py-objfile.c, py-progspace.c.
      fix file paths in previous commit
      Fix dw2-op-out-param.S CU offset values.
      Change name of file name test in py-objfile.exp.
      PR python/17364
      Add gdb.Objfile.progspace attribute.
      New python event "clear_objfiles".
      linux-nat.c (linux_nat_wait_1): Make local prev_mask non-static.
      Fix some comments to say minus_one_ptid instead of PID == -1.
      Remove second (nested) copy of local var child_die.
      symtab.c (lookup_symbol_aux_quick): Set block_found upon success.
      symtab.c: forward decl cleanup
      Clean up some function comments in symtab.[ch].
      Move block_found decl to symtab.h.
      block.c (allocate_block): Use OBSTACK_ZALLOC instead of obstack_alloc.
      * block.h (ALL_BLOCK_SYMBOLS): Fix comment.
      Rename parameter "kind" to "block_index" in quick lookup functions.
      symtab.c (lookup_symbol_aux_local): Fix typo in comment.
      Add ability to add attributes to gdb.Objfile and gdb.Progspace objects.
      valops.c: Fix some whitespace.
      objfiles.h: Remove some unused macros.
      xcoffread.c (process_linenos): Delete unnecessary code.
      mdebugread.c (parse_procedure): Delete unnecessary forward decl.
      Update description of ownership of files in include/
      solib_global_lookup: Fetch arch from objfile, not target_gdbarch.
      Delete TYPE_CODE_CLASS, it's just an alias of TYPE_CODE_STRUCT.
      Forgotten ChangeLog entry for previous commit.
      Use ALL_PRIMARY_SYMTABS instead of ALL_SYMTABS in some places.
      Move lookup_block_symbol to block.c, rename to block_lookup_symbol.
      New macro ALL_BLOCK_SYMBOLS_WITH_NAME.
      Rename lookup_symbol_static to lookup_symbol_in_static_block,
      lookup_symbol_in_block: Renamed from lookup_symbol_aux_block.
      Rename some "aux" functions.
      symtab.c (basic_lookup_symbol_nonlocal): Add comment.
      Rename lookup_symbol_global to lookup_global_symbol.
      symtab.h (lookup_global_symbol): Improve function comment.
      PR 17564: Fix objfile search order for static symbols.
      source.c (select_source_symtab): Rewrite to use ALL_SYMTABS.
      symmisc.c: Remove trailing whitespace.
      dwarf2read.c (update_enumeration_type_from_children): Avoid infinite loop.
      PR symtab/17591
      expand_symtab_containing_pc: Renamed from find_pc_sect_symtab_via_partial.
      PR symtab/17559
      Add copyright headers.
      The result of symtab expansion is always a primary symtab.
      Split up end_symtab_from_static_block into two.
      Use SYMBOL_OBJFILE more.
      Fix memory leak in watch_main_source_file_lossage.
      SYMTAB_OBJFILE: New macro.
      SYMTAB_DIRNAME: New macro.
      symtab.h (SYMTAB_LINETABLE): Renamed from LINETABLE.  All uses updated.
      buildsym API cleanup
      symtab.h (SYMTAB_BLOCKVECTOR): Renamed from BLOCKVECTOR.  All uses updated.
      Split struct symtab into two: struct symtab and compunit_symtab.
      psymtab.c (psymtab_search_name): Fix whitespace.
      cp-namespace.c (cp_lookup_symbol_nonlocal): Fix comment.
      symtab.c: Comment and whitespace improvements.
      Fix dumping of function arguments.
      gdb.dwarf2/dw2-op-out-param.S: Fix comment.
      python/py-infthread.c: Whitespace fixes.
      New python events: infcall, register/memory changed.
      revert previous patch so that I can re-commit with correct author
      Remove remnant of Chill support.
      dwarf2read.c (peek_die_abbrev): Improve error message text.
      PR symtab/17591
      PR symtab/17602
      Remove cplus_specific from general_symbol_info.
      New python attribute gdb.Objfile.build_id.
      New python method gdb.Objfile.add_separate_debug_file.
      Revert: linespec.c (iterate_name_matcher): Fix arguments to symbol_name_cmp.
      New "owner" attribute for gdb.Objfile.
      python/py-objfile.c (objfpy_get_owner): Increment refcount of result.
      cp_lookup_symbol_imports: Make static.
      cp-namespace.c (lookup_symbol_file): Move next to only caller.
      cp_lookup_symbol_nonlocal: Move definition closer to its subroutines.
      symtab.c (domain_name) <MODULE_DOMAIN>: Add missing case.
      (lookup_global_symbol_from_objfile): Simplify.
      cp-namespace.c (cp_lookup_nested_symbol): Fix comments.
      New python function gdb.lookup_objfile.
      Give quick_symbol_functions "methods" a consistent naming scheme.
      Rename cp_is_anonymous to cp_is_in_anonymous.
      value_maybe_namespace_elt: Remove unnecessary test of result != NULL.
      utils.c (make_hex_string): Fix off-by-one error.
      symtab.h (struct symbol_search) <symtab>: Delete, unnecessary.
      cp_find_type_baseclass_by_name: Renamed from find_type_baseclass_by_name.
      cp_lookup_symbol_via_imports: Renamed from cp_lookup_symbol_imports.
      boards/stabs.exp: New file.
      Make buildsym set-up/tear-down more consistent, and document it.
      New parameter "debug symbol-lookup".
      value_maybe_namespace_elt: Remove redundant call to lookup_static_symbol.
      Fix file name in earlier entry.
      language_lookup_primitive_type: Renamed from language_lookup_primitive_type_by_name.
      infcmd.c (jump_command): Minor simplification.
      cp-namespace.c: Whitespace cleanup.
      cp-namespace.c (cp_lookup_symbol_in_namespace): Simplify.
      cp-namespace.c (cp_lookup_nested_symbol_1): New function.
      cp-namespace.c (cp_lookup_symbol_via_imports): New arg "search_scope_first".
      cp-namespace.c (cp_lookup_symbol_via_all_imports): New function.
      Replace some symbol accessor macros with functions.
      Add langdef arg to la_lookup_symbol_nonlocal.
      initialize_objfile_symbol: Renamed from initialize_symbol.
      symtab.h (SYMBOL_DOMAIN_BITS): New macro.
      Look up primitive types as symbols.

Dr Philipp Tomsich (1):
      Remove the artificial limit on code alignment through the use of the

Eric Botcazou (6):
      Update from upstream config repo
      Add Visium support to opcodes
      Add Visium support to bfd
      Add Visium support to binutils
      Add Visium support to gas
      Add Visium support to ld

Espen Grindhaug (1):
      Fixes an infinite loop in readelf parsing a corrupt binary, and other minor corrections.

Evgeniy Dushistov (1):
      Fix race condition when using --threads with linker plugins.

GDB Administrator (36):
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in
      Automatic date update in version.in

Gary Benson (4):
      Remove spurious exceptions.h inclusions
      Include cleanups.h in common-defs.h
      Include common-exceptions.h in common-defs.h
      Do not include unnecessary files in fbsd-tdep.c

H.J. Lu (100):
      Fix build for OLD_FREEBSD_ABI_LABEL
      Convert mov to lea only if r_offset >= 2
      X32: Add REX prefix to encode R_X86_64_GOTTPOFF
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Cast to unsigned long in range checks
      Cast time value to unsigned long to print
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Fix a typo in gas/ChangeLog
      Add assembler support for @gotplt
      Mark R_X86_64_GOTPLT64 obsolete
      Rename symbbol to symbol
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Add cast to unsigned int
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Correct x86 assembler manual
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Don't make PLT entry for R_X86_64_GOTPLT64
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Always run mpx3 and mpx4 tests in 64-bit
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Check PC-relative offset overflow in PLT entry
      Run IFUNC run-time tests only if IFUNC is supported
      Add ifunc-main IFUNC tests
      Always load function pointer into a stack variable
      Add function and function pointer tests
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Update plt-main tests for x32
      Don't run pr17618 test on x32
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Add binutils-pltgot.patch
      Run plt-main test with -pie
      Add function and function pointer tests for i386
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Add i386 .plt.got support
      Check PC-relative offset overflow in PLT entry
      Optimize PC-relative offset overflow check
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Check pointer_equality_needed instead of non_got_ref
      Check branch displacement overflow in x86-64 PLT entry
      Assert size of elf_x86_64_{bnd|legacy}_plt2_entry
      Update libtool.m4 from GCC trunk
      Optimize out i386/x86-64 JUMP_SLOT relocation
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Remove binutils-pltgot.patch
      Update binutils-sharable.patch for master
      Display symbol version when dumping dynrelocs
      Use get_symbol_version_string in BFD_JUMP_TABLE_SYMBOLS
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Remove binutils-pr16496.patch
      Update ld-alpha tests for secureplt
      Update mips tests with symbol version string
      Add tests for PR ld/16452 and PR ld/16457
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Properly check for an out of range row index
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      X86-64: Allow copy relocs for building PIE
      Discard space for relocs against symbols with copy relocs
      Check info->executable for symbols which need copy relocs
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Reformat elf_x86_64_create_dynamic_sections
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Update binutils-sharable.patch against master
      Replace copyreloc-main.c with copyreloc-main.S
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Compile pie_copyrelocs_test.cc with -fno-exceptions -fno-asynchronous-unwind-tables
      Add _bfd_elf_ifunc_get_synthetic_symtab
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Define bfd_elf32_get_synthetic_symtab for x32
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Handle weak alias for PIE with copy reloc
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Update binutils-sharable.patch against master
      Compress debug sections for Linux/x86 by default
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Cast current_group_size to unsigned long
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Mention --compress-debug-sections default in NEWS
      Check corrupt input
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Apply binutils-pr17729.patch
      Apply binutils-pr14675.patch
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Change SometimesInlineFunction to "return i * i * 3;"
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Cast size to long to warn
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Update binutils-pr14675.patch
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Update binutils-pr14675.patch
      Update binutils-lto-mixed.patch against master
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Add cast to unsigned long
      Merge remote-tracking branch 'origin/master' into hjl/linux/master
      Merge remote-tracking branch 'origin/hjl/linux/master' into hjl/linux/applied
      Update binutils-lto-mixed.patch for avrelf.em/ppc32elf.em
      Merge remote-tracking branch 'origin/hjl/linux/master' into hjl/linux/applied
      Fix ld/emultempl/avrelf.em and ld/emultempl/ppc32elf.em
      Update release note for 2.25.51.0.1

Han Shen (3):
      Here we have the patch for gold aarch64 backend to support relaxation.
      Misc about gold for aarch64 backend.
      Fix for gold linking tlsdesc into an executable with -pie.

Hans-Peter Nilsson (10):
      ld.texinfo: Clarify that sysroot affects "=" expansion.
      ld.texinfo: "=" path-prefix forces sysroot in scripts not only SEARCH_DIR
      lib/ld-lib.exp (check_sysroot_available): New proc.
      Add sysroot-prefix ld linker tests.
      If "=" is the first character in a ldscript input file, force a sysroot prefix.
      Allow unquoted = as the first character in ldscript input_list names
      Implement --print-sysroot in ld.
      Implement --print-sysroot in ld.
      Fix ld tests with sysroot=/ and --enable-targets=all and test --print-sysroot
      Fix %lx format used with bfd_size_type mismatch in readelf.c

Iain Buclaw (3):
      Sync libiberty with upstream GCC.
      Remove d-support.c and use gdb_demangle for demangling D symbols.
      Add dlang demangling support to c++filt.

Igor Zamyatin (1):
      Add -z bndplt to generate BND prefix in PLT entries

Ilya Tocar (4):
      Add clwb instruction
      Add pcommit instruction
      Add AVX512IFMA instructions
      Add AVX512VBMI instructions

James Hogan (1):
      Clean up after generated c files for MIPS DSP targets

Jan Beulich (4):
      aarch64: move bogus assertion
      ppc: enable msgclr and msgsnd on Power8
      gas: avoid bogus warnings in false branches of conditional
      aarch64: allow adding/removing just feature flags via .arch_extension

Jan Kratochvil (19):
      Fix library-list.dtd -> library-list-svr4.dtd
      Use gdb_test_sequence in gdb.base/save-bp.exp.
      Fix "save breakpoints" for "disable $bpnum" command.
      Fix "save breakpoints" for "catch" command
      NEWS: Fix typo.
      Reindent code (resolve_dynamic_type_internal).
      Fix add-auto-load-safe-path typo.
      Add add-auto-load-scripts-directory.
      Accelerate lookup_symbol_aux_objfile 85x
      Remove const from many struct objfile *
      Unify lookup_symbol_in_objfile_symtabs
      add dummy frame destructor
      add infcall_mmap and gcc_target_options gdbarch methods
      introduce call_function_by_hand_dummy
      export dwarf2_reg_to_regnum_or_error
      add linux_infcall_mmap
      add s390_gcc_target_options
      Fix 7.8 regression: resolve_dynamic_struct: Assertion `TYPE_NFIELDS (type) > 0' (PR 17642)
      Fix MinGW compilation

Jan-Benedict Glaw (7):
      2014-11-05  Jan-Benedict Glaw  <jbglaw@lug-owl.de>
      Update from upstream Automake
      Update `move-if-change' from gnulib
      Update config.{guess,sub} from upstream config repo
      Sync libiberty from GCC
      Fix signedness warning
      Fix date in ChangeLog entry

Jason Merrill (1):
      * Makefile.in (check-gdb.%): Restore.

Jing Yu (2):
      Add aarch64 to list of targets that support gold.
      Give informative error message for stub-group-size

Jiong Wang (4):
      [AArch64] Cortex-A53 erratum 835769 linker workaround
      treat -specs as both cflags & ldflags
      [AArch64] Warn on load pair to same register
      [AArch64] Cortex-A53 Erratum 835769 -- sort maps

Joel Brobecker (23):
      [Ada] Error adding/subtracting pointer value to/from integral.
      Use strtod instead of strtold in libiberty/d-demangle.c
      ARM: stricter __stack_chk_guard check during prologue analysis
      Document the GDB 7.8.1 release in gdb/ChangeLog
      common-defs.h: include <stdarg.h> before <stdio.h>
      [gdbserver/lynx] spurious failure to write in inferior memory
      varsize-limit error printing element of packed array...
      [Ada] Ignore __XA types when redundant.
      [Ada] gdb.ada/complete.exp failure on x86_64-windows
      [Ada] XA type is not redundant if the ranges' subtypes do not match
      Handling of empty Ada ranges with a negative upper bound.
      Always consider infcall breakpoints as non-permanent.
      gdb_realpath: Rework comment about handling on Windows.
      callback.h:struct host_callback_struct compilation error on Windows hosts.
      Lift DWARF unwinder restriction in dwarf2-frame.c::dwarf2_frame_cfa
      configure gdb/gnulib with --disable-largefile if largefile support disabled.
      Add ChangeLog entries missing from the previous commit.
      Add missing ChangeLog entry for PR backtrace/16215.
      Fix ARI warnings in gdb/compile/compile-object-load.c.
      Avoid use of sprintf in gdb/utils.c:make_hex_string
      Internal error trying to print uninitialized string.
      Use PTRACE_SINGLESTEP_ONE when single-stepping one thread.
      [Linux] Ask kernel to kill inferior when GDB terminates

Joel Sherrill (3):
      s/immediatly/immediately/ in sim/sh/ChangeLog entry.
      sim/igen/: Change immediatly to immediately
      sim/ppc/*: Change immediatly to immediately

Jose E. Marchesi (3):
      This is a series of patches that add support for the SPARC M7 cpu to
      opcodes: fix several misplaced hwcap entries.
      opcodes, elf: annotate instructions with HWCAP2_VIS3B.

Keith Seitz (1):
      This commit causes hundreds of core file regressions in gdb:

Kito Cheng (1):
      Fix SysV-style hash table when --hash-style=both.

Kwok Cheung Yeung (1):
      Fix the gdb.dwarf2/dw2-dir-file-name.exp test on MIPS

Luis Machado (5):
      MIPS bit field failures in gdb.base/store.exp
      Fix mingw32 failures due to incorrect directory separator in pattern
      Fix ARM machine state testcase failures
      Skip tests that use cd for remote hosts
      I caught a few mingw32-specific failures for some of the gdb.reverse

Maciej W. Rozycki (11):
      Avoid software breakpoint's instruction shadow inconsistency
      Also mark ELF solib trampoline minimal symbols special
      MIPS: Correct MUSTBE32 interpretation in delay slot handling
      MIPS: Correct heuristic prologue termination conditions
      MIPS: Rewrite `add_offset_16' to match its name
      gdb.dwarf2: Testsuite 64-bit pointer truncation fixes
      MIPS/GAS: Correct file option settings with `.insn'
      MIPS: Add support for microMIPS Linux signal trampolines
      Correct invalid assumptions made by (mostly) DWARF-2 tests
      MIPS: Keep the ISA bit in compressed code addresses
      MIPS: Define aliases for MSYMBOL_TARGET_FLAG macros

Marcus Shawcroft (2):
      [AArch64] Remove example processors from GAS.
      [AArch64] Enable CRC feature in GAS for cortex-a53 and cortex-a57.

Mark Wielaard (3):
      Recognize new DWARFv5 C11, C++11 and C++14 DW_LANG constants.
      dwarf.c handle new DWARFv5 C11, C++11 and C++14 DW_LANG constants.
      Display DW_LANG_C11 as (C11).

Markus Trippelsdorf (1):
      BFD: Add support for more than one plugin in lib/bfd-plugins

Martin Galvan (1):
      frame.c: Fix the check for FID_STACK_INVALID in frame_id_eq()

Matthew Fortune (12):
      Fix bad @value references in MIPS documentation
      Show information about unknown ASEs and extensions in .MIPS.abiflags
      MIPS Documentation fixes
      Fix -Wshadow warning
      Update .MIPS.abiflags to support MIPS R6
      Fix segfault when creating a dso with discarded .dynsym section.
      Add in a JALRC alias and fix the NAL instruction.
      Fix octeon3 testsuite fallout
      Fix undefined weak symbol reloc tests
      Fix all failing FPXX tests for tx39-elf.
      Fix octeon3 tests for targets with default abi != n32
      Rework the alignment check for BFD_RELOC_MIPS_18_PCREL_S3.

Max Filippov (1):
      Fix trampolines search code for conditional branches

Mihail-Marian Nistor (1):
      gdb/17394: cannot put breakpoint only in selected ASM file.

Naveen H.S (1):
      MIPS: Add Octeon 3 support

Nick Bull (1):
      New python events: inferior call, register/memory changed.

Nick Clifton (61):
      This patch closes a potential security hole in applications that use
      Fix a seg-fault in strings and other binutils when parsing a corrupt PE
      This fixes more seg-faults in tools like "strings" and "objdump" when
      This patch fixes a flaw in the SREC parser which could cause a stack overflow
      More fixes for corrupt binaries crashing the binutils.
      Updated/new translations provided by the Translations Project.
      Fixes another memory corruption bug introduced by patches for PR 17512.
      Fix error message strings so that they can be translated properly.
      Closes another memory corruption, this time due to heap overrun.
      Fixes a seg-fault in the ihex parser when it encounters a malformed ihex file.
      In response to a public outcry the strings program now defaults to using the
      oops - changelog omitted from previous delta.
      Avoid allocating over-large buffers when parsing corrupt binaries.
      Fix an (almost) infinite loop in the tekhex parser.
      Fixes a snafu checking the size of 20-bit immediate values.
      Import updated translations supplied by the Translation Project.
      More fixes for buffer overruns instigated by corrupt binaries.
      Fixes for crashes running readelf.
      Fix a seg-fault triggered by reading a mal-formed archive.
      More fixes for memory corruption when readelf processes corrupt files.
      Fix problem with linker created sections being mistakenly flagged
      More fixes for processing corrupt files.
      More fixes for reading corrupt ELF files.
      More fixes for memory problems uncovered by file fuzzers.
      Revert changes in previous deltas that introduced new failures into
      Prevent archive members with illegal pathnames from being extracted from an archive.
      Add more fixes for invalid memory accesses triggered by corrupt files.
      More fixes for problems exposed by valgrind and the address sanitizer
      Fix objcopy and strip so that they remove their temporary files even if an error occurs.
      More fixes for assertion failures and out-of-bounds reads by readelf.
      More fixes for invalid memory accesses, uncovered by valgrind and binary fuzzers.
      Prevent a buffer overrun whilst displaying corrupt ARM tags.
      Updated French and Ukrainian translations supplied by the Translation Project.
      oops - missed the French translation.
      Fix invalid memory accesses for more corrupt binary files.
      Fix more memory faults uncovered by fuzzing various executables.
      More fixes for readelf problems reading corrupt files.
      More fixes for memory access violations whilst scanning corrupt binaries.
      More fixes for invalid memory accesses triggered by corrupt binaries.
      Fix a null pointer dereference when reading the debug link info from a corrupt file.
      Fix memory access problems exposed by fuzzed binaries.
      More fixes for illegal memory accesses exposed by fuzzed binaries.
      Fixes a seg-fault when displaying the time data for a corrupt archive.
      Resolve more problems with readelf uncovered by fuzzing binary files.
      Fixes for memory access violations exposed by fuzzing various binaries.
      More fixes for memory access errors triggered by attempts to examine corrupted binaries.
      Fixes a few more memory access violations exposed by fuzzed binaries.
      Add checks for memory access violations exposed by fuzzed archives.
      More fixes for memory access violations exposed by fuzzed binaries.
      Replace calls to abort (in readelf) with informative error messages.
      Fix memory access problems exposed by fuzzed binaries.
      More fixes for invalid memory accesses triggered by fuzzed binaries.
      More fixes for memory access violations triggered by fuzzed binaries.
      Fix a few more memory access violations.
      Fix a memory access violation triggered by a fuzzed binary.
      More fixes for memory access violations exposed by fuzzed binaries.
      More fixes for invalid memory accesses exposed by fuzzed binaries.
      Updated translations for the gas and gprof tools.
      Reformat the objdump.1 man output to avoid overlong lines.
      This patch adds support for cpu marvell-whitney.
      Reverts an "enhancement" made in a previous delta which complained of

Oleg Endo (1):
      Correct fabs and fneg insns in simulator

Patrick Palka (4):
      checkpoint: print index of new checkpoint in response message
      Fix the processing of Meta-key commands in TUI
      Specify SA_RESTART when registering the SIGWINCH signal handler
      Add myself as write-after-approval GDB maintainer

Pedro Alves (66):
      infrun.c: comment/typo fixes
      breakpoint.c: debug output when we skip inserting a breakpoint
      infrun.c:user_visible_resume_ptid: Don't check singlestep_breakpoints_inserted_p
      Aarch64: Make CPSR a 32-bit register again in the target description
      Fix features/i386/64bit-avx512.xml
      features/Makefile: Add a "clean" rule.
      gdb/regformats: Don't build .dat files that aren't used by GDBserver
      Regenerate AVX512 target description C files
      features/Makefile: Make 'make cfiles' default to generating all C files
      Add read-only markers to generated gdb/regformats/ .dat files
      Really fail inserting software breakpoints on read-only regions
      Reduce Hg packet (select remote general thread) bouncing
      PR17431: following execs with "breakpoint always-inserted on"
      Fix non-stop regressions caused by "breakpoints always-inserted off" changes
      gdb.threads/manythreads.exp: clean up and add comment
      infrun.c:normal_stop: Fix typo in comment
      Split vDSO range lookup to a gdbarch hook
      PR symtab/14466: Work around PR libc/13097 "linux-vdso.so.1"
      Cache the vsyscall/vDSO range per-inferior
      Delete IRIX support
      Delete gdb/regformats/microblaze.dat
      gdbserver/win32: Rewrite debug registers handling
      Decide whether we may have removed breakpoints based on step_over_info
      Rewrite non-continuable watchpoints handling
      infrun.c: add for_each_just_stopped_thread
      Put single-step breakpoints on the bp_location chain
      Remove deprecated_insert_raw_breakpoint and friends
      thread.c: cleanup breakpoint deletion
      Make single-step breakpoints be per-thread
      Non-stop + software single-step archs: don't force displaced-stepping for all single-steps
      Merge remote thread listing methods
      Push pruning old threads down to the target
      remote: get rid of all the T packets when syncing the thread list
      DEC threads: Simplify updating the thread list
      Fix build without libexpat
      Delete Tru64 support
      Make common code handle target_terminal_* idempotency
      PR gdb/17472: With annotations, input while executing in the foreground crashes readline/GDB
      PR gdb/17300: Input after "c -a" crashes readline/GDB
      PR gdb/17471: Repeating a background command makes it foreground
      NEWS: Clarify removed targets
      Remove Vax Ultrix and VAX BSD support
      stepi/nexti: skip signal handler if "handle nostop" signal arrives
      Workaround remote targets that report an empty list to qfThreadInfo
      update bug numbers (GNATS -> Bugzilla) in a few signal related tests
      gdb.base/sigstep.exp: cleanup and make it easier to extend
      Test for PR gdb/17511, spurious SIGTRAP after stepping into+in signal handler
      PR gdb/12623: non-stop crashes inferior, PC adjustment and 1-byte insns
      PR tui/16138, PR tui/17519, and misc failures to initialize the terminal
      TUI: don't let exceptions escape while handling readline key bindings
      PR tui/16138 is about failure to initialize curses resulting in GDB
      Fix uninitialized value access when very first GDB command entered is <RET>
      PR python/17372 - Python hangs when displaying help()
      PR 17408 - assertion failure in switch_back_to_stepped_thread
      This PR shows that GDB can easily trigger an assertion here, in
      garbage collect gdb/breakpoint.c:breakpoint_thread_match
      Revert old nexti prologue check and eliminate in_prologue
      gdb.base/sigstep.exp: xfail gdb/17511 on i?86 Linux
      add a default method for gdbarch_skip_permanent_breakpoint
      make "permanent breakpoints" per location and disableable
      fix skipping permanent breakpoints
      Garbage collect the infwait_state global
      GDBserver: ctrl-c after leader has exited
      GDBserver: don't resume all threads if the Hc thread disappears
      GDBserver: clean up 'cont_thread' handling
      handle 'iconv's that define EILSEQ to ENOENT

Petr Machata (1):
      dwarf.exp: In 64-bit units, emit also abbrev offset as a 64-bit field

Philipp Tomsich (2):
      [AArch64] Add xgene1.
      [AArch64] Add xgene2.

Pierre Muller (3):
      [RFA] Stabs: Ignore N_BNSYM/N_ENSYM entry types
      Fix amd64 dwarf register number mapping (MMX register and higher)
      This patch adds support for printing out the pdata section of PE objects.

Rainer Orth (1):
      Fix gnu11 fallout on Solaris 10+

Richard Earnshaw (2):
      [AArch64] Fix mis-detection of unpredictable load/store operations with FP regs.
      * config/tc-arm.c (rotate_left): Avoid undefined behaviour when N = 0.

Richard Henderson (1):
      Set ppc COMMONPAGESIZE to 64k

Richard Sandiford (1):
      bfd/

Samuel Thibault (1):
      [Hurd] Fix deallocation after proc_getprocinfo call

Sandra Loosemore (7):
      Refactoring/cleanup of nios2 opcodes and assembler code.
      Update Nios II prologue analysis to remove detection of long-obsolete
      Add mach parameter to nios2_find_opcode_hash.
      Refactor Nios II GDB support to use helper functions for disassembly and
      Fix Nios II GDB epilogue detection to handle multiple stack adjustments.
      Fix Nios II prologue analyzer to handle multiple stack adjustments.
      Remove broken nios2 assembler dwim support.

Sergio Durigan Junior (6):
      PR tdep/9390: Fix typo on xstorxstormy16-tdep.c
      Explicitly use language_c when evaluating a SDT probe argument
      Only call {set,clear}_semaphore probe function if they are not NULL
      Partial fix for PR breakpoints/10737: Make syscall info be per-arch instead of global
      Fix build breakage from previous commit
      Merge dg-extract-results.{sh,py} from GCC upstream

Simon Marchi (18):
      Don't prune program spaces when doing "maintenance info program-spaces"
      Exit code of exited inferiors in -list-thread-groups
      Small fixes to the Python API doc
      tui: Fix newterm call for older ncurses
      Fix test always passing in python/py-linetable.exp
      Fix prints in tests for Python 3
      Fix Python help() test for Python 3
      Remove duplicate comment
      Fix comment typo
      Fix make_cleanup_dtor signature to match declaration
      Restore terminal state in mi_thread_exit (PR gdb/17627)
      Introduce target_is_gdbserver
      Only leave dprintf inserted if it is marked as persistent (PR breakpoints/17012)
      python extended prompt: Use os.getcwd() instead of os.getcwdu()
      Fix build with Python 3.4 (PR python/16784)
      testsuite: expect possible pagination when starting gdb
      Introduce utility function find_inferior_ptid
      A few comment cleanups

Siva Chandra (8):
      Non trivial return value tests.
      Fix gnuv3_pass_by_reference to lookup copy c-tors with qualified args.
      Add new non-trivial return value tests.
      Fix gnuv3_pass_by_reference to treat dynamic classes as non-trivial.
      Guard a call to TYPE_TARGET_TYPE in gnuv3_pass_by_reference.
      Fix evaluation of method calls under EVAL_SKIP.
      Enable chained function calls in C++ expressions.
      Check that thread stack temps are not already enabled before enabling them.

Sriraman Tallam (1):
      2014-09-29  Sriraman Tallam  <tmsriram@google.com>

Stan Shebs (1):
      Add Yao Qi as global maintainer

Steve Ellcey (1):
      2014-12-05  Steve Ellcey  <sellcey@mips.com>

Terry Guo (4):
      2014-09-29  Terry Guo  <terry.guo@arm.com>
      Enable to link ARM object file that hasn't attribute section.
      Support ARM Cortex-M7
      Calculate ARM arch attribute after relaxation

Tom Tromey (8):
      introduce ui_file_write_for_put
      add gcc/gdb interface files
      add some missing ops to DWARF assembler
      add make_unqualified_type
      add gnu_triplet_regexp gdbarch method
      split dwarf2_fetch_cfa_info from dwarf2_compile_expr_to_ax
      make dwarf_expr_frame_base_1 public
      the "compile" command

Tristan Gingold (4):
      Add NEWS markers for 2.25.
      src-release.sh: configure using --target.
      Bump bfd version.
      Darwin: sanitize %gs and %fs values.

Ulrich Weigand (4):
      Work around GCC bug 63748
      Remove (dead-code) native core file sniffers on Linux targets
      Use core regset iterators on GNU Hurd
      Use core regset iterators on Sparc Solaris

Victor Kamensky (4):
      ARM: plt_size functions need to read instructions in right byte order
      ARM: extract_arm_insn function need to read instrs correctly in be8 case
      ARM: arm_breakpoint should be little endian form in case for arm BE8
      read_pieced_value do big endian processing only in case of valid gdb_regnum

Will Newton (3):
      include/elf/aarch64.h: Add reloc numbers from ABI release 1.0
      ld/testsuite/ld-unique: Fix running unique tests on ARM
      bfd/elf-attrs.c: Fix possible infinite loop parsing attributes

Yao Qi (66):
      Fix typo in thumb_in_function_epilogue_p
      Skip dlopen-libpthread.exp in cross testing
      Error in build_executable_own_libs for non-native target
      Remove unused local variable
      No longer pull thread list explicitly
      Clean up server-kill.exp
      Get GDBserver pid on remote target
      Enable qTStatus packet in case it is disabled
      Use mi_varobj_update in mi-var-child.exp and mi2-var-child.exp
      Fix fail in mi-var-child.exp and mi-var-display.exp
      Clean up gdb.python/ tests
      Fix file name matching on remote host.
      Fix py-parameter.exp for remote host
      Don't check noargs in remotetimeout.exp
      Don't check target_info exists noargs in commands.exp
      Copy xml files to host
      Skip testing argv[0] on target argv[0] isn't available
      Don't remove files copied to host
      Rename py-objfile-script-gdb.py.in to py-objfile-script-gdb.py
      Fix trace file fails on powerpc64
      Fix skipping stack protector on arm
      Close the file in fileio.exp test
      Prepare directory in case test_system fails
      Don't replace '\' with '\\' in before_prompt_hook
      Match the working directory on remote host
      Add missing changelog entries
      New proc _handle_attribute
      DW attribute macro MACRO_AT_func and MACRO_AT_range
      Get start and end address of main in dwz.exp
      Use Dwarf::assemble in implptr-optimized-out.exp
      Fix implptr-optimized-out.exp fail
      Fix dw2-ifort-parameter.exp fail with clang
      Add missing parenthesis
      Don't set CC in config/i386/go32.mh
      Make IMPORTED_GNULIB_MODULES in alphabetical order
      Import alloca explicitly
      Include alloca.h unconditionally
      Import memchr explicitly
      Import wchar and wctype-h explicitly
      Include wchar.h and wctype.h unconditionally
      Import errno explicitly
      [arm] Fix fails in dw2-compdir-oldgcc.exp
      Use MACRO_AT_func in entry-values.exp
      Refine read_string
      Match library name prefixed with sysroot
      Fix date in changelog
      Import readlink
      Use readlink unconditionally
      Import lstat
      Use lstat unconditionally
      Import canonicalize-lgpl
      Use canonicalize_file_name unconditionally
      Import rename module
      [arm] compute framereg and framesize when needed
      Don't enable gdbtk in testsuite
      Use standard_testfile in i386-bp_permanent.exp
      Fix parallel testing issues in gdb.guile tests
      Revert: Don't enable gdbtk in testsuite
      Don't scan prologue past epilogue
      Improve arm_skip_prologue by using arm_analyze_prologue
      Replace ARG_MAX with ARG_LAST
      Move NEWS entries to the right section
      Remove h8300_print_float_info
      Refactor gdbarch method print_float_info
      MIPS: Provide FPU info and decode FCSR in `info float'
      MIPS SDE OS ABI support

-----------------------------------------------------------------------
Comment 136 Alexander Cherepanov 2014-12-25 14:32:42 UTC
Created attachment 8026 [details]
Crasher for `size`

Files: 2
Errors:
      4 Conditional jump or move depends on uninitialised value(s)
     19 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
Comment 137 Alexander Cherepanov 2014-12-25 15:02:24 UTC
Created attachment 8027 [details]
Crashers for `nm-new -DClpSs --special-syms --synthetic`

valgrind

Files: 33
Errors:
     12 Conditional jump or move depends on uninitialised value(s)
    131 Invalid read of size ...
     24 Invalid write of size ...
      7 Process terminating with default action of signal 11 (SIGSEGV)
      2 Use of uninitialised value of size ...

----------------------------------------------------------------------

gdb

Files: 18
Errors:
     18 No assertion info in gdb backtrace.
Comment 138 Alexander Cherepanov 2014-12-25 16:05:20 UTC
Created attachment 8028 [details]
Crashers for `coffdump`

valgrind

Files: 37
Errors:
     23 Conditional jump or move depends on uninitialised value(s)
     24 Invalid read of size ...
     16 Invalid write of size ...
     25 Process terminating with default action of signal 11 (SIGSEGV)
      7 Use of uninitialised value of size ...

----------------------------------------------------------------------

gdb

Files: 2
Errors:
      2 No assertion info in gdb backtrace.
Comment 139 Alexander Cherepanov 2014-12-25 16:34:51 UTC
Created attachment 8029 [details]
More problems with `objdump -afphxgGtTrRwW --special-syms`

valgrind

Files: 1
Errors:
      1 Invalid read of size ...
      1 Invalid write of size ...

----------------------------------------------------------------------

gdb

Files: 1
Errors:
      1 No assertion info in gdb backtrace.
Comment 140 Alexander Cherepanov 2015-01-02 21:14:28 UTC
Created attachment 8039 [details]
Problems with `srconv`

valgrind

Files: 19
Errors:
      2 Conditional jump or move depends on uninitialised value(s)
     16 Invalid read of size ...
      8 Invalid write of size ...
     16 Process terminating with default action of signal 11 (SIGSEGV)
      2 Use of uninitialised value of size ...

----------------------------------------------------------------------

gdb

Files: 2
Errors:
      2 No assertion info in gdb backtrace.
Comment 141 Alexander Cherepanov 2015-01-03 09:37:45 UTC
Created attachment 8040 [details]
Problems with `dlltool -e exp.out -l lib.out -z def.out`

valgrind

Files: 1
Errors:
    260 Invalid read of size ...
     41 Invalid write of size ...
      1 More than 100 errors detected.  Subsequent errors
      1 More than 1000 different errors detected.  I'm not reporting any more.
      1 Process terminating with default action of signal 11 (SIGSEGV)
Comment 142 Alexander Cherepanov 2015-01-03 09:38:48 UTC
Created attachment 8041 [details]
Problems with `nlmconv`

valgrind

Files: 6
Errors:
      1 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
      8 Invalid read of size ...
      6 Invalid write of size ...
      4 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------

gdb

Files: 1
Errors:
      1 No assertion info in gdb backtrace.
Comment 143 Alexander Cherepanov 2015-01-03 11:22:37 UTC
Created attachment 8042 [details]
Problems with `sysdump`

valgrind

Files: 4
Errors:
     34 Conditional jump or move depends on uninitialised value(s)
      2 Invalid read of size ...
      2 Process terminating with default action of signal 11 (SIGSEGV)
     16 Use of uninitialised value of size ...

----------------------------------------------------------------------

gdb

Files: 5
Errors:
      5 No assertion info in gdb backtrace.
Comment 144 Alexander Cherepanov 2015-01-03 12:37:00 UTC
Created attachment 8043 [details]
Problems with `strip-new`

valgrind

Files: 20
Errors:
     13 Conditional jump or move depends on uninitialised value(s)
     57 Invalid read of size ...
     56 Invalid write of size ...
     13 Process terminating with default action of signal 11 (SIGSEGV)
      1 Process terminating with default action of signal 8 (SIGFPE)
      4 Syscall param write(buf) points to uninitialised byte(s)
      1 Use of uninitialised value of size ...
Comment 145 Sourceware Commits 2015-01-05 23:15:20 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  896ca0981329171639b1fe0b934393a79ef4fdfb (commit)
      from  82b1b41bcdc6d01fdbd94b246e24a8a8f8c2bddd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=896ca0981329171639b1fe0b934393a79ef4fdfb

commit 896ca0981329171639b1fe0b934393a79ef4fdfb
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jan 5 23:13:50 2015 +0000

    More fixes for invalid memory accesses triggered by fuzzed binaries.
    
    	PR binutils/17512
    	* nm.c (print_symbol): Add 'is_synthetic' parameter.  Use it to
    	help initialize the info.elfinfo field.
    	(print_size_symbols): Add 'synth_count' parameter.  Use it to set
    	the is_synthetic parameter when calling print_symbol.
    	(print_symbols): Likewise.
    	(display_rel_file): Pass synth_count to printing function.
    	(display_archive): Break loop if the last archive displayed
    	matches the current archive.
    	* size.c (display_archive): Likewise.
    
    	* archive.c (do_slurp_bsd_armap): Make sure that the parsed size
    	is at least big enough for the header to be read.
    	* elf32-i386.c (elf_i386_get_plt_sym_val): Skip unknown relocs.
    	* mach-o.c (bfd_mach_o_get_synthetic_symtab): Add range checks.
    	(bfd_mach_o_read_command): Prevent duplicate error messages about
    	unrecognized commands.
    	* syms.c (_bfd_stab_section_find_nearest_line): Add range checks
    	when indexing into the string table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |   12 +++++++++
 bfd/archive.c      |    3 +-
 bfd/elf32-i386.c   |    5 ++-
 bfd/elfcode.h      |    3 +-
 bfd/mach-o.c       |   61 +++++++++++++++++++++++++++++++++++---------
 bfd/syms.c         |   12 +++++++++
 binutils/ChangeLog |   13 +++++++++
 binutils/nm.c      |   71 ++++++++++++++++++++++++++++++++++++---------------
 binutils/size.c    |    9 ++++++-
 9 files changed, 150 insertions(+), 39 deletions(-)
Comment 146 Nick Clifton 2015-01-05 23:18:13 UTC
Hi Alexander,

> Crasher for `size`
> Errors:
>       4 Conditional jump or move depends on uninitialised value(s)
>      19 Invalid read of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)

> Crashers for `nm-new -DClpSs --special-syms --synthetic`
> Errors:
>     12 Conditional jump or move depends on uninitialised value(s)
>    131 Invalid read of size ...
>     24 Invalid write of size ...
>      7 Process terminating with default action of signal 11 (SIGSEGV)
>      2 Use of uninitialised value of size ...

These should be fixed now.  I will look at the others tomorrow.

Cheers
  Nick
Comment 147 Sourceware Commits 2015-01-06 01:44:53 UTC

The branch, master has been updated
       via  533d0af0b8a8127b6f189222fc57aa11ce7aab2c (commit)
      from  9c90714c2f94b4486f56fcd9dcb70e27d983f7df (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=533d0af0b8a8127b6f189222fc57aa11ce7aab2c

commit 533d0af0b8a8127b6f189222fc57aa11ce7aab2c
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 5 17:43:34 2015 -0800

    Return NULL on corrupt input
    
    	PR binutils/17512
    	* elf32-i386.c (elf_i386_get_plt_sym_val): Return NULL on corrupt
    	input.
    	* elf64-x86-64.c (elf_x86_64_get_plt_sym_val): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |    7 +++++++
 bfd/elf32-i386.c   |    9 ++++++---
 bfd/elf64-x86-64.c |    3 +++
 3 files changed, 16 insertions(+), 3 deletions(-)
Comment 148 Sourceware Commits 2015-01-06 16:08:21 UTC

The branch, master has been updated
       via  85880250e591a51624d24db653aaace0c5ce5943 (commit)
      from  fce10a8494efa8faec67b718f25e06d3d71694b3 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=85880250e591a51624d24db653aaace0c5ce5943

commit 85880250e591a51624d24db653aaace0c5ce5943
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 6 16:06:45 2015 +0000

    Fixes for memory access violations in the coffdump program.
    
    	PR binutils/17512
    	* coffdump.c (dump_coff_section): Check for a symbol being
    	available before printing its name.
    	(main): Check the return value from coff_grok.
    	* coffgrok.c: Reformat and tidy.
    	Add range checks to most functions.
    	(coff_grok): Return NULL if the input bfd is not in a COFF
    	format.
    	* coffgrok.h: Reformat and tidy.
    	(struct coff_section): Change the nrelocs field to unsigned.
    	* srconv.c (main): Check the return value from coff_grok.
    
    	* coff-i860.c (CALC_ADDEND): Always set an addend value.
    	* tekhex.c (getvalue): Add an end pointer parameter.  Use it to
    	avoid reading off the end of the buffer.
    	(getsym): Likewise.
    	(first_phase): Likewise.
    	(pass_over): Pass an end pointer to the invoked function.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog       |   10 ++
 bfd/coff-i860.c     |    5 +-
 bfd/tekhex.c        |   33 +++---
 binutils/ChangeLog  |   14 ++
 binutils/coffdump.c |   20 ++--
 binutils/coffgrok.c |  351 ++++++++++++++++++++++++++++++++++-----------------
 binutils/coffgrok.h |  255 ++++++++++++++++++-------------------
 binutils/srconv.c   |   10 +-
 8 files changed, 421 insertions(+), 277 deletions(-)
Comment 149 Nick Clifton 2015-01-06 16:16:29 UTC
Hi Alexander,

> Crashers for `coffdump`

> Errors:
>      23 Conditional jump or move depends on uninitialised value(s)
>      24 Invalid read of size ...
>      16 Invalid write of size ...
>      25 Process terminating with default action of signal 11 (SIGSEGV)
>       7 Use of uninitialised value of size ...

These should all be fixed now.

Cheers
  Nick
Comment 150 Sourceware Commits 2015-01-06 17:55:29 UTC

The branch, master has been updated
       via  ec93045b400ec68b0c5716d75f27a87533b57058 (commit)
      from  60ebc25751744f54ae5c00d1c9198ab64fcc5b33 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ec93045b400ec68b0c5716d75f27a87533b57058

commit ec93045b400ec68b0c5716d75f27a87533b57058
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 6 17:54:02 2015 +0000

    Fix memory access violations for objdump triggered by fuzzed binaries.
    
    	PR binutils/17512
    	* reloc.c (bfd_get_reloc_size): Handle a reloc size of -1.
    	(bfd_perform_relocation): Include the size of the reloc in the
    	test for an out of range relocation.
    	(bfd_generic_get_relocated_section_contents): Remove reloc range
    	test.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    6 ++++++
 bfd/reloc.c   |   11 ++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
Comment 151 Sourceware Commits 2015-01-06 22:04:11 UTC

The branch, master has been updated
       via  e7287c7f647870093b8ab5ffea0732ffdb8c4d66 (commit)
      from  e749cab89d976c723ee01a3dfcfd7ec1a883f890 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e7287c7f647870093b8ab5ffea0732ffdb8c4d66

commit e7287c7f647870093b8ab5ffea0732ffdb8c4d66
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 6 22:02:55 2015 +0000

    Another fix for an objdump crash when parsing a corrupt binary.
    
    	PR binutils/17512
    	* mach-o.c (bfd_mach_o_read_symtab_strtab): Zero terminate the
    	string table.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog |    3 +++
 bfd/mach-o.c  |    4 +++-
 2 files changed, 6 insertions(+), 1 deletions(-)
Comment 152 Nick Clifton 2015-01-06 22:05:11 UTC
Hi Alexander,

> More problems with `objdump -afphxgGtTrRwW --special-syms`
> Errors:
>       1 Invalid read of size ...
>       1 Invalid write of size ...

Fixed.

Cheers
  Nick
Comment 153 Sourceware Commits 2015-01-07 00:47:43 UTC

The branch, master has been updated
       via  6f25f22356dcf9ddf6b375c8e967486f10855dfd (commit)
      from  7b496d07dfbb696ea597d3f3ec3a3dfc0646cb86 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6f25f22356dcf9ddf6b375c8e967486f10855dfd

commit 6f25f22356dcf9ddf6b375c8e967486f10855dfd
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Tue Jan 6 16:46:36 2015 -0800

    Skip unknown relocation
    
    	PR binutils/17512
    	* elf32-i386.c (elf_i386_get_plt_sym_val): Skip unknown relocation.
    	* elf64-x86-64.c (elf_x86_64_get_plt_sym_val): Likewise.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |    6 ++++++
 bfd/elf32-i386.c   |    4 ++--
 bfd/elf64-x86-64.c |    3 ++-
 3 files changed, 10 insertions(+), 3 deletions(-)
Comment 154 Sourceware Commits 2015-01-07 16:43:06 UTC

The branch, master has been updated
       via  c88f5b8e495889f5d281a17bd56340d9a0e4cff6 (commit)
      from  ea42d6f8d1e24403e533e5dfea18e94c47ac534b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c88f5b8e495889f5d281a17bd56340d9a0e4cff6

commit c88f5b8e495889f5d281a17bd56340d9a0e4cff6
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 7 16:41:25 2015 +0000

    Fix memory access violations exposed by running the srconv tool on fuzzed binaries.
    
    	PR binutils/17512
    	* objdump.c (display_any_bfd): Add a depth limit to nested archive
    	display in order to avoid infinite loops.
    	* srconv.c: Replace calls to abort with calls to fatal with an
    	error message.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |    8 ++++++++
 binutils/objdump.c |    9 ++++++++-
 binutils/srconv.c  |   28 +++++++++++++++-------------
 3 files changed, 31 insertions(+), 14 deletions(-)
Comment 155 Nick Clifton 2015-01-07 16:43:45 UTC
Hi Alexander,

> Problems with `srconv`
> Errors:
>       2 Conditional jump or move depends on uninitialised value(s)
>      16 Invalid read of size ...
>       8 Invalid write of size ...
>      16 Process terminating with default action of signal 11 (SIGSEGV)
>       2 Use of uninitialised value of size ...

These should be fixed now.

Cheers
  Nick
Comment 156 Sourceware Commits 2015-01-07 17:34:45 UTC

The branch, master has been updated
       via  d7b24d2941fd7c99ba5843331989e6023075f0d0 (commit)
      from  c88f5b8e495889f5d281a17bd56340d9a0e4cff6 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d7b24d2941fd7c99ba5843331989e6023075f0d0

commit d7b24d2941fd7c99ba5843331989e6023075f0d0
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 7 17:33:17 2015 +0000

    Fix memory access violations uncovered by running the dlltool on fuzzed binaries.
    
    	PR binutils/17512
    	* dlltool.c (scan_obj_file): Break loop if the last archive
    	displayed matches the current archive.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |    3 +++
 binutils/dlltool.c |    3 +++
 2 files changed, 6 insertions(+), 0 deletions(-)
Comment 157 Nick Clifton 2015-01-07 17:35:37 UTC
Hi Alexander,

> Problems with `dlltool -e exp.out -l lib.out -z def.out`
> Errors:
>     260 Invalid read of size ...
>      41 Invalid write of size ...
>       1 More than 100 errors detected.  Subsequent errors
>       1 More than 1000 different errors detected.  I'm not reporting any
> more.
>       1 Process terminating with default action of signal 11 (SIGSEGV)

These should be fixed now.

Cheers
  Nick
Comment 158 Sourceware Commits 2015-01-08 12:39:21 UTC

The branch, master has been updated
       via  3565cf8fedf2bae2b383fae66dde62c3bdae51c9 (commit)
      from  025ac41482555f6273dee37988734a9f88633dbc (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3565cf8fedf2bae2b383fae66dde62c3bdae51c9

commit 3565cf8fedf2bae2b383fae66dde62c3bdae51c9
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 8 12:37:46 2015 +0000

    Fixes for memory access violations triggered by running nlmconv on
    fuzzed binaries.
    
    	PR binutils/17512
    	* nlmconv.c (i386_mangle_relocs): Skip relocs without an
    	associated symbol.
    	(powerpc_mangle_relocs): Skip unrecognised relocs.  Check address
    	range before applying a reloc.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |    8 ++++++++
 binutils/nlmconv.c |   30 ++++++++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)
Comment 159 Nick Clifton 2015-01-08 12:40:06 UTC
Hi Alexander,

> Problems with `nlmconv`
> Errors:
>       1 Argument 'size' of function malloc has a fishy (possibly negative)
> value: ...
>       8 Invalid read of size ...
>       6 Invalid write of size ...
>       4 Process terminating with default action of signal 11 (SIGSEGV)

These should be fixed now.

Cheers
  Nick
Comment 160 Nick Clifton 2015-01-08 13:53:53 UTC
Hi Alexander,

> Problems with `sysdump`
> Errors:
>      34 Conditional jump or move depends on uninitialised value(s)
>       2 Invalid read of size ...
>       2 Process terminating with default action of signal 11 (SIGSEGV)
>      16 Use of uninitialised value of size ...

These should be fixed now.

Cheers
  Nick
Comment 161 Sourceware Commits 2015-01-08 13:53:54 UTC

The branch, master has been updated
       via  848cde35d61874521ad6c88a50f983d5ee7d2307 (commit)
      from  2279a12a44ede7a0a6d7375d90d33676fa8771ad (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=848cde35d61874521ad6c88a50f983d5ee7d2307

commit 848cde35d61874521ad6c88a50f983d5ee7d2307
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 8 13:52:42 2015 +0000

    Fix memory access violations triggered by running sysdump on fuzzed binaries.
    
    	PR binutils/17512
    	* sysdump.c (getINT): Fail if reading off the end of the buffer.
    	Replace call to abort with a call to fatal.
    	(getCHARS): Prevent reading off the end of the buffer.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |    4 ++++
 binutils/sysdump.c |   14 ++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
Comment 162 Sourceware Commits 2015-01-08 15:41:31 UTC

The branch, master has been updated
       via  063bb0250defafcc55544474a2961ecbc153882e (commit)
      from  848cde35d61874521ad6c88a50f983d5ee7d2307 (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063bb0250defafcc55544474a2961ecbc153882e

commit 063bb0250defafcc55544474a2961ecbc153882e
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 8 15:39:49 2015 +0000

    Fix memory access violations exposed by running strip on fuzzed binaries.
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_symbol_table): Return false if we failed
    	to load the line table.
    	* elf.c (_bfd_elf_map_sections_to_segments): Enforce a minimum
    	maxpagesize of 1.
    	* peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Fail if
    	the Data Directory Size is too large.
    
    	* objcopy.c (copy_object): Free the symbol table if no symbols
    	could be loaded.
    	(copy_file): Use bfd_close_all_done to close files that could not
    	be copied.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog      |   10 ++++++++++
 bfd/coffcode.h     |    7 ++++---
 bfd/elf.c          |    5 +++++
 bfd/peXXigen.c     |   10 ++++++++++
 binutils/ChangeLog |    5 +++++
 binutils/objcopy.c |   14 +++++++++++++-
 6 files changed, 47 insertions(+), 4 deletions(-)
Comment 163 Nick Clifton 2015-01-08 15:41:58 UTC
Hi Alexander,

> Problems with `strip-new`
> Errors:
>      13 Conditional jump or move depends on uninitialised value(s)
>      57 Invalid read of size ...
>      56 Invalid write of size ...
>      13 Process terminating with default action of signal 11 (SIGSEGV)
>       1 Process terminating with default action of signal 8 (SIGFPE)
>       4 Syscall param write(buf) points to uninitialised byte(s)
>       1 Use of uninitialised value of size ...

These should be fixed now.

Cheers
  Nick
Comment 164 Alexander Cherepanov 2015-01-12 16:47:35 UTC
Created attachment 8062 [details]
Problems with `objdump -afphxgGtTrRwW --special-syms`

valgrind

Files: 8
Errors:
      8 Invalid read of size ...
      4 Invalid write of size ...
      1 Jump to the invalid address stated on the next line
      6 Process terminating with default action of signal 11 (SIGSEGV)
      1 Process terminating with default action of signal 4 (SIGILL)
      1 valgrind: Unrecognised instruction at address 0x565e5e2.

----------------------------------------------------------------------

catchsegv

Files: 1
Errors:
      1 *** Segmentation fault
Comment 165 Sourceware Commits 2015-01-15 16:24:09 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cd21f5daad4335b50366b838664ade64bec29957

commit cd21f5daad4335b50366b838664ade64bec29957
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 15 16:22:55 2015 +0000

    Fix memory access violations triggered by running objdump on fuzzed binaries.
    
    	PR binutils/17512
    	* elf-m10300.c (mn10300_info_to_howto): Replace assertion with an
    	error message.  Never return an invalid howto pointer.
    	* elf32-cr16.c (cr16_info_to_howto): Likewise.
    	* elf32-crx.c (elf_crx_info_to_howto): Likewise.
    	* elf32-i370.c (i370_elf_info_to_howto): Likewise.
    	* elf32-mcore.c (mcore_elf_info_to_howto): Likewise.
    	* elf32-microblaze.c (microblaze_elf_info_to_howto): Likewise.
    	* elf32-mips.c (mips_elf32_rtype_to_howto): Likewise.
    	* elf32-pj.c (pj_elf_info_to_howto): Likewise.
    	* elf32-ppc.c (ppc_elf_info_to_howto): Likewise.
    	* elf32-spu.c (spu_elf_info_to_howto): Likewise.
    	* elf32-v850.c (v850_elf_info_to_howto_rela): Likewise.
    	* elf32-vax.c (rtype_to_howto): Likewise.
    	* elf64-alpha.c (elf64_alpha_info_to_howto): Likewise.
    	* elf64-mips.c (mips_elf64_rtype_to_howto): Likewise.
    	* elfn32-mips.c (sh_elf_info_to_howto): Likewise.
    	* elf32-sh.c (sh_elf_info_to_howto): Likewise.
    	(sh_elf_reloc): Check that the reloc is in range.
    	* reloc.c (bfd_perform_relocation): Check that the section is big
    	enough for the entire reloc.
    	(bfd_generic_get_relocated_section_contents): Report unexpected
    	return values from perform_reloc.
Comment 166 Nick Clifton 2015-01-15 16:25:05 UTC
Hi Alexander,

> Problems with `objdump -afphxgGtTrRwW --special-syms`
> Errors:
>       8 Invalid read of size ...
>       4 Invalid write of size ...
>       1 Jump to the invalid address stated on the next line
>       6 Process terminating with default action of signal 11 (SIGSEGV)
>       1 Process terminating with default action of signal 4 (SIGILL)
>       1 valgrind: Unrecognised instruction at address 0x565e5e2.

Fixed.

Cheers
  Nick
Comment 167 Alexander Cherepanov 2015-01-16 22:25:40 UTC
Created attachment 8067 [details]
Problems with `coffdump`

valgrind

Files: 3
Errors:
      2 Invalid read of size ...
      2 Process terminating with default action of signal 11 (SIGSEGV)
Comment 168 Alexander Cherepanov 2015-01-18 22:38:02 UTC
Created attachment 8069 [details]
Problems with `strip-new`

Files: 3
Errors:
     10 Conditional jump or move depends on uninitialised value(s)
      1 Invalid read of size ...
      2 Process terminating with default action of signal 11 (SIGSEGV)
      1 Syscall param write(buf) points to uninitialised byte(s)
Comment 169 Alexander Cherepanov 2015-01-19 20:13:57 UTC
Created attachment 8070 [details]
Problems with `nlmconv`

Files: 4
Errors:
      1 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
      3 Invalid read of size ...
      3 Process terminating with default action of signal 11 (SIGSEGV)
Comment 170 Alexander Cherepanov 2015-01-20 23:07:06 UTC
Created attachment 8071 [details]
Problems with `dlltool -e /dev/null -l /dev/null -z /dev/null`

Files: 2
Errors:
     21 Invalid read of size ...
Comment 171 Sourceware Commits 2015-01-21 10:34:46 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5b7d62376fc942a803d174789fe4464b26f09a02

commit 5b7d62376fc942a803d174789fe4464b26f09a02
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 21 10:33:19 2015 +0000

    This patch fixes some illegal memory accesses triggered by running coffdump on fuzzed binaries.
    
    	PR binutils/17512
    	* coffgrok.c (do_type): Check that computed ref exists.
    	(doit): Add range checks when computing section for scope.
Comment 172 Nick Clifton 2015-01-21 10:36:08 UTC
Hi Alexander,

> Problems with `coffdump`
> Errors:
>       2 Invalid read of size ...
>       2 Process terminating with default action of signal 11 (SIGSEGV)

These should be fixed now.

Cheers
  Nick
Comment 173 Sourceware Commits 2015-01-21 17:38:41 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=86eafac0aad7edbc1ccea6daf53480a36339250a

commit 86eafac0aad7edbc1ccea6daf53480a36339250a
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jan 21 17:37:23 2015 +0000

    Fix memory access violations triggered by running strip on fuzzed binaries.
    
    	PR binutils/17512
    	* coffcode.h (coff_set_arch_mach_hook): Check return value from
    	bfd_malloc.
    	(coff_slurp_line_table): Return FALSE if the line number
    	information was corrupt.
    	(coff_slurp_symbol_table): Return FALSE if the symbol information
    	was corrupt.
    	* mach-o.c (bfd_mach_o_bfd_copy_private_header_data): Always
    	initialise the fields of the dyld_info structure.
    	(bfd_mach_o_build_exec_seg_command): Replace assertion with an
    	error message and a return value.
    	(bfd_mach_o_layout_commands): Change the function to boolean.
    	Return FALSE if the function fails.
    	(bfd_mach_o_build_commands): Fail if bfd_mach_o_layout_commands
    	fails.
    	(bfd_mach_o_read_command): Fail if an unrecognised command is
    	encountered.
    	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Set bfd_error if the
    	read fails.
    	(slurp_symtab): Check the return from bfd_malloc.
    	(_bfd_XX_bfd_copy_private_bfd_data_common): Fail if the copy
    	encountered an error.
    	(_bfd_XXi_final_link_postscript): Fail if a section could not be
    	copied.
    	* peicode.h (pe_bfd_object_p): Fail if the header could not be
    	swapped in.
    	* tekhex.c (first_phase): Fail if the section is too big.
    	* versados.c (struct esdid): Add content_size field.
    	(process_otr): Use and check the new field.
    	(versados_get_section_contents): Check that the section exists and
    	that the requested data is available.
    
    	PR binutils/17512
    	* addr2line.c (main): Call bfd_set_error_program_name.
    	* ar.c (main): Likewise.
    	* coffdump.c (main): Likewise.
    	* cxxfilt.c (main): Likewise.
    	* dlltool.c (main): Likewise.
    	* nlmconv.c (main): Likewise.
    	* nm.c (main): Likewise.
    	* objdump.c (main): Likewise.
    	* size.c (main): Likewise.
    	* srconv.c (main): Likewise.
    	* strings.c (main): Likewise.
    	* sysdump.c (main): Likewise.
    	* windmc.c (main): Likewise.
    	* windres.c (main): Likewise.
    	* objcopy.c (main): Likewise.
    	(copy_relocations_in_section): Check for relocs without associated
    	symbol pointers.
Comment 174 Nick Clifton 2015-01-21 17:41:53 UTC
Hi Alexander,

> Problems with `strip-new`
> Errors:
>      10 Conditional jump or move depends on uninitialised value(s)
>       1 Invalid read of size ...
>       2 Process terminating with default action of signal 11 (SIGSEGV)
>       1 Syscall param write(buf) points to uninitialised byte(s)

These should be fixed now.

Cheers
  Nick
Comment 175 Nick Clifton 2015-01-21 22:29:48 UTC
Hi Alexander,

> Problems with `nlmconv`
> Errors:
>       1 Argument 'size' of function malloc has a fishy (possibly negative)
> value: ...
>       3 Invalid read of size ...
>       3 Process terminating with default action of signal 11 (SIGSEGV)

These should be fixed now.

Cheers
  Nick
Comment 176 Sourceware Commits 2015-01-22 12:07:34 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4e5cb37e7f3403d5398a323566ff9c995f0c9a81

commit 4e5cb37e7f3403d5398a323566ff9c995f0c9a81
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 22 12:06:04 2015 +0000

    Fixes memory access violations triggered by running dlltool on fuzzed binaries.
    
    	PR binutils/17512
    	* coffcode.h (handle_COMDAT): When searching for the section
    	symbol, make sure that there is space left in the symbol table.
    	* vms-alpha.c (_bfd_vms_slurp_ehdr): Add range checks.
Comment 177 Nick Clifton 2015-01-22 12:08:44 UTC
Hi Alexander,

> Problems with `dlltool -e /dev/null -l /dev/null -z /dev/null`
> Errors:
>      21 Invalid read of size ...

These should be fixed now.

Cheers
  Nick
Comment 178 Alexander Cherepanov 2015-01-24 18:08:59 UTC
Created attachment 8081 [details]
Problems with `dlltool -I`

valgrind

Files: 2
Errors:
     19 Invalid read of size ...
      1 Invalid write of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------

gdb

Files: 1
Errors:
      1 No assertion info in gdb backtrace.
Comment 179 Alexander Cherepanov 2015-01-25 21:05:37 UTC
Created attachment 8084 [details]
Problems with `addr2line -ie @@ 0`

Files: 7
Errors:
      1 Conditional jump or move depends on uninitialised value(s)
      6 Invalid read of size ...
      6 Process terminating with default action of signal 11 (SIGSEGV)
Comment 180 Alexander Cherepanov 2015-01-25 21:22:22 UTC
Created attachment 8085 [details]
Problems with `windres`

Files: 27
Errors:
      8 Conditional jump or move depends on uninitialised value(s)
     29 Invalid read of size ...
     13 Process terminating with default action of signal 11 (SIGSEGV)
      1 Process terminating with default action of signal 8 (SIGFPE)
      1 Stack overflow in thread ...
      1 Syscall param read(buf) points to unaddressable byte(s)
      2 Use of uninitialised value of size ...
Comment 181 Sourceware Commits 2015-01-27 11:32:49 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=37e3922eed415bbedd2dd6e46308fe9e03417770

commit 37e3922eed415bbedd2dd6e46308fe9e03417770
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 27 11:30:15 2015 +0000

    Fix memory access violations triggered by running dlltool on corrupt binaries.
    
    	PR binutils/17512
    	* dlltool.c (identify_search_archive): If the last archive was the
    	same as the current archive, terminate the loop.
    
    	* pdp11.c (aout_get_external_symbols): Return false if there are
    	no symbols.
Comment 182 Nick Clifton 2015-01-27 11:37:41 UTC
Hi Alexander,

> Problems with `dlltool -I`
> Errors:
>      19 Invalid read of size ...
>       1 Invalid write of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)

These should be fixed now.

Cheers
  Nick
Comment 183 Sourceware Commits 2015-01-27 15:53:25 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=877a8638ba563c667eb5358240334c473d0573a1

commit 877a8638ba563c667eb5358240334c473d0573a1
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 27 15:49:12 2015 +0000

    Fixes for memory access violations triggered by running addr2line on fuzzed binaries.
    
    	PR binutils/17512
    	* addr2line.c (slurp_symtab): If the symcount is zero, free the
    	symbol table pointer.
    
    	* dwarf2.c (concat_filename): Check for an empty directory table.
    	(scan_unit_for_symbols): Check for reading off the end of the
    	unit.
    	(parse_comp_unit): Check for a DW_AT_comp_dir attribute with a
    	non-string form.
    	* elf64-ppc.c (opd_entry_value): Fail if there are no relocs
    	available.
Comment 184 Nick Clifton 2015-01-27 15:56:09 UTC
Hi Alexander,

> Problems with `addr2line -ie @@ 0`
> Errors:
>       1 Conditional jump or move depends on uninitialised value(s)
>       6 Invalid read of size ...
>       6 Process terminating with default action of signal 11 (SIGSEGV)

Fixed.

Cheers
  Nick
Comment 185 Sourceware Commits 2015-01-27 17:35:03 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0897ec15810bca3420ea7b8a91e491ed45780202

commit 0897ec15810bca3420ea7b8a91e491ed45780202
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Jan 27 17:32:23 2015 +0000

    Fixes for invalid memory accesses triggered by running windres on corrupt binaries.
    
    	PR binutils/17512
    	* rcparse.y: Add checks to avoid integer divide by zero.
    	* rescoff.c (read_coff_rsrc): Add check on the size of the
    	resource section.
    	(read_coff_res_dir): Add check on the nesting level.
    	Check for resource names overrunning the buffer.
    	* resrc.c (write_rc_messagetable): Update formatting.
    	Add check of 'elen' being zero.
Comment 186 Nick Clifton 2015-01-27 17:43:38 UTC
Hi Alexander,

> Problems with `windres`
> Errors:
>       8 Conditional jump or move depends on uninitialised value(s)
>      29 Invalid read of size ...
>      13 Process terminating with default action of signal 11 (SIGSEGV)
>       1 Process terminating with default action of signal 8 (SIGFPE)
>       1 Stack overflow in thread ...
>       1 Syscall param read(buf) points to unaddressable byte(s)
>       2 Use of uninitialised value of size ...

These should be fixed now.

Cheers
  Nick
Comment 187 Alexander Cherepanov 2015-02-02 17:13:01 UTC
Created attachment 8094 [details]
Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit)

More problems found with 32-bit binutils: built with -m32 on 64-bit host.

----------------------------------------------------------------------

valgrind

Files: 118
Errors:
      2 Argument 'size' of function malloc has a fishy (possibly negative) value: ...
      1 Conditional jump or move depends on uninitialised value(s)
      2 Invalid free() / delete / delete[] / realloc()
    221 Invalid read of size ...
    344 Invalid write of size ...
     59 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------

gdb

Files: 46
Errors:
     46 No assertion info in gdb backtrace.
Comment 188 Sourceware Commits 2015-02-03 14:36:20 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=64d2901806c171c0d949f8fb1b29b4e5ba8cf04d

commit 64d2901806c171c0d949f8fb1b29b4e5ba8cf04d
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 3 14:34:54 2015 +0000

    More fixes for illegal memory accesses triggered by running objdump on fuzzed binaries.
    
    	PR binutils/17512
    	* objdump.c (display_any_bfd): Fail if archives nest too deeply.
    
    	* ecoff.c: Use bfd_alloc2 to allocate space for structure arrays.
    	(_bfd_ecoff_slurp_symbol_table): Check for a negative symbol
    	index or an out of range fdr index.
    	* elf-m10300.c (mn10300_info_to_howto): Fix typo in error message.
    	* elf32-arc.c (arc_info_to_howto_rel): Likewise.
    	* elf32-avr.c (avr_info_to_howto_rela): Likewise.
    	* elf32-cr16.c (elf_cr16_info_to_howto): Likewise.
    	* elf32-cr16c.c (elf_cr16c_info_to_howto_rel): Likewise.
    	* elf32-cris.c (cris_info_to_howto_rela): Likewise.
    	* elf32-crx.c (elf_crx_info_to_howto): Likewise.
    	* elf32-d10v.c (d10v_info_to_howto_rel): Likewise.
    	* elf32-d30v.c (d30v_info_to_howto_rel): Likewise.
    	* elf32-epiphany.c (epiphany_info_to_howto_rela): Likewise.
    	* elf32-fr30.c (fr30_info_to_howto_rela): Likewise.
    	* elf32-frv.c (frv_info_to_howto_rela): Likewise.
    	* elf32-i370.c (i370_elf_info_to_howto): Likewise.
    	* elf32-i960.c (elf32_i960_info_to_howto_rel): Likewise.
    	* elf32-ip2k.c (ip2k_info_to_howto_rela): Likewise.
    	* elf32-iq2000.c (iq2000_info_to_howto_rela): Likewise.
    	* elf32-lm32.c (lm32_info_to_howto_rela): Likewise.
    	* elf32-m32c.c (m32c_info_to_howto_rela): Likewise.
    	* elf32-m32r.c (m32r_info_to_howto_rel): Likewise.
    	* elf32-m68hc11.c (m68hc11_info_to_howto_rel): Likewise.
    	* elf32-m68hc12.c (m68hc11_info_to_howto_rel): Likewise.
    	* elf32-mcore.c (mcore_elf_info_to_howto): Likewise.
    	* elf32-mep.c (mep_info_to_howto_rela): Likewise.
    	* elf32-metag.c (metag_info_to_howto_rela): Likewise.
    	* elf32-microblaze.c (microblaze_elf_info_to_howto): Likewise.
    	* elf32-moxie.c (moxie_info_to_howto_rela): Likewise.
    	* elf32-msp430.c (msp430_info_to_howto_rela): Likewise.
    	* elf32-mt.c (mt_info_to_howto_rela): Likewise.
    	* elf32-nds32.c (nds32_info_to_howto_rel): Likewise.
    	* elf32-or1k.c (or1k_info_to_howto_rela): Likewise.
    	* elf32-pj.c (pj_elf_info_to_howto): Likewise.
    	* elf32-ppc.c (ppc_elf_info_to_howto): Likewise.
    	* elf32-rl78.c (rl78_info_to_howto_rela): Likewise.
    	* elf32-rx.c (rx_info_to_howto_rela): Likewise.
    	* elf32-sh.c (sh_elf_info_to_howto): Likewise.
    	* elf32-spu.c (spu_elf_info_to_howto): Likewise.
    	* elf32-v850.c (v850_elf_perform_relocation): Likewise.
    	* elf32-vax.c (rtype_to_howto): Likewise.
    	* elf32-visium.c (visium_info_to_howto_rela): Likewise.
    	* elf32-xgate.c (xgate_info_to_howto_rel): Likewise.
    	* elf32-xtensa.c (elf_xtensa_info_to_howto_rela): Likewise.
    	* elf64-alpha.c (elf64_alpha_info_to_howto): Likewise.
    	* elf64-mmix.c (mmix_info_to_howto_rela): Likewise.
    	* mach-o.c: Use bfd_alloc2 to allocate space for structure arrays.
    	(bfd_mach_o_canonicalize_one_reloc): Fix check on out
    	of range symbol indices.
    	(bfd_mach_o_canonicalize_relocs): Check for out of range alloc.
    	(bfd_mach_o_canonicalize_dynamic_reloc): Likewise.
    	(bfd_mach_o_build_dysymtab): Likewise.
    	(bfd_mach_o_write_symtab_content): Set the string table size to
    	zero upon error.
    	(bfd_mach_o_read_symtab_symbols): Reset the nsyms value if the
    	read fails.
    	* peXXigen.c (pe_print_edata):  Check for numeric overflow in edt
    	fields.
    	* tekhex.c (first_phase): Check for src pointer reaching end of
    	buffer.
Comment 189 Nick Clifton 2015-02-03 14:37:13 UTC
Hi Alexander,

> Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit)
> More problems found with 32-bit binutils: built with -m32 on 64-bit host.

> Errors:
>       2 Argument 'size' of function malloc has a fishy (possibly negative)
> value: ...
>       1 Conditional jump or move depends on uninitialised value(s)
>       2 Invalid free() / delete / delete[] / realloc()
>     221 Invalid read of size ...
>     344 Invalid write of size ...
>      59 Process terminating with default action of signal 11 (SIGSEGV)

These should all be fixed now.

Cheers
  Nick
Comment 190 Alexander Cherepanov 2015-02-03 18:50:07 UTC
Created attachment 8098 [details]
Problems with `nm-new -DClpSs --special-syms --synthetic` (32-bit)

valgrind

Files: 73
Errors:
      2 Invalid free() / delete / delete[] / realloc()
    101 Invalid read of size ...
    220 Invalid write of size ...
     38 Process terminating with default action of signal 11 (SIGSEGV)

----------------------------------------------------------------------

gdb

Files: 33
Errors:
     33 No assertion info in gdb backtrace.
Comment 191 Nick Clifton 2015-02-04 11:30:24 UTC
Hi Alexander,

> Problems with `nm-new -DClpSs --special-syms --synthetic` (32-bit)
> Errors:
>       2 Invalid free() / delete / delete[] / realloc()
>     101 Invalid read of size ...
>     220 Invalid write of size ...
>      38 Process terminating with default action of signal 11 (SIGSEGV)

I could not reproduce these failures. :-{  Maybe they have already been fixed ?  Please could you try again, and if the problems are still there, please could you tell me more about how you configured and built the toolchain that you are using.

Cheers
  Nick
Comment 192 Alexander Cherepanov 2015-02-04 18:06:16 UTC
(In reply to Nick Clifton from comment #191)
> > Problems with `nm-new -DClpSs --special-syms --synthetic` (32-bit)

> I could not reproduce these failures. :-{  Maybe they have already been
> fixed ?

Yes, everything is fixed!
Comment 193 Alexander Cherepanov 2015-02-05 20:24:41 UTC
Created attachment 8104 [details]
Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit)

Several more crashes without valgrind only.

----------------------------------------------------------------------

catchsegv

Files: 7
Errors:
      7 *** Segmentation fault
Comment 194 Sourceware Commits 2015-02-06 11:14:12 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5929c344f957f93253efa4c3495a996789d48ae7

commit 5929c344f957f93253efa4c3495a996789d48ae7
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Feb 6 11:12:02 2015 +0000

    Fixes illegal memory accesses triggered by running a 32-bit binary version of objdump compiled on a 64-bit host.
    
    	PR binutils/17512
    	* dwarf.c (display_debug_frames): Fix range checks to work on
    	32-bit binaries compiled on a 64-bit host.
    
    	* peXXigen.c (rsrc_print_resource_entries): Add range check for
    	addresses that wrap around the address space.
    	(rsrc_parse_entry): Likewise.
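The three checks this commit and the earlier windres commit (read_coff_res_dir) add, as one added example rather than any binutils code: a recursive walker over a constructed toy directory format, with a nesting-depth limit, an entry-table bounds check written so it cannot wrap on a 32-bit build, and a target-offset range check. The format, the function names (walk_dir, read_u32le) and the three sample buffers are all assumptions made for the example; they are a simplified stand-in for a PE .rsrc tree, not its real layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy format (constructed for this example), little-endian, all offsets
   relative to the start of BUF:
     directory := u8 count, then COUNT entries
     entry     := u32 target, u8 kind   (kind 0 = leaf, kind 1 = subdirectory)  */
#define ENTRY_SIZE 5
#define MAX_DEPTH 32

static uint32_t
read_u32le (const unsigned char *p)
{
  /* Cast before shifting: (int) p[3] << 24 overflows int for bytes >= 0x80.  */
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Walk the directory at OFF.  Returns the number of leaf entries found, or -1
   if the data is corrupt: an offset outside BUF, an entry table running past
   the end, or nesting deeper than MAX_DEPTH.  The depth limit also stops a
   directory that points back at itself, the runaway recursion a nesting-level
   check like the one added to read_coff_res_dir is there to prevent.  */
static int
walk_dir (const unsigned char *buf, size_t len, size_t off, unsigned int depth)
{
  if (depth > MAX_DEPTH)
    return -1;
  if (off >= len)
    return -1;                          /* count byte itself is out of range */

  unsigned int count = buf[off];
  size_t table = off + 1;
  size_t needed = (size_t) count * ENTRY_SIZE;

  /* Compare against the remaining space instead of computing table + needed:
     on a 32-bit build that sum can wrap to a small number and pass a naive
     "< len" test, which is the wrap-around case this commit guards against.  */
  if (table > len || needed > len - table)
    return -1;

  int leaves = 0;
  for (unsigned int i = 0; i < count; i++)
    {
      const unsigned char *e = buf + table + (size_t) i * ENTRY_SIZE;
      uint32_t target = read_u32le (e);

      if (e[4] == 1)
        {
          int sub = walk_dir (buf, len, target, depth + 1);
          if (sub < 0)
            return -1;
          leaves += sub;
        }
      else
        {
          if (target >= len)
            return -1;                  /* leaf data would start past the end */
          leaves++;
        }
    }
  return leaves;
}

/* Constructed samples: a well-formed tree, a self-referential directory and a
   directory whose entry count overruns the buffer.  */
static const unsigned char sample_good[] = {
  2,                                   /* root: two entries                  */
  11, 0, 0, 0, 0,                      /*   leaf at offset 11                */
  11, 0, 0, 0, 1,                      /*   subdirectory at offset 11        */
  1,                                   /* subdirectory: one entry            */
  16, 0, 0, 0, 0                       /*   leaf at offset 16                */
};
static const unsigned char sample_cyclic[] = {
  1,                                   /* root: one entry                    */
  0, 0, 0, 0, 1                        /*   subdirectory at offset 0: itself */
};
static const unsigned char sample_truncated[] = {
  3,                                   /* claims three entries...            */
  5, 0, 0, 0, 0                        /* ...but only one fits in the buffer */
};

int
main (void)
{
  printf ("good      -> %d leaves\n", walk_dir (sample_good, sizeof sample_good, 0, 0));
  printf ("cyclic    -> %d\n", walk_dir (sample_cyclic, sizeof sample_cyclic, 0, 0));
  printf ("truncated -> %d\n", walk_dir (sample_truncated, sizeof sample_truncated, 0, 0));
  return 0;
}
```

The walker reports the good tree as 2 leaves and rejects the other two samples; note that the cyclic sample is rejected by the depth limit alone, without any visited-set bookkeeping, which is the cheap defence a parser of untrusted input can always afford.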
Comment 195 Nick Clifton 2015-02-06 11:14:59 UTC
Hi Alexander,

> Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit)
> Several more crashes without valgrind only.

These should be fixed now.

Cheers
  Nick
Comment 196 Alexander Cherepanov 2015-02-08 16:56:56 UTC
Created attachment 8109 [details]
Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit) -- ubsan

Similar to https://sourceware.org/bugzilla/show_bug.cgi?id=17531#c82 but for objdump.

----------------------------------------------------------------------

ubsan

Files: 6
Errors:
      1 ../../../source/bfd/coffcode.h:1195:32: runtime error: negation of ... cannot be represented in type 'long int'; cast to an unsigned type to negate this value to itself
      1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
      1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable length array bound evaluates to non-positive value ...
      1 peigen.c:2227:22: runtime error: signed integer overflow: ... + ... cannot be represented in type 'long int'
Comment 197 Sourceware Commits 2015-02-10 14:12:23 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77ef86547510cee3a2bff27bea9f19f0b2715bae

commit 77ef86547510cee3a2bff27bea9f19f0b2715bae
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 10 14:11:00 2015 +0000

    Fix memory access violations triggered by running objdump compiled with out-of-bounds sanitization checking.
    
    	PR binutils/17512
    	* dwarf.c (eh_addr_size): Use an unsigned type.
    	(size_of_encoded_value): Return an unsigned type.
    	(read_leb128): Break if the shift becomes too big.
    	(process_extended_line_op): Do not read the address if the length
    	is too long.
    	(read_cie): Warn and fail if the pointer size or segment size are
    	too big.
    	* dwarf.h (DWARF2_External_LineInfo): Delete unused and incorrect
    	structure definition.
    	(DWARF2_External_PubNames): Likewise.
    	(DWARF2_External_CompUnit): Likewise.
    	(DWARF2_External_ARange): Likewise.
    	(DWARF2_Internal_LineInfo): Use dwarf_vma type for
    	li_prologue_length.
    	(eh_addr_size): Update prototype.
    
    	* coffcode.h (styp_to_sec_flags): Use an unsigned long type to
    	hold the flag bits.
    	* peXXigen.c (pe_print_reloc): Use unsigned types to hold the
    	size and number of relocs.
    	(pe_print_debugdata): Use a 32-bit aligned buffer to store the
    	codeview record.
    	* versados.c (process_otr): Check the esdid value before using it
    	to access the EDATA.
Comment 198 Nick Clifton 2015-02-10 14:13:28 UTC
Hi Alexander,

> Problems with `objdump -afphxgGtTrRwW --special-syms` (32-bit) -- ubsan
> Errors:
>       1 ../../../source/bfd/coffcode.h:1195:32: runtime error: negation of
> ... cannot be represented in type 'long int'; cast to an unsigned type to
> negate this value to itself
>       1 ../../../source/binutils/dwarf.c:2771:3: runtime error: variable
> length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:279:45: runtime error: shift
> exponent ... is too large for 64-bit type 'long long unsigned int'
>       1 ../../../source/binutils/dwarf.c:451:7: runtime error: variable
> length array bound evaluates to non-positive value ...
>       1 ../../../source/binutils/dwarf.c:5884:6: runtime error: variable
> length array bound evaluates to non-positive value ...
>       1 peigen.c:2227:22: runtime error: signed integer overflow: ... + ...
> cannot be represented in type 'long int'

These should all be fixed now.

Cheers
  Nick
Comment 199 Alexander Cherepanov 2015-02-11 23:49:28 UTC
Created attachment 8123 [details]
Problems with `addr2line -ie @@ -- ...` (32-bit)

The exact (long) command line is in cmd.txt.

----------------------------------------------------------------------

valgrind

Files: 5
Errors:
     28 Invalid read of size ...
      3 Process terminating with default action of signal 11 (SIGSEGV)
      1 Process terminating with default action of signal 8 (SIGFPE)

----------------------------------------------------------------------

catchsegv

Files: 5
Errors:
      5 *** Segmentation fault
Comment 200 Sourceware Commits 2015-02-12 16:46:14 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dbb3fbbb1a3b387a0d33dfd5764cf92bc3da7f41

commit dbb3fbbb1a3b387a0d33dfd5764cf92bc3da7f41
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Feb 12 16:45:11 2015 +0000

    Fix memory access violations triggered by running addr2line on fuzzed binaries.
    
    	PR binutils/17512
    	* dwarf.c (read_1_byte, read_1_signed_byte, read_2_bytes)
    	(read_4_bytes, read_8_bytes, read_n_bytes, read_string)
    	(read_indirect_string, read_alt_indirect_string)
    	(read_alt_indirect_ref, read_address, read_abbrevs)
    	(read_attribute_value, read_attribute, decode_line_info)
    	(find_abstract_instance_name, read_rangelist)
    	(scan_unit_for_symbols, parse_comp_unit)
    	(_bfd_dwarf2_find_nearest_line): Harden DWARF reading code.  Pass
    	end pointers to reading functions and check for offsets taking
    	pointers out of range.  Replace calls to read_*_leb128 with calls
    	to safe_read_leb128.
    
    	* elf64-ppc.c (opd_entry_value): Add a check for an overlarge
    	offset.
    	* syms.c (_bfd_stab_section_find_nearest_line): Add checks for
    	computed file_name address being before the start of the string
    	table.
Comment 201 Nick Clifton 2015-02-12 16:47:10 UTC
Hi Alexander,

> Problems with `addr2line -ie @@ -- ...` (32-bit)
> Files: 5
> Errors:
>      28 Invalid read of size ...
>       3 Process terminating with default action of signal 11 (SIGSEGV)
>       1 Process terminating with default action of signal 8 (SIGFPE)

Fun - a whole new area of the BFD library that needed hardening...

These problems should be fixed now.

Cheers
  Nick
Comment 202 Alexander Cherepanov 2015-02-12 21:14:03 UTC
Created attachment 8125 [details]
Problems with `srconv @@ /dev/null` (32-bit)

valgrind

Files: 1
Errors:
      1 Invalid read of size ...
      1 Invalid write of size ...

----------------------------------------------------------------------

ubsan

Files: 3
Errors:
      1 ../../../source/binutils/coffgrok.c:431:27: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
      1 ../../../source/binutils/coffgrok.c:518:22: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/coffgrok.c:672:36: runtime error: signed integer overflow: ... + ... cannot be represented in type 'int'
Comment 203 Sourceware Commits 2015-02-13 01:18:24 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=451dfd384383160be5bc60f50a7920975e66f593

commit 451dfd384383160be5bc60f50a7920975e66f593
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Feb 13 10:16:16 2015 +1030

    PowerPC64 offset check should test entire 64-bit value is in section
    
    	PR binutils/17512
    	* elf64-ppc.c (opd_entry_value): Tighten offset check.  Remove
    	now redundant assert.
Comment 204 Sourceware Commits 2015-02-13 12:15:12 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=951eaaec17411eba4debe19781f6b8b54306256e

commit 951eaaec17411eba4debe19781f6b8b54306256e
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Feb 13 12:14:05 2015 +0000

    Fix illegal memory access errors triggered by running srconv on fuzzed binaries.
    
    	PR binutils/17512
    	* dwarf.c (read_leb128): Fix test for shift becoming too large.
    
    	* coffgrok.c (do_define): Add check for type size overflow.
    	* srconv.c (walk_tree_sfile): Check that enough sections are
    	available before parsing.
    	(prescan): Likewise.
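The two dwarf.c changes above (passing end pointers into the reading functions and bounding the LEB128 shift, from the commits in comments 197, 200 and this one), as an added example that is not binutils' read_leb128 or safe_read_leb128: a bounds-checked unsigned LEB128 reader over a constructed buffer. The function names and the sample byte strings are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one unsigned LEB128 value from [*pp, end).  On success, advance *pp
   past the value, store it in *result and return 1.  On truncated data or a
   value that needs more than 64 bits, leave *pp untouched and return 0.
   Constructed for this example; not binutils code.  */
static int
safe_read_uleb128 (const unsigned char **pp, const unsigned char *end,
                   uint64_t *result)
{
  const unsigned char *p = *pp;
  uint64_t value = 0;
  unsigned int shift = 0;

  if (p == NULL || end == NULL || p > end)
    return 0;

  while (p < end)
    {
      unsigned char byte = *p++;

      /* A 64-bit value spans at most ten 7-bit groups.  Shifting by 64 or
         more is undefined behaviour in C (the "shift exponent ... is too
         large" ubsan report above), so refuse before it happens.  */
      if (shift >= 64)
        return 0;
      value |= (uint64_t) (byte & 0x7f) << shift;
      shift += 7;

      if ((byte & 0x80) == 0)
        {
          *pp = p;
          *result = value;
          return 1;
        }
    }

  /* Hit END before the terminating byte: the input is truncated.  */
  return 0;
}

/* Decode every value in [buf, buf + len) and return how many were read before
   the first error (or the end).  A corrupt tail stops the walk instead of
   letting the reader run past the buffer.  */
static size_t
count_uleb128_values (const unsigned char *buf, size_t len)
{
  const unsigned char *p = buf;
  const unsigned char *end = buf + len;
  size_t count = 0;
  uint64_t v;

  while (p < end && safe_read_uleb128 (&p, end, &v))
    count++;
  return count;
}

/* Decode a single value from a buffer; returns UINT64_MAX when the reader
   rejects the input.  Convenience wrapper for the demo below.  */
static uint64_t
decode_one (const unsigned char *buf, size_t len)
{
  const unsigned char *p = buf;
  uint64_t v = 0;
  return safe_read_uleb128 (&p, buf + len, &v) ? v : UINT64_MAX;
}

int
main (void)
{
  /* Constructed inputs: a well-formed value, a truncated one, one whose
     continuation bit stays set for more than ten bytes, and a stream that
     ends in a truncated value.  */
  static const unsigned char ok[] = { 0xe5, 0x8e, 0x26 };           /* 624485 */
  static const unsigned char truncated[] = { 0x80, 0x80 };
  static const unsigned char too_wide[] = { 0x80, 0x80, 0x80, 0x80, 0x80,
                                            0x80, 0x80, 0x80, 0x80, 0x80, 0x01 };
  static const unsigned char stream[] = { 0x7f, 0xe5, 0x8e, 0x26, 0x02, 0x80 };

  printf ("ok        -> %llu\n", (unsigned long long) decode_one (ok, sizeof ok));
  printf ("truncated -> %s\n",
          decode_one (truncated, sizeof truncated) == UINT64_MAX ? "rejected" : "accepted");
  printf ("too wide  -> %s\n",
          decode_one (too_wide, sizeof too_wide) == UINT64_MAX ? "rejected" : "accepted");
  printf ("stream    -> %zu values before the truncated tail\n",
          count_uleb128_values (stream, sizeof stream));
  return 0;
}
```

The reader takes the end pointer as a parameter rather than trusting a length stored in the data it is parsing, which is the shape of the dwarf.c change: every read is bounded by where the section really ends, so a fuzzed length field can only shorten what is read, never extend it.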
Comment 205 Nick Clifton 2015-02-13 12:17:46 UTC
Hi Alexander,

> Problems with `srconv @@ /dev/null` (32-bit)
> Files: 1
> Errors:
>       1 Invalid read of size ...
>       1 Invalid write of size ...

Fixed.

Cheers
  Nick
Comment 206 Alexander Cherepanov 2015-02-13 23:31:14 UTC
(In reply to Nick Clifton from comment #205)
> > Problems with `srconv @@ /dev/null` (32-bit)
> > Files: 1
> > Errors:
> >       1 Invalid read of size ...
> >       1 Invalid write of size ...
> 
> Fixed.

Not sure if it is supposed to be fixed but undefined behavior (other 3 samples) is not yet fixed.
Comment 207 Alexander Cherepanov 2015-02-15 22:30:31 UTC
Created attachment 8130 [details]
Problems with `windres` (32-bit)

valgrind

Files: 1
Errors:
      8 Conditional jump or move depends on uninitialised value(s)
      1 Invalid read of size ...
      1 Process terminating with default action of signal 11 (SIGSEGV)
      2 Use of uninitialised value of size ...
Comment 208 Alexander Cherepanov 2015-02-16 19:38:16 UTC
Created attachment 8135 [details]
Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms` (32-bit)

ubsan

Files: 6
Errors:
      1 ../../../source/binutils/dwarf.c:4722:31: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:5924:6: runtime error: variable length array bound evaluates to non-positive value ...
      1 ../../../source/binutils/dwarf.c:6474:3: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6480:29: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6503:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:6512:40: runtime error: signed integer overflow: ... * ... cannot be represented in type 'int'
      1 ../../../source/binutils/dwarf.c:7029:37: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
      1 ../../../source/binutils/readelf.c:15081:46: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
      1 ../../../source/binutils/readelf.c:15113:38: runtime error: signed integer overflow: ... - ... cannot be represented in type 'int'
Comment 209 Alexander Cherepanov 2015-02-17 20:53:19 UTC
Created attachment 8136 [details]
Problems with `strip-new -o /dev/null` (32-bit)

valgrind

Files: 14
Errors:
      5 Invalid read of size ...
      9 Syscall param write(buf) points to uninitialised byte(s)

----------------------------------------------------------------------

ubsan

Files: 12
Errors:
      1 ../../../source/bfd/coffcode.h:3435:57: runtime error: negation of ... cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
      1 ../../../source/bfd/elf.c:2761:40: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
      1 ../../../source/bfd/elf.c:4694:34: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
      1 ../../../source/bfd/elf.c:4831:30: runtime error: shift exponent ... is too large for 64-bit type 'long long unsigned int'
      1 ../../../source/bfd/elf.c:5042:10: runtime error: signed integer overflow: ... + ... cannot be represented in type 'long long int'
      1 ../../../source/bfd/elf.c:5045:10: runtime error: signed integer overflow: ... + ... cannot be represented in type 'long long int'
      1 ../../../source/bfd/elf.c:5224:38: runtime error: signed integer overflow: ... - ... cannot be represented in type 'long long int'
      1 ../../../source/bfd/mach-o.c:2695:18: runtime error: shift exponent ... is negative
      1 ../../../source/bfd/mach-o.c:2695:18: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
      1 ../../../source/bfd/mach-o.c:2701:24: runtime error: shift exponent ... is negative
      1 ../../../source/bfd/mach-o.c:2701:24: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
      1 ../../../source/bfd/mach-o.c:2702:32: runtime error: shift exponent ... is negative
      1 ../../../source/bfd/mach-o.c:2702:32: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
      1 ../../../source/bfd/mach-o.c:2735:22: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
      1 ../../../source/bfd/mach-o.c:2819:21: runtime error: shift exponent ... is negative
      1 ../../../source/bfd/mach-o.c:2819:21: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
      1 ../../../source/bfd/mach-o.c:2823:23: runtime error: shift exponent ... is negative
      1 ../../../source/bfd/mach-o.c:2823:23: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
      1 ../../../source/bfd/mach-o.c:2829:21: runtime error: shift exponent ... is negative
      1 ../../../source/bfd/mach-o.c:2829:21: runtime error: shift exponent ... is too large for 64-bit type 'long long int'
Comment 210 Sourceware Commits 2015-02-26 12:24:35 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e3ee40059d4a4e04d10e2b5c46bacd2a810355ca

commit e3ee40059d4a4e04d10e2b5c46bacd2a810355ca
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Feb 26 12:23:18 2015 +0000

    Fixes a resource exhaustion problem when running windres on a corrupt binary.
    
    	PR binutils/17512
    	* resrc.c (write_rc_messagetable): Tighten check for invalid
    	message lengths.
Comment 211 Nick Clifton 2015-02-26 12:42:21 UTC
Hi Alexander,

(In reply to Alexander Cherepanov from comment #207)
> Problems with `windres` (32-bit)
> Errors:
>       8 Conditional jump or move depends on uninitialised value(s)
>       1 Invalid read of size ...
>       1 Process terminating with default action of signal 11 (SIGSEGV)
>       2 Use of uninitialised value of size ...

These should be fixed now.

Cheers
  Nick
Comment 212 Sourceware Commits 2015-02-26 14:24:14 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c8071705c69a13d237aeca4709bf91deaff7e5cb

commit c8071705c69a13d237aeca4709bf91deaff7e5cb
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Feb 26 14:21:54 2015 +0000

    Fix undefined arithmetic operations detected by -fsanitize=undefined when running readelf on fuzzed binaries.
    
    	PR binutils/17512
    	* dwarf.c (display_debug_loc): Pacify the undefined behaviour
    	sanitizer by simplifying address difference calculation.
    	(struct Frame_Chunk): Change type of cfa_offset to dwarf_vma in
    	order to avoid arithmetic overflows.
    	(frame_display_row): Cast cfa_offset before printing it.
    	(display_debug_frames): Likewise.
    	Check for an unexpected segment size.
    	Change type of 'l' local to dwarf_vma and cast it back to an int
    	when printing.
    	(process_cu_tu_index): Tighten check for an invalid ncols value.
    	* readelf.c (process_corefile_note_segment): Check for
    	inote.descdata extending beyond the end of the section.
    	(process_v850_notes): Likewise.
Comment 213 Nick Clifton 2015-02-26 14:25:35 UTC
Hi Alexander,

(In reply to Alexander Cherepanov from comment #208)
> Problems with `readelf -agteAruhlsSdIncVWw --dyn-syms` (32-bit)

Fixed.

Cheers
  Nick
Comment 214 Sourceware Commits 2015-02-26 21:33:41 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c86934ceee0971a04bbfc145c7b9a53357c25c91

commit c86934ceee0971a04bbfc145c7b9a53357c25c91
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Feb 26 21:32:04 2015 +0000

    Fixes illegal memory access errors and arithmetic overflows when running strip on fuzzed binaries.
    
    	PR binutils/17512
    	* coffcode.h (coff_compute_section_file_positions): Report
    	negative page sizes.
    	* elf.c (elf_fake_sections): Handle excessive alignment powers.
    	(assign_file_positions_for_non_load_sections): Replace assertion
    	with an error message.
    	(rewrite_elf_program_header): Handle excessive segment
    	alignments.
    	* mach-o.c (bfd_mach_o_read_section_32): Likewise.
    	(bfd_mach_o_read_section_64): Likewise.
    	* peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Use %B to
    	print a bfd name, not %A.
Comment 215 Nick Clifton 2015-02-26 21:35:17 UTC
Hi Alexander,

(In reply to Alexander Cherepanov from comment #209)
> Problems with `strip-new -o /dev/null` (32-bit)
> Errors:
>       5 Invalid read of size ...
>       9 Syscall param write(buf) points to uninitialised byte(s)

These should all be fixed now.

Cheers
  Nick
Comment 216 Sourceware Commits 2015-02-26 22:17:34 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d93c7787a0dd4261b8ac65a92a33196b62ef57b4

commit d93c7787a0dd4261b8ac65a92a33196b62ef57b4
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Feb 26 22:16:16 2015 +0000

    Fix arithmetic overflows running srconv on fuzzed binaries.
    
    	PR binutils/17512
    	* coffgrok.c (do_type): Check for an out of range tag index.
    	Check for integer overflow computing array dimension.
    	(do_define): Likewise.
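The arithmetic checks this commit and the strip commit in comment 214 describe (integer overflow computing an array dimension, excessive alignment powers, and the bfd_alloc2-style count-times-size check from comment 188), as one added example that is not binutils code: overflow-checked helpers a parser of untrusted headers would use in place of the raw multiplication and shift ubsan flagged in the reports above. The function names (array_dimension, array_bytes, alloc_array_checked, alignment_from_power) and the sample values are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Array dimension from an element count and element size, both read from an
   untrusted header as int.  Returns -1 for a negative input (the "fishy
   (possibly negative) value" valgrind reports above) or for a product that
   does not fit in int, which as plain a * b would be the signed overflow
   ubsan flagged in coffgrok.c.  Constructed for this example.  */
static int
array_dimension (int count, int elem_size)
{
  if (count < 0 || elem_size < 0)
    return -1;
  if (count != 0 && elem_size > INT_MAX / count)
    return -1;
  return count * elem_size;
}

/* Total byte size of NMEMB objects of SIZE bytes, or 0 if the product would
   wrap size_t.  A zero-length array needs no storage, so 0 doubles as the
   "do not allocate" signal.  Making this check before malloc is what stops a
   fuzzed symbol count from yielding a small buffer and a huge fill loop.  */
static size_t
array_bytes (size_t nmemb, size_t size)
{
  if (nmemb != 0 && size > SIZE_MAX / nmemb)
    return 0;
  return nmemb * size;
}

/* Allocate an array with the check above applied.  Returns NULL when the
   requested count is impossible rather than letting the size wrap.  */
static void *
alloc_array_checked (size_t nmemb, size_t size)
{
  size_t total = array_bytes (nmemb, size);
  if (total == 0)
    return NULL;
  return malloc (total);
}

/* Byte alignment from an alignment power (log2).  Returns 0 for a power of
   64 or more: 1 << 64 is undefined behaviour on a 64-bit value, and a corrupt
   section header can carry any power at all.  */
static uint64_t
alignment_from_power (unsigned int power)
{
  if (power >= 64)
    return 0;
  return (uint64_t) 1 << power;
}

int
main (void)
{
  /* Constructed header values: sane ones and ones a fuzzer would produce.  */
  printf ("dimension 1000 x 1000      -> %d\n", array_dimension (1000, 1000));
  printf ("dimension 65536 x 65536    -> %d (overflow)\n", array_dimension (65536, 65536));
  printf ("dimension -1 x 8           -> %d (negative)\n", array_dimension (-1, 8));
  printf ("bytes for SIZE_MAX syms    -> %zu (overflow)\n", array_bytes (SIZE_MAX, 24));
  printf ("alignment power 4          -> %llu\n",
          (unsigned long long) alignment_from_power (4));
  printf ("alignment power 64         -> %llu (rejected)\n",
          (unsigned long long) alignment_from_power (64));

  void *p = alloc_array_checked (SIZE_MAX / 2, 4);
  printf ("alloc SIZE_MAX/2 x 4 bytes -> %s\n", p == NULL ? "refused" : "allocated");
  free (p);
  return 0;
}
```

Each check compares against a divided limit (INT_MAX / count, SIZE_MAX / nmemb) or tests the shift count before shifting, so the overflow is detected without ever performing the undefined operation; testing the result after the fact (for example `if (count * elem_size < 0)`) is itself undefined behaviour and is exactly what ubsan reports.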
Comment 217 Nick Clifton 2015-02-26 22:18:44 UTC
Hi Alexander,

(In reply to Alexander Cherepanov from comment #206)
> > > Problems with `srconv @@ /dev/null` (32-bit)

> Not sure if it is supposed to be fixed but undefined behavior (other 3
> samples) is not yet fixed.

Oops - sorry about this.  The undefined behaviours should now be fixed as well.

Cheers
  Nick
Comment 218 Sourceware Commits 2015-03-24 10:31:58 UTC
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1dead8aee09e9ba148f6f44040122f62b5e4acea

commit 1dead8aee09e9ba148f6f44040122f62b5e4acea
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 10:30:34 2015 +0000

    Import security fixes for readelf from the master branch:
    
    	2015-02-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* readelf.c (process_corefile_note_segment): Check for
    	inote.descdata extending beyond the end of the section.
    	(process_v850_notes): Likewise.
    
    	2015-02-24  Mike Frysinger  <vapier@gentoo.org>
    
    	PR binutils/17531
    	* readelf.c (process_symbol_table): Declare chained.  Increment it
    	in every loop.  Abort when chained is larger than nchains.  Move
    	error check outside of chain loop.
    
    	2015-02-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (dump_relocations): Handle printing offsets which are
    	MIN_INT.
    	(process_corefile_note_segment): Add range check of the namesz
    	field.
    
    	2015-02-06  Nick Clifton  <nickc@redhat.com>
    
    	* readelf.c (process_mips_specific): Fail if an option has an
    	invalid size.
    
    	2015-02-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_data): Change parameter types from size_t to
    	bfd_size_type.  Add checks for loss of accuracy when casting from
    	bfd_size_type to size_t.
    	(get_dynamic_data): Likewise.
    	(process_section_groups): Limit number of error messages.
    
    	2015-01-05  Nick Clifton  <nickc@redhat.com>
    
    	* readelf.c (slurp_ia64_unwind_table): Warn if the reloc could not
    	be identified.
    	(dynamic_section_mips_val): Warn if the timestamp is invalid.
    	(print_mips_got_entry): Add a data_end parameter.  Warn if a read
    	would go beyond the end of the data, and return an error value.
    	(process_mips_specific): Do not read options from beyond the end
    	of the section.
    	Correct code to display optional data at the end of an option.
    	Warn if there are too many GOT symbols.
    	Update calls to print_mips_got_entry, and handle error returns.
    
    	2014-12-08  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (dump_ia64_unwind): Add range checks.
    	(slurp_ia64_unwind_table): Change to a boolean function.  Add
    	range checks.
    	(process_version_sections): Add range checks.
    	(get_symbol_version_string): Add check for missing section
    	headers.
    
    	2014-12-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_machine_flags): Replace call to abort with a
    	warning message and a return value.
    	(get_elf_section_flags): Likewise.
    	(get_symbol_visibility): Likewise.
    	(get_ia64_symbol_other): Likewise.
    	(get_ia64_symbol_other): Likewise.
    	(is_32bit_abs_reloc): Likewise.
    	(apply_relocations): Likewise.
    	(display_arm_attribute): Likewise.
    
    	2014-12-01  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.h (struct dwarf_section): Add user_data field.
    	* dwarf.c (frame_need_space): Check for an over large register
    	number.
    	(display_debug_frames): Check the return value from
    	frame_need_space.  Check for a CFA expression that is so long the
    	start address wraps around.
    	(debug_displays): Initialise the user_data field.
    	* objdump.c (load_specific_debug_section): Save the BFD section
    	pointer in the user_data field of the dwarf_section structure.
    	(free_debug_section): Update BFD section data when freeing section
    	contents.
    	* readelf.c (load_specific_debug_section): Initialise the
    	user_data field.
    
    	2014-12-01  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (process_archive): Add range checks.
    
    	2014-11-28  Alan Modra  <amodra@gmail.com>
    
    	* readelf.c (get_32bit_elf_symbols): Cast bfd_size_type values to
    	unsigned long for %lx.
    	(get_64bit_elf_symbols, process_section_groups): Likewise.
    
    	2014-11-27  Espen Grindhaug <espen@grindhaug.org>
    	    Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_data): Move excessive length check to earlier on
    	in the function and allow for wraparound in the arithmetic.
    	(get_32bit_elf_symbols): Terminate early if the section size is
    	zero.  Check for an invalid sh_entsize.  Check for an index
    	section with an invalid size.
    	(get_64bit_elf_symbols): Likewise.
    	(process_section_groups): Check for an invalid sh_entsize.
    
    	2014-11-21  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (process_version_sections): Prevent an infinite loop
    	processing corrupt version need data.
    	(process_corefile_note_segment): Handle corrupt notes.
    
    	2014-11-18  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_unwind_section_word): Skip reloc processing if
    	there are no relocs associated with the section.
    	(decode_tic6x_unwind_bytecode): Warn and return if the stack
    	pointer adjustment falls off the end of the buffer.
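The recurring pattern in the readelf fixes above (descdata extending beyond the end of the section, namesz range checks, get_data allowing for wraparound) is that every attacker-controlled length must be compared against the bytes still available, not added to a pointer and compared afterwards. The following is an added example written for this page, not readelf's process_corefile_note_segment: a minimal ELF note walker over a constructed buffer. The note layout (three little-endian uint32 fields, then name and descriptor each padded to 4 bytes) and the sample bytes are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not readelf code. Assumed note layout: uint32 namesz,
   descsz, type (little-endian), then the name and the descriptor, each
   padded to a 4-byte boundary. */

#define NOTE_ALIGN 4u

struct note_view {
    uint32_t type;
    const uint8_t *name; uint32_t namesz;
    const uint8_t *desc; uint32_t descsz;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Round v up to NOTE_ALIGN without overflowing size_t. On a 32-bit host a
   namesz of 0xffffffff rounds to 0 under naive arithmetic and then passes
   every later check. Returns 0 if the rounding cannot be done. */
static int align_up(size_t v, size_t *out)
{
    if (v > SIZE_MAX - (NOTE_ALIGN - 1))
        return 0;
    *out = (v + NOTE_ALIGN - 1) & ~(size_t)(NOTE_ALIGN - 1);
    return 1;
}

/* Walk the notes in buf[0..len). Returns the number of well-formed notes, or
   -1 at the first malformed one. Lengths are compared against the bytes
   still unread (len - off); computing buf + off + namesz and comparing
   pointers is undefined behaviour once it passes the end of the buffer and
   in practice wraps, which is how a descriptor ends up "beyond the section". */
int walk_notes(const uint8_t *buf, size_t len,
               int (*cb)(const struct note_view *, void *), void *ctx)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        struct note_view nv;
        size_t name_len, desc_len;

        if (len - off < 12)               /* header itself is truncated */
            return -1;
        nv.namesz = rd32le(buf + off);
        nv.descsz = rd32le(buf + off + 4);
        nv.type   = rd32le(buf + off + 8);
        off += 12;

        if (!align_up(nv.namesz, &name_len) || name_len > len - off)
            return -1;
        nv.name = buf + off;
        off += name_len;

        if (!align_up(nv.descsz, &desc_len) || desc_len > len - off)
            return -1;
        nv.desc = buf + off;
        off += desc_len;

        if (cb != NULL && cb(&nv, ctx) != 0)
            return -1;
        count++;
    }
    return count;
}

/* Wrapper used by main and by callers that only want the count. */
int count_notes(const uint8_t *buf, size_t len)
{
    return walk_notes(buf, len, NULL, NULL);
}

/* Constructed sample data: one type-1 note (NT_PRSTATUS in a core file) named
   "CORE" with a 2-byte descriptor, then the same note with descsz fuzzed to
   0xffffffff. */
const uint8_t note_ok[] = {
    5, 0, 0, 0,   2, 0, 0, 0,   1, 0, 0, 0,
    'C', 'O', 'R', 'E', 0, 0, 0, 0,
    0xaa, 0xbb, 0, 0
};
const uint8_t note_bad_descsz[] = {
    5, 0, 0, 0,   0xff, 0xff, 0xff, 0xff,   1, 0, 0, 0,
    'C', 'O', 'R', 'E', 0, 0, 0, 0,
    0xaa, 0xbb, 0, 0
};

static int print_note(const struct note_view *nv, void *ctx)
{
    (void)ctx;
    printf("note type %u namesz %u descsz %u name \"%.*s\"\n",
           nv->type, nv->namesz, nv->descsz,
           (int)(nv->namesz ? nv->namesz - 1 : 0), (const char *)nv->name);
    return 0;
}

int main(void)
{
    printf("valid: %d note(s)\n",
           walk_notes(note_ok, sizeof note_ok, print_note, NULL));
    printf("fuzzed descsz: %d\n",
           count_notes(note_bad_descsz, sizeof note_bad_descsz));
    return 0;
}
```

The same shape works for any length-prefixed record: compute the padded length with an overflow check, compare it to the remaining byte count, and only then form the pointer.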
Comment 219 Sourceware Commits 2015-03-24 11:33:30 UTC
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=304a2b6fe67786b45889a784bf71aabf2a9d26fd

commit 304a2b6fe67786b45889a784bf71aabf2a9d26fd
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 11:31:37 2015 +0000

    Import fixes for invalid memory access issues in the binutils DWARF parser from the trunk sources.
    
    	PR binutils/17512
    	* dwarf.c (display_debug_loc): Pacify the undefined behaviour
    	sanitizer by simplifying address difference calculation.
    	(struct Frame_Chunk): Change type of cfa_offset to dwarf_vma in
    	order to avoid arithmetic overflows.
    	(frame_display_row): Cast cfa_offset before printing it.
    	(display_debug_frames): Likewise.
    	Check for an unexpected segment size.
    	Change type of 'l' local to dwarf_vma and cast it back to an int
    	when printing.
    	(process_cu_tu_index): Tighten check for an invalid ncols value.
    	* readelf.c (process_corefile_note_segment): Check for
    	inote.descdata extending beyond the end of the section.
    	(process_v850_notes): Likewise.
    
    	2015-02-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (read_leb128): Fix test for shift becoming too large.
    
    	PR binutils/17531
    	* dwarf.c (display_debug_aranges): Add check for an excessive
    	ar_length value.
    	(process_cu_tu_index): Check for a row * columns sum being too
    	large.
    
    	2015-02-13  Alan Modra  <amodra@gmail.com>
    
    	* dwarf.c: Formatting, whitespace.
    	(process_debug_info): Style fix.
    
    	2015-02-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (display_debug_pubnames_worker): Work around compiler
    	bug checking address ranges.
    	(display_debug_frames): Likewise.
    	(display_gdb_index): Likewise.
    	(process_cu_tu_index): Add range check on the ncols value.
    
    	2015-02-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (eh_addr_size): Use an unsigned type.
    	(size_of_encoded_value): Return an unsigned type.
    	(read_leb128): Break if the shift becomes too big.
    	(process_extended_line_op): Do not read the address if the length
    	is too long.
    	(read_cie): Warn and fail if the pointer size or segment size are
    	too big.
    	* dwarf.h (DWARF2_External_LineInfo): Delete unused and incorrect
    	structure definition.
    	(DWARF2_External_PubNames): Likewise.
    	(DWARF2_External_CompUnit): Likewise.
    	(DWARF2_External_ARange): Likewise.
    	(DWARF2_Internal_LineInfo): Use dwarf_vma type for
    	li_prologue_length.
    	(eh_addr_size): Update prototype.
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Zero the debug information array
    	since correct initialisation cannot be relied upon.
    	(process_cu_tu_index): Improve range checks.
    
    	PR binutils/17531
    	* dwarf.c (display_debug_pubnames_worker): Use dwarf_vma type for
    	offset.
    
    	2015-02-06  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (display_debug_frames): Fix range checks to work on
    	32-bit binaries compiled on a 64-bit host.
    
    	PR binutils/17531
    	* dwarf.c (xcmalloc): Fail if the arguments are too big.
    	(xcrealloc): Likewise.
    	(xcalloc2): Likewise.
    	* readelf.c (process_mips_specific): Fail if an option has an
    	invalid size.
    
    	2015-02-05  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17926
    	* dwarf.c (dwarf_select_sections_by_letters): Don't refer to optarg.
    
    	2015-02-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (read_and_display_attr_value): Test for a block length
    	being so long that it wraps around to before the start of the block.
    	(process_debug_info): Test for section_begin wrapping around to
    	before the start of the section.
    	(display_gdb_index): Test for num_cus being so large that the end
    	address wraps around to before the start of the section.
    	(process_cu_tu_index): Test for j being so large that the section
    	index pool wraps around to before the start of the section.
    
    	2015-02-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Add range check.
    	(display_debug_pubnames_worker): Likewise.
    	(display_gdb_index): Fix range check.
    	(process_cu_tu_index): Add range check.
    	* readelf.c (get_data): Change parameter types from size_t to
    	bfd_size_type.  Add checks for loss of accuracy when casting from
    	bfd_size_type to size_t.
    	(get_dynamic_data): Likewise.
    	(process_section_groups): Limit number of error messages.
    
    	2015-01-12  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* dwarf.c (process_debug_info): Properly check abbrev size.
    
    	2015-01-12  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Check for abbrev_base being larger
    	than the section size.
    	(process_cu_tu_index): Use xcalloc2 to allocate the CU and TU
    	arrays.
    	(xcalloc2): New function.  Like xcalloc, but checks for overflow.
    	(display_debug_addr): Use xcalloc to allocate the debug_addr_info
    	array.  Check for an address_base that is too large.
    
    	* dwarf.h (xcalloc2): Prototype.
    
    	2015-01-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (alloc_num_debug_info_entries): New variable.
    	(process_debug_info): Set it.  Use it to avoid displaying
    	attributes for which there is no info.
    	(display_debug_abbrev): Check that the debug_info_entry index is
    	valid before using it.
    	(display_loc_list_dwo): Likewise.
    	(process_cu_tu_index): Add range check for an overlarge dw_sect
    	value.
    	(free_debug_memory): Reset alloc_num_debug_info_entries.
    
    	2014-12-22  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (decode_location_expression): Check for an out of range
    	value for a DW_OP_GNU_entry_value expression.
    	(display_debug_lines_raw): Check for a partial
    	.debug_line. section being encountered without a prior, full
    	.debug.line section.
    	(display_debug_lines_decoded): Likewise.  Also check for
    	li_line_range being zero.
    	(display_debug_pubnames_worker): Check for an invalid pn_length
    	field.
    	(read_cie): Add range checks.
    
    	2014-12-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (display_gdb_index): Add more range checks.
    
    	2014-12-08  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (display_debug_frames): Check for a negative
    	augmentation data length.
    	(display_gdb_index): Check for invalid offsets.
    
    	2014-12-01  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* dwarf.c (process_cu_tu_index): Properly check for an out of
    	range row index.
    
    	2014-12-01  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.h (struct dwarf_section): Add user_data field.
    	* dwarf.c (frame_need_space): Check for an over large register
    	number.
    	(display_debug_frames): Check the return value from
    	frame_need_space.  Check for a CFA expression that is so long the
    	start address wraps around.
    	(debug_displays): Initialise the user_data field.
    	* objdump.c (load_specific_debug_section): Save the BFD section
    	pointer in the user_data field of the dwarf_section structure.
    	(free_debug_section): Update BFD section data when freeing section
    	contents.
    	* readelf.c (load_specific_debug_section): Initialise the
    	user_data field.
    
    	2014-12-01  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* dwarf.c (process_cu_tu_index): Check for an out of range row
    	index.
    	* elfcomm.c (adjust_relative_path): Change name_len parameter to
    	an unsigned long.  Check for path length overflow.
    	(process_archive_index_and_symbols): Check for invalid header
    	size.
    	(setup_archive): Add checks for invalid archives.
    	(get_archive_member_name): Add range checks.
    	* elfcomm.h (adjust_relative_path): Update prototype.
    	* readelf.c (process_archive): Add range checks.
    
    	2014-11-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (display_block): Do nothing if the block starts after
    	the end of the buffer.
    	(read_and_display_attr_value): Add range checks.
    	(struct Frame_Chunk): Make the ncols and ra fields unsigned.
    	(frame_need_space): Test for an ncols of zero.
    	(read_cie): Fail if the augmentation data extends off the end of
    	the buffer.
    	(display_debug_frames): Add checks for read_cie failing.  Add
    	range checks.
    
    	2014-11-21  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (get_encoded_value): Check for an encoded size of 0.
    	(display_debug_lines_raw): Check for an invalid line range value.
    	(display_debug_frames): Check for corrupt augmentation data.
    
    	2014-11-19  Jan-Benedict Glaw  <jbglaw@lug-owl.de>
    
    	* dwarf.c (process_extended_line_op): Fix signedness warning.
    
    	2014-11-18  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (get_encoded_value): Warn and return if the encoded
    	value is more than 64-bits long.
    	(SAFE_BYTE_GET): Do not attempt to read more than 64-bits.
    	(process_extended_line_op): Add more range checks.
    	(decode_location_expression): Use the return value from
    	display_block.  Add more range checks.
    	(read_debug_line_header): Add range check.
    	(display_debug_lines_raw): Add range checks.
    	(display_debug_frames): Silently skip multiple zero terminators.
    	Add range checks.
    	(process_cu_tu_index): Check for non-existent or empty sections.
    	Use SAFE_BYTE_GET instead of byte_get.
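Two of the DWARF checks listed above are worth seeing in code: read_leb128 breaking when the shift becomes too big, and process_cu_tu_index rejecting a row * columns product that is too large before anything is allocated (the xcalloc2 idea). The block below is an added example written for this page; neither function is binutils' own read_leb128 or xcalloc2, the 4-byte cell size in cu_tu_table_fits is an assumption of the example, and the byte strings are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not binutils code. */

/* Decode an unsigned LEB128 value from buf[0..len). Returns the number of
   bytes consumed, or 0 if the input is truncated or the value needs more than
   64 bits. Shifting a uint64_t by 64 or more is undefined behaviour in C, so
   the shift is checked before it is used rather than after. */
size_t read_uleb128(const uint8_t *buf, size_t len, uint64_t *out)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t i;

    for (i = 0; i < len; i++) {
        uint8_t byte = buf[i];
        uint8_t chunk = byte & 0x7f;

        if (shift >= 64)
            return 0;                   /* 11th byte: no bits left to fill */
        if (shift == 63 && chunk > 1)
            return 0;                   /* 10th byte: only one bit still fits */
        result |= (uint64_t)chunk << shift;
        shift += 7;
        if ((byte & 0x80) == 0) {
            *out = result;
            return i + 1;
        }
    }
    return 0;                           /* ran off the buffer, no terminator */
}

/* 1 if decoding buf consumes want_n bytes and yields want_v, else 0. */
int uleb_decodes_to(const uint8_t *buf, size_t len, size_t want_n, uint64_t want_v)
{
    uint64_t v = 0;
    size_t n = read_uleb128(buf, len, &v);
    return n == want_n && (n == 0 || v == want_v);
}

/* a * b into *out, or 0 if the product does not fit in 64 bits. */
static int mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Decide whether an nrows x ncols table of 4-byte cells (cell size assumed
   for this example) can possibly fit in the bytes_left still unread in the
   section. Both multiplications are checked, so a fuzzed header with
   nrows = ncols = 2^40 is rejected instead of wrapping to a small allocation
   that the read loop then overruns. */
int cu_tu_table_fits(uint64_t nrows, uint64_t ncols, uint64_t bytes_left)
{
    uint64_t cells, bytes;

    if (!mul_u64_checked(nrows, ncols, &cells))
        return 0;
    if (!mul_u64_checked(cells, 4, &bytes))
        return 0;
    return bytes <= bytes_left;
}

/* Constructed inputs: the textbook encoding of 624485, the largest value that
   still fits (2^63 in ten bytes), a value that spills past 64 bits, and a
   truncated value. */
const uint8_t leb_624485[]    = { 0xe5, 0x8e, 0x26 };
const uint8_t leb_2pow63[]    = { 0x80, 0x80, 0x80, 0x80, 0x80,
                                  0x80, 0x80, 0x80, 0x80, 0x01 };
const uint8_t leb_too_wide[]  = { 0xff, 0xff, 0xff, 0xff, 0xff,
                                  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f };
const uint8_t leb_truncated[] = { 0x80, 0x80 };

int main(void)
{
    uint64_t v = 0;
    size_t n = read_uleb128(leb_624485, sizeof leb_624485, &v);
    printf("consumed %zu bytes, value %llu\n", n, (unsigned long long)v);
    printf("too wide: %zu, truncated: %zu\n",
           read_uleb128(leb_too_wide, sizeof leb_too_wide, &v),
           read_uleb128(leb_truncated, sizeof leb_truncated, &v));
    printf("2x3 table in 24 bytes: %d, in 23 bytes: %d\n",
           cu_tu_table_fits(2, 3, 24), cu_tu_table_fits(2, 3, 23));
    return 0;
}
```

The sanitizer findings quoted earlier in this bug (shift exponent too large, signed overflow) are exactly the cases the early returns above take; a reader that only checks after the shift has already executed the undefined operation.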
Comment 220 Sourceware Commits 2015-03-24 12:26:57 UTC
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4f9583e9c45482e111d30f94df650a3f2cf36b99

commit 4f9583e9c45482e111d30f94df650a3f2cf36b99
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 12:25:25 2015 +0000

    Import fixes from trunk sources to correct invalid memory access issues with various binutils programs.
    
    	Apply from master:
    	2015-02-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffgrok.c (do_type): Check for an out of range tag index.
    	Check for integer overflow computing array dimension.
    	(do_define): Likewise.
    
    	2015-02-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* resrc.c (write_rc_messagetable): Tighten check for invalid
    	message lengths.
    
    	2015-02-13  Nick Clifton  <nickc@redhat.com>
    
    	* coffgrok.c (do_define): Add check for type size overflow.
    	* srconv.c (walk_tree_sfile): Check that enough sections are
    	available before parsing.
    	(prescan): Likewise.
    
    	2015-02-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* objdump.c (display_any_bfd): Fail if archives nest too deeply.
    
    	2015-01-27  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dlltool.c (identify_search_archive): If the last archive was the
    	same as the current archive, terminate the loop.
    
    	* addr2line.c (slurp_symtab): If the symcount is zero, free the
    	symbol table pointer.
    
    	* rcparse.y: Add checks to avoid integer divide by zero.
    	* rescoff.c (read_coff_rsrc): Add check on the size of the
    	resource section.
    	(read_coff_res_dir): Add check on the nesting level.
    	Check for resource names overrunning the buffer.
    	* resrc.c (write_rc_messagetable): Update formatting.
    	Add check of 'elen' being zero.
    
    	2015-01-23  Nick Clifton  <nickc@redhat.com>
    
    	* nlmconv.c (powerpc_mangle_relocs): Fix build errors introduced
    	by a recent delta, when compiling for a 32-bit host.
    
    	2015-01-21  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* addr2line.c (main): Call bfd_set_error_program_name.
    	* ar.c (main): Likewise.
    	* coffdump.c (main): Likewise.
    	* cxxfilt.c (main): Likewise.
    	* dlltool.c (main): Likewise.
    	* nlmconv.c (main): Likewise.
    	* nm.c (main): Likewise.
    	* objdump.c (main): Likewise.
    	* size.c (main): Likewise.
    	* srconv.c (main): Likewise.
    	* strings.c (main): Likewise.
    	* sysdump.c (main): Likewise.
    	* windmc.c (main): Likewise.
    	* windres.c (main): Likewise.
    	* objcopy.c (main): Likewise.
    	(copy_relocations_in_section): Check for relocs without associated
    	symbol pointers.
    
    	2015-01-21  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffgrok.c (do_type): Check that computed ref exists.
    	(doit): Add range checks when computing section for scope.
    
    	2015-01-08  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* objcopy.c (copy_object): Free the symbol table if no symbols
    	could be loaded.
    	(copy_file): Use bfd_close_all_done to close files that could not
    	be copied.
    
    	* sysdump.c (getINT): Fail if reading off the end of the buffer.
    	Replace call to abort with a call to fatal.
    	(getCHARS): Prevent reading off the end of the buffer.
    
    	* nlmconv.c (i386_mangle_relocs): Skip relocs without an
    	associated symbol.
    	(powerpc_mangle_relocs): Skip unrecognised relocs.  Check address
    	range before applying a reloc.
    
    	2015-01-07  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dlltool.c (scan_obj_file): Break loop if the last archive
    	displayed matches the current archive.
    
    	* objdump.c (display_any_bfd): Add a depth limit to nested archive
    	display in order to avoid infinite loops.
    	* srconv.c: Replace calls to abort with calls to fatal with an
    	error message.
    
    	2015-01-06  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffdump.c (dump_coff_section): Check for a symbol being
    	available before printing its name.
    	(main): Check the return value from coff_grok.
    	* coffgrok.c: Reformat and tidy.
    	Add range checks to most functions.
    	(coff_grok): Return NULL if the input bfd is not in a COFF
    	format.
    	* coffgrok.h: Reformat and tidy.
    	(struct coff_section): Change the nrelocs field to unsigned.
    	* srconv.c (main): Check the return value from coff_grok.
    
    	2015-01-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* nm.c (print_symbol): Add 'is_synthetic' parameter.  Use it to
    	help initialize the info.elfinfo field.
    	(print_size_symbols): Add 'synth_count' parameter.  Use it to set
    	the is_synthetic parameter when calling print_symbol.
    	(print_symbols): Likewise.
    	(display_rel_file): Pass synth_count to printing function.
    	(display_archive): Break loop if the last archive displayed
    	matches the current archive.
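Several entries in the commit above deal with a different failure mode from out-of-range reads: unbounded recursion or looping when a fuzzed archive nests too deeply or a member resolves back to the archive that contains it (display_any_bfd's depth limit, the "last archive matches the current archive" tests in nm, dlltool and objdump). The following is an added example written for this page, not libbfd's archive code: the archive is a toy in-memory table in which members name their children by index, and the depth limit, sample names and member layout are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not libbfd code. A member is either a plain object
   (children == NULL) or a nested archive listing its members by index. */

#define MAX_ARCHIVE_DEPTH 4   /* assumed limit for this example */

struct member {
    const char *name;
    const int *children;      /* NULL for a plain object file */
    int nchildren;
};

/* Returns the number of leaf objects below members[idx], or -1 if a child
   index is out of range, nesting exceeds MAX_ARCHIVE_DEPTH, or a nested
   archive is the same member that contains it. Without the last two checks
   the self-referencing sample below recurses until the stack is exhausted. */
long walk_archive(const struct member *members, int nmembers,
                  int idx, int parent, int depth)
{
    long total = 0;
    int i;

    if (idx < 0 || idx >= nmembers)
        return -1;                        /* corrupt member table */
    if (members[idx].children == NULL)
        return 1;                         /* plain object */
    if (depth >= MAX_ARCHIVE_DEPTH)
        return -1;                        /* nested too deeply */
    if (idx == parent)
        return -1;                        /* archive contains itself */

    for (i = 0; i < members[idx].nchildren; i++) {
        long r = walk_archive(members, nmembers,
                              members[idx].children[i], idx, depth + 1);
        if (r < 0)
            return -1;
        total += r;
    }
    return total;
}

/* Constructed samples: a sane archive with one nested archive, an archive
   whose only member is itself, and a chain nested one level past the limit. */
static const int lib_kids[]   = { 1, 2, 3 };
static const int inner_kids[] = { 4 };
const struct member lib_members[] = {
    { "lib.a",   lib_kids,   3 },
    { "a.o",     NULL,       0 },
    { "inner.a", inner_kids, 1 },
    { "b.o",     NULL,       0 },
    { "c.o",     NULL,       0 },
};
const int lib_nmembers = 5;

static const int loop_kids[] = { 0 };
const struct member loop_members[] = { { "loop.a", loop_kids, 1 } };
const int loop_nmembers = 1;

static const int deep_kids[][1] = { {1}, {2}, {3}, {4}, {5} };
const struct member deep_members[] = {
    { "d0.a", deep_kids[0], 1 }, { "d1.a", deep_kids[1], 1 },
    { "d2.a", deep_kids[2], 1 }, { "d3.a", deep_kids[3], 1 },
    { "d4.a", deep_kids[4], 1 }, { "leaf.o", NULL, 0 },
};
const int deep_nmembers = 6;

int main(void)
{
    printf("lib.a: %ld objects\n",
           walk_archive(lib_members, lib_nmembers, 0, -1, 0));
    printf("loop.a: %ld\n",
           walk_archive(loop_members, loop_nmembers, 0, -1, 0));
    printf("deep chain: %ld\n",
           walk_archive(deep_members, deep_nmembers, 0, -1, 0));
    return 0;
}
```

The parent comparison only catches a member that points straight back at its container; a longer cycle (A contains B contains A) is what the depth limit is for, which is why the commits add both.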
Comment 221 Sourceware Commits 2015-03-24 16:34:15 UTC
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a57494b3cf09162ed556f4d1da2bd77d2acc4e4

commit 7a57494b3cf09162ed556f4d1da2bd77d2acc4e4
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 16:32:44 2015 +0000

    Import fixes from mainline that address illegal memory accesses when working with COFF/PE based files.
    
    	Apply from master:
    	2015-02-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_compute_section_file_positions): Report
    	negative page sizes.
    
    	2015-02-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (styp_to_sec_flags): Use an unsigned long type to
    	hold the flag bits.
    
    	2015-02-06  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* peXXigen.c (rsrc_print_resource_entries): Add range check for
    	addresses that wrap around the address space.
    	(rsrc_parse_entry): Likewise.
    
    	2015-02-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* ecoff.c: Use bfd_alloc2 to allocate space for structure arrays.
    	(_bfd_ecoff_slurp_symbol_table): Check for a negative symbol
    	index or an out of range fdr index.
    	* peXXigen.c (pe_print_edata):  Check for numeric overflow in edt
    	fields.
    
    	2015-01-22  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (handle_COMDAT): When searching for the section
    	symbol, make sure that there is space left in the symbol table.
    
    	2015-01-21  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_set_arch_mach_hook): Check return value from
    	bfd_malloc.
    	(coff_slurp_line_table): Return FALSE if the line number
    	information was corrupt.
    	(coff_slurp_symbol_table): Return FALSE if the symbol information
    	was corrupt.
    	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Set bfd_error if the
    	read fails.
    	(slurp_symtab): Check the return from bfd_malloc.
    	(_bfd_XX_bfd_copy_private_bfd_data_common): Fail if the copy
    	encountered an error.
    	(_bfd_XXi_final_link_postscript): Fail if a section could not be
    	copied.
    	* peicode.h (pe_bfd_object_p): Fail if the header could not be
    	swapped in.
    
    	2015-01-08  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_symbol_table): Return false if we failed
    	to load the line table.
    
    	2015-01-06  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coff-i860.c (CALC_ADDEND): Always set an addend value.
    
    	2014-11-27  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* ecoff.c (_bfd_ecoff_slurp_symbol_table): Warn about and correct
    	a discrepancy between the isymMax and ifdMax values in the
    	symbolic header.
    
    	2014-11-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coff-h8300.c (rtype2howto): Replace abort with returning a NULL
    	value.
    	* coff-h8500.c (rtype2howto): Likewise.
    	* coff-tic30.c (rtype2howto): Likewise.
    	* coff-z80.c (rtype2howto): Likewise.
    	* coff-z8k.c (rtype2howto): Likewise.
    	* coff-ia64.c (RTYPE2HOWTO): Always return a valid howto.
    	* coff-m68k.c (m68k_rtype2howto): Return a NULL howto if none
    	could be found.
    	* coff-mcore.c (RTYPE2HOWTO): Add range checking.
    	* coff-w65.c (rtype2howto): Likewise.
    	* coff-we32k.c (RTYPE2HOWTO): Likewise.
    	* pe-mips.c (RTYPE2HOWTO): Likewise.
    	* coff-x86_64.c (coff_amd64_reloc): Likewise.  Replace abort with
    	an error return.
    	* coffcode.h (coff_slurp_reloc_table): Allow the rel parameter to
    	be unused.
    	* coffgen.c (make_a_section_from_file): Check the length of a
    	section name before testing to see if it is a debug section name.
    	(coff_object_p): Zero out any uninitialised bytes in the opt
    	header.
    	* ecoff.c (_bfd_ecoff_slurp_symbolic_info): Test for the raw
    	source being empty when there are values to be processed.
    	(_bfd_ecoff_slurp_symbol_table): Add range check.
    
    	2014-11-21  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffgen.c (coff_get_normalized_symtab): Check for an excessive
    	number of auxiliary entries.
    
    	2014-11-21  Alexander Cherepanov  <cherepan@mccme.ru>
    
    	PR binutils/17512
    	* coffgen.c (_bfd_coff_read_string_table): Test allocation of
    	string table before clearing the first few bytes.
Comment 222 Sourceware Commits 2015-03-24 17:21:28 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fc42baf3cdc41bc8cf12e35ae78e4529c1470118

commit fc42baf3cdc41bc8cf12e35ae78e4529c1470118
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Mar 24 17:20:00 2015 +0000

    Fixes a bug introduced by the new ranges checks on COFF symbol tables.
    
    	PR binutils/17512
    	* coffgen.c (coff_get_normalized_symtab): Fix test for out of
    	range auxiliary sections.
Comment 223 Sourceware Commits 2015-03-25 14:22:44 UTC
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a539f2c77280d67248128aa993e5f606419a46e6

commit a539f2c77280d67248128aa993e5f606419a46e6
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Mar 25 14:20:36 2015 +0000

    Import patches from the master sources which fix illegal memory accesses found by running the binutils on fuzzed binaries.
    
    2015-03-25  Nick Clifton  <nickc@redhat.com>
    
    	Apply from master:
    	2015-02-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* mach-o.c (bfd_mach_o_read_section_32): Likewise.
    	(bfd_mach_o_read_section_64): Likewise.
    
    	2015-02-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* versados.c (process_otr): Check the esdid value before using it
    	to access the EDATA.
    
    	2015-02-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* mach-o.c: Use bfd_alloc2 to allocate space for structure arrays.
    	(bfd_mach_o_canonicalize_one_reloc): Fix check on out
    	of range symbol indices.
    	(bfd_mach_o_canonicalize_relocs): Check for out of range alloc.
    	(bfd_mach_o_canonicalize_dynamic_reloc): Likewise.
    	(bfd_mach_o_build_dysymtab): Likewise.
    	(bfd_mach_o_write_symtab_content): Set the string table size to
    	zero upon error.
    	(bfd_mach_o_read_symtab_symbols): Reset the nsyms value if the
    	read fails.
    	* tekhex.c (first_phase): Check for src pointer reaching end of
    	buffer.
    
    	2015-01-27  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* pdp11.c (aout_get_external_symbols): Return false if there are
    	no symbols.
    
    	2015-01-22  DJ Delorie  <dj@redhat.com>
    
    	* elf32-m32c.c (m32c_apply_reloc_24): New.
    	(m32c_elf_howto_table): Use it for R_M32C_24.
    	(m32c_elf_relocate_section): Handle R_M32C_24 specially.
    
    	2015-01-21  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* mach-o.c (bfd_mach_o_bfd_copy_private_header_data): Always
    	initialise the fields of the dyld_info structure.
    	(bfd_mach_o_build_exec_seg_command): Replace assertion with an
    	error message and a return value.
    	(bfd_mach_o_layout_commands): Change the function to boolean.
    	Return FALSE if the function fails.
    	(bfd_mach_o_build_commands): Fail if bfd_mach_o_layout_commands
    	fails.
    	(bfd_mach_o_read_command): Fail if an unrecognised command is
    	encountered.
    	* tekhex.c (first_phase): Fail if the section is too big.
    	* versados.c (struct esdid): Add content_size field.
    	(process_otr): Use and check the new field.
    	(versados_get_section_contents): Check that the section exists and
    	that the requested data is available.
    
    	2015-01-19  Alan Modra  <amodra@gmail.com>
    
    	* bfd-in.h (bfd_get_section_limit_octets): New define, extracted from..
    	(bfd_get_section_limit): ..here.
    	* reloc.c (bfd_perform_relocation): Correct bfd_reloc_outofrange check.
    	(bfd_install_relocation, _bfd_final_link_relocate): Add same check here.
    	* bfd-in2.h: Regenerate.
    
    	* cpu-ns32k.c (_bfd_do_ns32k_reloc_contents): Return bfd_reloc_ok
    	on zero size relocs.
    	* ecoff.c (ecoff_reloc_link_order): Likewise.
    	* elf32-nds32.c (nds32_relocate_contents): Likewise.
    	* elfxx-aarch64.c (_bfd_aarch64_elf_put_addend): Likewise.
    
    	* reloc.c (_bfd_relocate_contents): Don't bomb on zero size relocs.
    	(_bfd_clear_contents): Likewise.
    	* elfxx-mips.c (mips_elf_obtain_contents): Likewise.
    	(mips_elf_perform_relocation): Likewise.
    
    	* aoutx.h (aout_link_reloc_link_order): Allow for NULL return
    	from malloc on zero size alloc.
    	* cofflink.c (_bfd_coff_reloc_link_order): Likewise.
    	* elflink.c (elf_reloc_link_order): Likewise.
    	* linker.c (_bfd_generic_reloc_link_order): Likewise.
    	* pdp11.c (aout_link_reloc_link_order): Likewise.
    	* xcofflink.c (xcoff_reloc_link_order): Likewise.
    
    	* aoutx.h (howto_table_ext): Ensure NONE relocs have size 3,
    	bitsize 0, and complain_overflow_dont.
    	* coff-sparc.c (coff_sparc_howto_table): Likewise.
    	* elf-hppa.h (elf_hppa_howto_table): Likewise.
    	* elf-m10200.c (elf_mn10200_howto_table): Likewise.
    	* elf-m10300.c (elf_mn10300_howto_table): Likewise.
    	* elf32-arc.c (elf_arc_howto_table): Likewise.
    	* elf32-arm.c (elf32_arm_howto_table_1): Likewise.
    	* elf32-avr.c (elf_avr_howto_table): Likewise.
    	* elf32-bfin.c (bfin_howto_table): Likewise.
    	* elf32-cr16.c (cr16_elf_howto_table): Likewise.
    	* elf32-cris.c (cris_elf_howto_table): Likewise.
    	* elf32-crx.c (crx_elf_howto_table): Likewise.
    	* elf32-d10v.c (elf_d10v_howto_table): Likewise.
    	* elf32-d30v.c (elf_d30v_howto_table): Likewise.
    	* elf32-dlx.c (dlx_elf_howto_table): Likewise.
    	* elf32-epiphany.c (epiphany_elf_howto_table): Likewise.
    	* elf32-fr30.c (fr30_elf_howto_table): Likewise.
    	* elf32-frv.c (elf32_frv_howto_table): Likewise.
    	* elf32-h8300.c (h8_elf_howto_table): Likewise.
    	* elf32-i370.c (i370_elf_howto_raw): Likewise.
    	* elf32-i386.c (elf_howto_table): Likewise.
    	* elf32-i860.c (elf32_i860_howto_table): Likewise.
    	* elf32-i960.c (elf32_i960_relocate): Likewise.
    	* elf32-ip2k.c (ip2k_elf_howto_table): Likewise.
    	* elf32-iq2000.c (iq2000_elf_howto_table): Likewise.
    	* elf32-lm32.c (lm32_elf_howto_table): Likewise.
    	* elf32-m32c.c (m32c_elf_howto_table): Likewise.
    	* elf32-m32r.c (m32r_elf_howto_table): Likewise.
    	* elf32-m68hc11.c (elf_m68hc11_howto_table): Likewise.
    	* elf32-m68hc12.c (elf_m68hc11_howto_table): Likewise.
    	* elf32-m68k.c (howto_table): Likewise.
    	* elf32-mcore.c (mcore_elf_howto_raw): Likewise.
    	* elf32-mep.c (mep_elf_howto_table): Likewise.
    	* elf32-metag.c (elf_metag_howto_table): Likewise.
    	* elf32-microblaze.c (microblaze_elf_howto_raw): Likewise.
    	* elf32-mips.c (elf_mips_howto_table_rel): Likewise.
    	* elf32-moxie.c (moxie_elf_howto_table): Likewise.
    	* elf32-msp430.c (elf_msp430_howto_table): Likewise.
    	* elf32-mt.c (mt_elf_howto_table): Likewise.
    	* elf32-nds32.c (nds32_elf_howto_table): Likewise.
    	* elf32-nios2.c (elf_nios2_howto_table_rel): Likewise.
    	* elf32-or1k.c (or1k_elf_howto_table): Likewise.
    	* elf32-pj.c (pj_elf_howto_table): Likewise.
    	* elf32-ppc.c (ppc_elf_howto_raw): Likewise.
    	* elf32-rl78.c (rl78_elf_howto_table): Likewise.
    	* elf32-rx.c (rx_elf_howto_table): Likewise.
    	* elf32-s390.c (elf_howto_table): Likewise.
    	* elf32-score.c (elf32_score_howto_table): Likewise.
    	* elf32-score7.c (elf32_score_howto_table): Likewise.
    	* elf32-sh-relocs.h (R_SH_NONE): Likewise.
    	* elf32-spu.c (elf_howto_table): Likewise.
    	* elf32-tic6x.c (elf32_tic6x_howto_table): Likewise.
    	* elf32-tilepro.c (tilepro_elf_howto_table): Likewise.
    	* elf32-v850.c (v850_elf_howto_table): Likewise.
    	* elf32-vax.c (howto_table): Likewise.
    	* elf32-xc16x.c (xc16x_elf_howto_table): Likewise.
    	* elf32-xgate.c (elf_xgate_howto_table): Likewise.
    	* elf32-xstormy16.c (xstormy16_elf_howto_table): Likewise.
    	* elf32-xtensa.c (elf_howto_table): Likewise.
    	* elf64-alpha.c (elf64_alpha_howto_table): Likewise.
    	* elf64-mips.c (mips_elf64_howto_table_rel): Likewise.
    	* elf64-mmix.c (elf_mmix_howto_table): Likewise.
    	* elf64-ppc.c (ppc64_elf_howto_raw): Likewise.
    	* elf64-s390.c (elf_howto_table): Likewise.
    	* elf64-sh64.c (sh_elf64_howto_table): Likewise.
    	* elf64-x86-64.c (x86_64_elf_howto_table): Likewise.
    	* elfn32-mips.c (elf_mips_howto_table_rel): Likewise.
    	* elfnn-aarch64.c (elfNN_aarch64_howto_table): Likewise.
    	(elfNN_aarch64_howto_none): Likewise.
    	* elfxx-ia64.c (ia64_howto_table): Likewise.
    	* elfxx-sparc.c (_bfd_sparc_elf_howto_table): Likewise.
    	* elfxx-tilegx.c (tilegx_elf_howto_table): Likewise.
    	* nlm32-sparc.c (nlm32_sparc_howto_table): Likewise.
    
    	2015-01-06  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* mach-o.c (bfd_mach_o_read_symtab_strtab): Zero terminate the
    	string table.
    
    	* reloc.c (bfd_get_reloc_size): Handle a reloc size of -1.
    	(bfd_perform_relocation): Include the size of the reloc in the
    	test for an out of range relocation.
    	(bfd_generic_get_relocated_section_contents): Remove reloc range
    	test.
    
    	* tekhex.c (getvalue): Add an end pointer parameter.  Use it to
    	avoid reading off the end of the buffer.
    	(getsym): Likewise.
    	(first_phase): Likewise.
    	(pass_over): Pass an end pointer to the invoked function.
    
    	2015-01-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* archive.c (do_slurp_bsd_armap): Make sure that the parsed size
    	is at least big enough for the header to be read.
    	* mach-o.c (bfd_mach_o_get_synthetic_symtab): Add range checks.
    	(bfd_mach_o_read_command): Prevent duplicate error messages about
    	unrecognized commands.
    	* syms.c (_bfd_stab_section_find_nearest_line): Add range checks
    	when indexing into the string table.
    
    	2014-12-22  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* archive.c (do_slurp_bsd_armap): Return if the parsed_size is
    	zero.
    	(bfd_slurp_armap): Zero terminate the name.
    	(bfd_generic_stat_arch_elt): If there is no header, fail.
    	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): If no symbols have
    	been provided then set the reloc's symbol to undefined.
    	* reloc.c (bfd_generic_get_relocated_section_contents): Add range
    	checking of the reloc to be applied.
    	* versados.c (process_otr): Add more range checks.
    	(versados_canonicalize_reloc): If the section is unknown, set the
    	symbol to undefined.
    	* vms-alpha.c (_bfd_vms_slurp_eisd): Add range checks.
    	(alpha_vms_object_p): Likewise.
    
    	2014-12-16  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* format.c (bfd_check_format_matches): Check for a matching vector
    	before using match priorities.
    	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Fix off-by-one
    	errors with previous delta.
    
    	2014-12-09  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* archive64.c (bfd_elf64_archive_slurp_armap): Add range checks.
    	* libbfd.c (safe_read_leb128): New function.
    	* libbfd-in.h (safe_read_leb128): Add prototype.
    	* libbfd.h: Regenerate.
    
    	2014-12-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* compress.c (bfd_get_full_section_contents): Fail if there are no
    	section contents available when the compress_status is
    	COMPRESS_SECTION_DONE.
    	* libbfd.c (bfd_malloc): Refuse to allocate a negative size.
    	(bfd_malloc2): Use bfd_malloc.
    	(bfd_realloc): Refuse to reallocate a negative size.
    	(bfd_realloc2): Use bfd_realloc.
    	(bfd_realloc_or_free): Use bfd_realloc.
    	(bfd_zmalloc): Use bfd_malloc.
    	(bfd_zmalloc): Use bfd_malloc2.
    	* opncls.c (bfd_alloc): Refuse to allocate a negative size.
    
    	2014-12-01  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* archive.c (do_slurp_coff_armap): Add range checks to prevent
    	running off the end of the string table.
    	* compress.c (bfd_get_full_section_contents): Return a NULL
    	pointer for zero sized sections.  Do not attempt to copy a buffer
    	onto itself.
    	* reloc.c (bfd_perform_relocation): Avoid seg-fault if the howto
    	parameter is NULL.
    
    	2014-11-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Likewise.
    	(bfd_mach_o_mangle_sections): Move test for too many sections to
    	before the allocation of the section table.
    	(bfd_mach_o_read_symtab_strtab): If the read fails, free the
    	memory and nullify the symbol pointer.
    	* reloc.c (bfd_generic_get_relocated_section_contents): Add
    	handling of a bfd_reloc_notsupported return value.
    	* versados.c (EDATA): Add range checking.
    	(get_record): Likewise.
    	(process_otr): Check for contents being available before updating
    	them.
    	(versados_canonicalize_reloc): Add range check.
    
    	2014-11-21  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* ieee.c (next_byte): Convert to a function.  Return FALSE if the
    	next byte is beyond the end of the buffer.
    	(parse_int): Test the return value of next_byte.
    	(parse_expression): Convert to boolean.  Return FALSE if the
    	parsing failed.  Test the return value of next_byte.
    	(ieee_seek): Convert to a function.  Return FALSE if the seek goes
    	beyond the end of the buffer.
    	(ieee_slurp_external_symbols): Test the return value of ieee_seek
    	and next_byte.
    	(ieee_slurp_sections): Convert to boolean.  Return FALSE if the
    	operation failed.  Test the return value of ieee_seek and
    	next_byte.
    	(ieee_archive_p): Test the return value of ieee_seek and
    	next_byte.
    	(do_one): Likewise.
    	(ieee_slurp_section_data): Likewise.
    	(ieee_object_p): Likewise.  Store the size of the buffer in the
    	total_amt field in the header.
    	* libieee.h (common_header_type): Add amt field.
    	* mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the
    	reloc's value is within range.
    	(bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the
    	operation fails.
    	* versados.c (process_otr): Check that the section exists before
    	taking its size.
    	(versados_object_p): Make sure that enough data was read for the
    	header to be checked.
    	* vms-alpha.c (vms_get_remaining_object_record): Change
    	read_so_far parameter to an unsigned int.  Check that the amount
    	read is in range.
Comment 224 Sourceware Commits 2015-03-25 16:10:06 UTC
The binutils-2_25-branch branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ab50ec071e10f7dc038d05c82bc2c7b388e787f5

commit ab50ec071e10f7dc038d05c82bc2c7b388e787f5
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Mar 25 16:08:17 2015 +0000

    Import fixes from mainline sources that address illegal memory access problems with the ELF targeted parts of the BFD library.
    
    2015-03-25  Nick Clifton  <nickc@redhat.com>
    
    	Apply from master:
    	2015-02-26  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* elf.c (elf_fake_sections): Handle excessive alignment powers.
    	(assign_file_positions_for_non_load_sections): Replace assertion
    	with an error message.
    	(rewrite_elf_program_header): Handle excessive segment
    	alignments.
    
    	2015-02-13  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17512
    	* elf64-ppc.c (opd_entry_value): Tighten offset check.  Remove
    	now redundant assert.
    
    	2015-02-12  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf2.c (read_1_byte, read_1_signed_byte, read_2_bytes)
    	(read_4_bytes, read_8_bytes, read_n_bytes, read_string)
    	(read_indirect_string, read_alt_indirect_string)
    	(read_alt_indirect_ref, read_address, read_abbrevs)
    	(read_attribute_value, read_attribute, decode_line_info)
    	(find_abstract_instance_name, read_rangelist)
    	(scan_unit_for_symbols, parse_comp_unit)
    	(_bfd_dwarf2_find_nearest_line): Harden DWARF reading code.  Pass
    	end pointers to reading functions and check for offsets taking
    	pointers out of range.  Replace calls to read_*_leb128 with calls
    	to safe_read_leb128.
    
    	* elf64-ppc.c (opd_entry_value): Add a check for an overlarge
    	offset.
    
    	2015-02-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* elf-m10300.c (mn10300_info_to_howto): Fix typo in error message.
    	* elf32-arc.c (arc_info_to_howto_rel): Likewise.
    	* elf32-avr.c (avr_info_to_howto_rela): Likewise.
    	* elf32-cr16.c (elf_cr16_info_to_howto): Likewise.
    	* elf32-cr16c.c (elf_cr16c_info_to_howto_rel): Likewise.
    	* elf32-cris.c (cris_info_to_howto_rela): Likewise.
    	* elf32-crx.c (elf_crx_info_to_howto): Likewise.
    	* elf32-d10v.c (d10v_info_to_howto_rel): Likewise.
    	* elf32-d30v.c (d30v_info_to_howto_rel): Likewise.
    	* elf32-epiphany.c (epiphany_info_to_howto_rela): Likewise.
    	* elf32-fr30.c (fr30_info_to_howto_rela): Likewise.
    	* elf32-frv.c (frv_info_to_howto_rela): Likewise.
    	* elf32-i370.c (i370_elf_info_to_howto): Likewise.
    	* elf32-i960.c (elf32_i960_info_to_howto_rel): Likewise.
    	* elf32-ip2k.c (ip2k_info_to_howto_rela): Likewise.
    	* elf32-iq2000.c (iq2000_info_to_howto_rela): Likewise.
    	* elf32-lm32.c (lm32_info_to_howto_rela): Likewise.
    	* elf32-m32c.c (m32c_info_to_howto_rela): Likewise.
    	* elf32-m32r.c (m32r_info_to_howto_rel): Likewise.
    	* elf32-m68hc11.c (m68hc11_info_to_howto_rel): Likewise.
    	* elf32-m68hc12.c (m68hc11_info_to_howto_rel): Likewise.
    	* elf32-mcore.c (mcore_elf_info_to_howto): Likewise.
    	* elf32-mep.c (mep_info_to_howto_rela): Likewise.
    	* elf32-metag.c (metag_info_to_howto_rela): Likewise.
    	* elf32-microblaze.c (microblaze_elf_info_to_howto): Likewise.
    	* elf32-moxie.c (moxie_info_to_howto_rela): Likewise.
    	* elf32-msp430.c (msp430_info_to_howto_rela): Likewise.
    	* elf32-mt.c (mt_info_to_howto_rela): Likewise.
    	* elf32-nds32.c (nds32_info_to_howto_rel): Likewise.
    	* elf32-or1k.c (or1k_info_to_howto_rela): Likewise.
    	* elf32-pj.c (pj_elf_info_to_howto): Likewise.
    	* elf32-ppc.c (ppc_elf_info_to_howto): Likewise.
    	* elf32-rl78.c (rl78_info_to_howto_rela): Likewise.
    	* elf32-rx.c (rx_info_to_howto_rela): Likewise.
    	* elf32-sh.c (sh_elf_info_to_howto): Likewise.
    	* elf32-spu.c (spu_elf_info_to_howto): Likewise.
    	* elf32-v850.c (v850_elf_perform_relocation): Likewise.
    	* elf32-vax.c (rtype_to_howto): Likewise.
    	* elf32-visium.c (visium_info_to_howto_rela): Likewise.
    	* elf32-xgate.c (xgate_info_to_howto_rel): Likewise.
    	* elf32-xtensa.c (elf_xtensa_info_to_howto_rela): Likewise.
    	* elf64-alpha.c (elf64_alpha_info_to_howto): Likewise.
    	* elf64-mmix.c (mmix_info_to_howto_rela): Likewise.
    
    	2015-01-27  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf2.c (concat_filename): Check for an empty directory table.
    	(scan_unit_for_symbols): Check for reading off the end of the
    	unit.
    	(parse_comp_unit): Check for a DW_AT_comp_dir attribute with a
    	non-string form.
    
    	2015-01-15  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* elf-m10300.c (mn10300_info_to_howto): Replace assertion with an
    	error message.  Never return an invalid howto pointer.
    	* elf32-cr16.c (cr16_info_to_howto): Likewise.
    	* elf32-crx.c (elf_crx_info_to_howto): Likewise.
    	* elf32-i370.c (i370_elf_info_to_howto): Likewise.
    	* elf32-mcore.c (mcore_elf_info_to_howto): Likewise.
    	* elf32-microblaze.c (microblaze_elf_info_to_howto): Likewise.
    	* elf32-mips.c (mips_elf32_rtype_to_howto): Likewise.
    	* elf32-pj.c (pj_elf_info_to_howto): Likewise.
    	* elf32-ppc.c (ppc_elf_info_to_howto): Likewise.
    	* elf32-spu.c (spu_elf_info_to_howto): Likewise.
    	* elf32-v850.c (v850_elf_info_to_howto_rela): Likewise.
    	* elf32-vax.c (rtype_to_howto): Likewise.
    	* elf64-alpha.c (elf64_alpha_info_to_howto): Likewise.
    	* elf64-mips.c (mips_elf64_rtype_to_howto): Likewise.
    	* elfn32-mips.c (sh_elf_info_to_howto): Likewise.
    	* elf32-sh.c (sh_elf_info_to_howto): Likewise.
    	(sh_elf_reloc): Check that the reloc is in range.
    	* reloc.c (bfd_perform_relocation): Check that the section is big
    	enough for the entire reloc.
    	(bfd_generic_get_relocated_section_contents): Report unexpected
    	return values from perform_reloc.
    
    	2015-01-08  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* elf.c (_bfd_elf_map_sections_to_segments): Enforce a minimum
    	maxpagesize of 1.
    
    	2015-01-06  H.J. Lu  <hongjiu.lu@intel.com>
    
    	PR binutils/17512
    	* elf32-i386.c (elf_i386_get_plt_sym_val): Skip unknown relocation.
    	* elf64-x86-64.c (elf_x86_64_get_plt_sym_val): Likewise.
    
    	2014-12-22  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* elf32-arc.c (arc_info_to_howto_rel): Replace BFD_ASSERT with
    	error message.
    	* elf32-avr.c (avr_info_to_howto_rela): Likewise.
    	* elf32-cr16c.c (elf_cr16c_info_to_howto_rel): Likewise.
    	* elf32-cris.c (cris_info_to_howto_rela): Likewise.
    	* elf32-d10v.c (d10v_info_to_howto_rel): Likewise.
    	* elf32-d30v.c (d30v_info_to_howto_rel): Likewise.
    	* elf32-dlx.c (dlx_rtype_to_howto): Likewise.
    	* elf32-epiphany.c (epiphany_info_to_howto_rela): Likewise.
    	* elf32-fr30.c (fr30_info_to_howto_rela): Likewise.
    	* elf32-frv.c (frv_info_to_howto_rela): Likewise.
    	* elf32-i960.c (elf32_i960_info_to_howto_rel): Likewise.
    	* elf32-ip2k.c (ip2k_info_to_howto_rela): Likewise.
    	* elf32-iq2000.c (iq2000_info_to_howto_rela): Likewise.
    	* elf32-lm32.c (lm32_info_to_howto_rela): Likewise.
    	* elf32-m32c.c (m32c_info_to_howto_rela): Likewise.
    	* elf32-m32r.c (m32r_info_to_howto_rel): Likewise.
    	* elf32-m68hc11.c (m68hc11_info_to_howto_rel): Likewise.
    	* elf32-m68hc12.c (m68hc11_info_to_howto_rel): Likewise.
    	* elf32-mep.c (mep_info_to_howto_rela): Likewise.
    	* elf32-metag.c (metag_info_to_howto_rela): Likewise.
    	* elf32-moxie.c (moxie_info_to_howto_rela): Likewise.
    	* elf32-msp430.c (msp430_info_to_howto_rela): Likewise.
    	* elf32-mt.c (mt_info_to_howto_rela): Likewise.
    	* elf32-nds32.c (nds32_info_to_howto_rel): Likewise.
    	* elf32-or1k.c (or1k_info_to_howto_rela): Likewise.
    	* elf32-rl78.c (rl78_info_to_howto_rela): Likewise.
    	* elf32-rx.c (rx_info_to_howto_rela): Likewise.
    	* elf32-v850.c (v850_elf_info_to_howto_rel): Likewise.
    	* elf32-xgate.c (xgate_info_to_howto_rel): Likewise.
    	* elf32-xtensa.c (elf_xtensa_info_to_howto_rela): Likewise.
    	* elf64-mmix.c (mmix_info_to_howto_rela): Likewise.
    	* elf64-x86-64.c (elf_x86_64_reloc_type_lookup): Likewise.
    	* elfnn-aarch64.c (elfNN_aarch64_bfd_reloc_from_type): Likewise.
    	* elf64-sparc.c (elf64_sparc_slurp_one_reloc_table): Add range
    	checking of reloc symbol index.
    
    	2014-12-09  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* elf-attrs.c (_bfd_elf_parse_attributes): Use safe_read_leb128.
    	Check for an over-long subsection length.
    	* elf.c (elf_parse_notes): Check that the namedata is long enough
    	for the string comparison that is about to be performed.
    	(elf_read_notes): Zero-terminate the note buffer.
    
    	2014-12-01  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* elf-attrs.c (_bfd_elf_parse_attributes): Check for an empty
    	header.  Add range checks to avoid running off the end of the
    	section.
    	* elf.c (bfd_elf_get_str_section): Seek before allocating so that
    	if the seek fails, no memory is allocated.
    	(bfd_elf_string_from_elf_section): Do not allocate a string from a
    	non string section.  It only leads to trouble later on.
    	(_bfd_elf_print_private_bfd_data): Check for there being too
    	little external dynamic data.
    	(bfd_section_from_shdr): Replace assertion with a failure mode.
    	(bfd_section_from_shdr): When walking a loaded group section use
    	the internal structure size, not the external size.  Check for the
    	group section being empty.
    	* elf32-i386.c (elf_i386_rtype_to_howto): Replace assertion with a
    	failure mode.
    	* elfcode.h (elf_slurp_reloc_table): Likewise.
    
    	2014-11-27  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* elf.c (_bfd_elf_print_private_bfd_data): Fix the range check
    	scanning the external dynamic entries.
Comment 225 Nick Clifton 2015-11-27 12:01:51 UTC
*** Bug 19296 has been marked as a duplicate of this bug. ***
Comment 226 felix 2016-07-23 12:34:01 UTC
Unfortunately, thanks to fixes to this bug, I cannot (can no longer?) run windres on stock binaries shipping with Windows.

$ i686-w64-mingw32-windres shell32.dll shell32.rc
i686-w64-mingw32-windres: shell32.dll: resource name: address out of bounds

(The shell32.dll binary is from Windows 98 SE.)
Comment 227 Nick Clifton 2016-07-25 10:00:28 UTC
Created attachment 9402 [details]
Proposed patch

Hi Felix,
 
> $ i686-w64-mingw32-windres shell32.dll shell32.rc
> i686-w64-mingw32-windres: shell32.dll: resource name: address out of bounds

Oops - sorry about that.  This patch will fix the immediate problem.  But running
windres now produces this result:

   version length 928 does not match resource length 936

I assume that this is not the expected result. :-(  I am not sure what is causing
this though, so it looks like more investigation is needed.

Cheers
  Nick
Comment 228 Sourceware Commits 2016-07-28 14:38:23 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4931146e91c3c8208f1e0b8462b8f33e70da506a

commit 4931146e91c3c8208f1e0b8462b8f33e70da506a
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jul 28 15:37:16 2016 +0100

    Fix decoding of Windows resources.
    
    	PR binutils/17512
    	* rescoff.c (read_coff_res_dir): Fix detection of buffer overrun.
    	* resbin.c (bin_to_res_version): Allow for the padded length of a
    	version block to be longer than the recorded length.  Skip padding
    	bytes.
Comment 229 Nick Clifton 2016-07-28 14:42:58 UTC
Hi Felix,

  Right - I have checked in an extended version of my previous patch and now decoding the resources in shell32.dll should work.

Cheers
  Nick
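The failure mode in comments 226 to 229 is worth seeing in code, because the two directions of a length mismatch are not symmetric: a recorded block length that exceeds the containing resource is the overrun a fuzzer triggers, while a resource that is a few bytes longer than the recorded length is ordinary DWORD padding. The following is an added example, not binutils' rescoff.c or resbin.c. It assumes the documented VS_VERSIONINFO layout (each block starts with the little-endian WORDs wLength, wValueLength, wType and children are 4-byte aligned); the functions, status codes and the `sample_res` / `sample_res_bad` byte arrays are constructed here for illustration and do not appear in binutils.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not binutils' resbin.c.  A version resource is a tree of
   blocks, each starting with three little-endian WORDs: wLength (size of
   the whole block), wValueLength and wType.  Blocks are aligned to 4 bytes,
   and the enclosing resource entry may be padded beyond the top-level
   wLength, so "resource longer than wLength" is slack, not corruption. */

enum verblock_status {
    VER_OK = 0,
    VER_TRUNCATED,        /* fewer bytes than the 6-byte header */
    VER_BAD_LENGTH,       /* wLength smaller than its own header */
    VER_OVERRUN,          /* wLength runs past the end of the resource */
    VER_LENGTH_MISMATCH   /* strict mode only: lengths differ at all */
};

static uint16_t rd_le16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Over-strict variant: treats any slack as an error.  This is the shape of
   the "version length 928 does not match resource length 936" failure. */
enum verblock_status check_version_block_strict(const unsigned char *res,
                                                size_t reslen)
{
    if (reslen < 6)
        return VER_TRUNCATED;
    uint16_t wlength = rd_le16(res);
    if (wlength < 6)
        return VER_BAD_LENGTH;
    if (wlength > reslen)
        return VER_OVERRUN;
    if (wlength != reslen)
        return VER_LENGTH_MISMATCH;
    return VER_OK;
}

/* Tolerant variant: keeps the check that matters for memory safety
   (wLength must fit inside the resource) and reports the slack so the
   caller can skip it instead of rejecting the file. */
enum verblock_status check_version_block(const unsigned char *res,
                                         size_t reslen, size_t *slack)
{
    if (reslen < 6)
        return VER_TRUNCATED;
    uint16_t wlength = rd_le16(res);
    if (wlength < 6)
        return VER_BAD_LENGTH;
    if (wlength > reslen)
        return VER_OVERRUN;
    if (slack)
        *slack = reslen - wlength;
    return VER_OK;
}

/* Walk the child blocks inside a parent of blklen bytes, starting at
   first_child_off (the caller has already skipped szKey and any fixed
   payload).  Each child is re-aligned to 4 bytes and bounds-checked against
   the parent before its length is trusted.  Returns the child count, or -1
   if a child would run past the parent. */
int walk_children(const unsigned char *blk, size_t blklen, size_t first_child_off)
{
    size_t off = first_child_off;
    int n = 0;
    while (off < blklen) {
        off = (off + 3) & ~(size_t)3;   /* DWORD alignment between children */
        if (off >= blklen)
            break;                      /* only trailing padding remains */
        if (blklen - off < 6)
            return -1;
        uint16_t len = rd_le16(blk + off);
        if (len < 6 || len > blklen - off)
            return -1;
        off += len;
        n++;
    }
    return n;
}

/* Constructed sample, not a real resource: a 22-byte top-level block with
   two 6-byte children, stored in a 24-byte resource entry. */
const unsigned char sample_res[24] = {
    22, 0,  0, 0,  1, 0,   /* top block: wLength=22, wValueLength=0, wType=1 */
    0, 0,                  /* alignment padding before the first child */
    6, 0,  0, 0,  1, 0,    /* child 1 at offset 8 */
    0, 0,                  /* alignment padding */
    6, 0,  0, 0,  1, 0,    /* child 2 at offset 16, block ends at 22 */
    0, 0                   /* resource padding to 24 */
};

/* Same layout, but child 2 claims 0x7fff bytes: the overrun a fuzzer finds. */
const unsigned char sample_res_bad[24] = {
    22, 0,  0, 0,  1, 0,  0, 0,
    6, 0,  0, 0,  1, 0,  0, 0,
    0xff, 0x7f,  0, 0,  1, 0,  0, 0
};

/* Slack of the constructed sample: 24 - 22 = 2 bytes. */
size_t sample_res_slack(void)
{
    size_t slack = 0;
    check_version_block(sample_res, sizeof sample_res, &slack);
    return slack;
}
```

The strict checker rejects the constructed sample for its two padding bytes exactly as the original check rejected shell32.dll, while the tolerant checker still refuses a resource shorter than its recorded length and `walk_children` still stops at a child whose length runs past its parent.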
Comment 230 Christophe Lyon 2016-08-01 13:09:58 UTC
(In reply to cvs-commit@gcc.gnu.org from comment #228)
> The master branch has been updated by Nick Clifton <nickc@sourceware.org>:
> 
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4931146e91c3c8208f1e0b8462b8f33e70da506a
> 
> commit 4931146e91c3c8208f1e0b8462b8f33e70da506a
> Author: Nick Clifton <nickc@redhat.com>
> Date:   Thu Jul 28 15:37:16 2016 +0100
> 
>     Fix decoding of Windows resources.
>     
>     	PR binutils/17512
>     	* rescoff.c (read_coff_res_dir): Fix detection of buffer overrun.
>     	* resbin.c (bin_to_res_version): Allow for the padded length of a
>     	version block to be longer than the recorded length.  Skip padding
>     	bytes.

Hi Nick,

Since you committed this patch, I've noticed build failures when binutils are configured with:
--enable-64-bit-bfd=yes --target arm-wince-pe,
in a i386 chroot.

The error messages are:
../../binutils/resbin.c: In function 'bin_to_res_version':
../../binutils/resbin.c:967:5: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'rc_uint_type' [-Werror=format=]
     verlen, length);
     ^
../../binutils/resbin.c:967:5: error: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'rc_uint_type' [-Werror=format=]
Comment 231 Sourceware Commits 2016-08-02 10:07:34 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2d5bddc1eb5d2c04ed142c7ba6fc13e2e3a28079

commit 2d5bddc1eb5d2c04ed142c7ba6fc13e2e3a28079
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Aug 2 11:06:28 2016 +0100

    Avoid compile time warning when building on 32-bit host.
    
    	PR binutils/17512
    	* resbin.c (bin_to_res_version): Cast variables to correct type
    	for printing in error message.
Comment 232 Nick Clifton 2016-08-02 10:10:06 UTC
(In reply to Christophe Lyon from comment #230)

Hi Christophe,

> ../../binutils/resbin.c:967:5: error: format '%lu' expects argument of type
> 'long unsigned int', but argument 2 has type 'rc_uint_type' [-Werror=format=]
>      verlen, length);

Sorry about that.  For some reason my 32-bit builds are not showing up this kind of problem.  I think it is because my host machine is still 64-bits.

Anyway, I have checked in a simple patch to fix the problem.

Cheers
  Nick
Comment 233 Paul Carroll 2016-09-07 22:08:35 UTC
If I may say so, I believe the issue of synthetic symbols is not being handled correctly by the patch here.
The 'is_synthetic' flag was added to 'print_symbol()'.
The flag itself is set in 'print_size_symbols()' and 'print_symbols()' by just deciding that the last 'synth_count' symbols in the list are synthetic.
However, since there are 2 different methods of sorting these symbols, either with the 'qsort()' or the call to 'sort_symbols_by_size()', it is unlikely that the last 'synth_count' symbols of each sort will all be synthetic.
There is also the added call to 'filter_symbols()' before the sorts, which may or may not remove synthetic symbols, while not adjusting the 'synth_count' value.
(If no synthetic symbols are filtered, then there is no harm - I haven't looked at the filter function yet)

In my opinion, it makes more sense to remove the 'from >= fromsynth' from the calls to 'print_symbol()' and 'print_size_symbols()', since the last 'synth_count' symbols are not going to be synthetic.
Likewise, 'print_symbols()' can drop the 'is_synthetic' argument.
Instead, the symbol's flag can be tested to see if BSF_SYNTHETIC is set.
By doing that, the position of the symbol in the sorted list is irrelevant.

I am assuming that only synthetic symbols are being created with the BSF_SYNTHETIC flag set.  That seems to match the code in the bfd directory.
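The point made in the comment above, that a "last synth_count entries are synthetic" rule stops being true once the table is sorted or filtered, is easy to reproduce. The following is an added example, not nm.c or any binutils code: it models a symbol table as a small struct array, uses an illustrative bit for BSF_SYNTHETIC, and constructs a five-entry sample table. The function and variable names are invented for this illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not nm.c.  A cut-down symbol record: in BFD the synthetic
   symbols produced by bfd_get_synthetic_symtab carry BSF_SYNTHETIC in their
   flags; the bit value below is illustrative only. */
#define BSF_SYNTHETIC (1u << 21)

struct sym {
    const char *name;
    unsigned long value;
    unsigned flags;
};

/* Positional rule: the last synth_count entries of the array are the
   synthetic ones.  Only true while the array is still in "real symbols,
   then appended synthetic symbols" order. */
static int synthetic_by_position(size_t idx, size_t n, size_t synth_count)
{
    return idx >= n - synth_count;
}

/* Flag rule proposed in the comment above: ask the symbol itself. */
static int synthetic_by_flag(const struct sym *s)
{
    return (s->flags & BSF_SYNTHETIC) != 0;
}

static int cmp_by_value(const void *a, const void *b)
{
    const struct sym *x = a, *y = b;
    return (x->value > y->value) - (x->value < y->value);
}

/* Number of entries on which the two rules disagree. */
size_t count_disagreements(const struct sym *syms, size_t n, size_t synth_count)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (synthetic_by_position(i, n, synth_count) != synthetic_by_flag(&syms[i]))
            bad++;
    return bad;
}

/* Constructed table: three real symbols followed by two appended synthetic
   PLT symbols, the order nm holds them in before sorting. */
static const struct sym sample[] = {
    { "main",       0x1000, 0 },
    { "foo",        0x3000, 0 },
    { "bar",        0x5000, 0 },
    { "puts@plt",   0x2000, BSF_SYNTHETIC },
    { "printf@plt", 0x4000, BSF_SYNTHETIC },
};
#define SAMPLE_N      (sizeof sample / sizeof sample[0])
#define SAMPLE_SYNTH  2

/* Before sorting the two rules agree on every entry. */
size_t disagreements_unsorted(void)
{
    return count_disagreements(sample, SAMPLE_N, SAMPLE_SYNTH);
}

/* After an nm-style sort by address the PLT entries are interleaved with
   the real symbols: the positional rule then labels "bar" synthetic and
   "puts@plt" real. */
size_t disagreements_sorted(void)
{
    struct sym copy[SAMPLE_N];
    memcpy(copy, sample, sizeof copy);
    qsort(copy, SAMPLE_N, sizeof copy[0], cmp_by_value);
    return count_disagreements(copy, SAMPLE_N, SAMPLE_SYNTH);
}

/* The comment's second point: a filter that drops an entry without
   adjusting synth_count breaks the positional rule even without sorting.
   The predicate here (drop "puts@plt") is constructed for the example. */
size_t disagreements_after_filter(void)
{
    struct sym copy[SAMPLE_N];
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_N; i++)
        if (strcmp(sample[i].name, "puts@plt") != 0)
            copy[n++] = sample[i];
    return count_disagreements(copy, n, SAMPLE_SYNTH);  /* synth_count unchanged */
}
```

Testing the flag per symbol costs nothing extra and is independent of whatever `qsort`, `sort_symbols_by_size` or a filter does to the order, which is the whole argument for dropping the positional `from >= fromsynth` test.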
Comment 234 Sourceware Commits 2017-03-20 17:20:37 UTC
The master branch has been updated by Mark Wielaard <mark@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39e224f6f9ee3f6123d4c9ddb7c0955e0604c1b4

commit 39e224f6f9ee3f6123d4c9ddb7c0955e0604c1b4
Author: Mark Wielaard <mark@klomp.org>
Date:   Mon Mar 20 15:32:34 2017 +0100

    readelf: Don't error on .debug files with NOBITS .dynamic section.
    
    The fix for PR binutils/17512 added a check for the dynamic segment being
    inside the actual ELF file. If not an error message would be produced:
    
    readelf: Error: the dynamic segment offset + size exceeds the size of the file
    
    Unfortunately for separate debuginfo files it is common for the dynamic
    segment not being inside the file because the .dynamic section is NOBITS.
    
    Since the check is done unconditionally in process_program_headers and
    process_program_headers is always called (to setup dynamic_addr in case
    it is needed). The error is produced on any operations done on any .debug
    file (even if no program headers or the dynamic segment is used).
    
    If there are section headers then a cross check is done to see if the
    .dynamic section is NOBITS in which case dynamic_addr is set to zero
    without a warning or error (which is then checked first before any
    operation on the dynamic segment is done).
    
    Move the check for the dynamic segment being inside the actual ELF file
    after the cross check with the section headers to suppress the error for
    .debug files.
    
    binutils/ChangeLog:
    
    	* readelf.c (process_program_headers): Move dynamic_addr check
    	after .dynamic section cross check.
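The ordering described in the commit message above is the interesting part: the same "segment offset + size must fit in the file" guard is correct against a fuzzed binary and wrong against a separate .debug file, and the only thing that distinguishes the two is the section-header cross check. The following is an added example, not readelf.c. It redeclares the ELF64 header layouts from <elf.h> so it is self-contained, and, as a labelled simplification, matches the .dynamic section by the segment's virtual address rather than by the section name ".dynamic" that readelf uses, which avoids also parsing .shstrtab. The sample file built by `build_sample` is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not readelf's code.  ELF64 layouts redeclared from
   <elf.h> so the example is self-contained. */
#define PT_DYNAMIC  2
#define SHT_DYNAMIC 6
#define SHT_NOBITS  8

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;  uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;  uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf64_Ehdr;
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Elf64_Phdr;
typedef struct {
    uint32_t sh_name, sh_type;  uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;  uint64_t sh_addralign, sh_entsize;
} Elf64_Shdr;

enum dyn_status { DYN_ABSENT = 0, DYN_OK, DYN_NOBITS, DYN_TRUNCATED, DYN_OUTSIDE_FILE };

/* Find PT_DYNAMIC and decide whether its bytes may be read from the file.
   The "segment inside the file" check runs only after the section-header
   cross check, so a .debug file (whose .dynamic is SHT_NOBITS) yields
   DYN_NOBITS, while a file that merely claims a dynamic segment beyond EOF
   still yields DYN_OUTSIDE_FILE. */
enum dyn_status locate_dynamic(const unsigned char *f, size_t flen,
                               uint64_t *dyn_off, uint64_t *dyn_size)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; Elf64_Shdr sh;
    int found = 0;

    if (flen < sizeof eh)
        return DYN_TRUNCATED;
    memcpy(&eh, f, sizeof eh);
    /* The program header table itself must lie inside the file. */
    if (eh.e_phentsize != sizeof ph || eh.e_phoff > flen
        || (uint64_t)eh.e_phnum * sizeof ph > flen - eh.e_phoff)
        return DYN_TRUNCATED;
    for (uint16_t i = 0; i < eh.e_phnum && !found; i++) {
        memcpy(&ph, f + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        found = (ph.p_type == PT_DYNAMIC);
    }
    if (!found)
        return DYN_ABSENT;

    /* Cross check against the section table, if there is one.  Assumption
       of this example: match on the segment's address, not on the name. */
    if (eh.e_shnum != 0) {
        if (eh.e_shentsize != sizeof sh || eh.e_shoff > flen
            || (uint64_t)eh.e_shnum * sizeof sh > flen - eh.e_shoff)
            return DYN_TRUNCATED;
        for (uint16_t i = 0; i < eh.e_shnum; i++) {
            memcpy(&sh, f + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
            if (sh.sh_addr == ph.p_vaddr && sh.sh_type == SHT_NOBITS) {
                *dyn_off = *dyn_size = 0;
                return DYN_NOBITS;
            }
        }
    }

    /* Only now: the segment's bytes must actually exist in the file. */
    if (ph.p_offset > flen || ph.p_filesz > flen - ph.p_offset)
        return DYN_OUTSIDE_FILE;
    *dyn_off = ph.p_offset;
    *dyn_size = ph.p_filesz;
    return DYN_OK;
}

/* Constructed sample (not a real binary): header, one PT_DYNAMIC program
   header at file offset 0x4000 (far past the 248 bytes emitted), and two
   section headers (null + a .dynamic-like one).  nobits selects SHT_NOBITS,
   as in a .debug file, or SHT_DYNAMIC, as in a truncated binary. */
size_t build_sample(unsigned char *buf, int nobits)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; Elf64_Shdr sh[2];
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph); memset(sh, 0, sizeof sh);
    memcpy(eh.e_ident, "\177ELF\002\001\001", 7);
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;             eh.e_phentsize = sizeof ph;    eh.e_phnum = 1;
    eh.e_shoff = sizeof eh + sizeof ph; eh.e_shentsize = sizeof sh[0]; eh.e_shnum = 2;
    ph.p_type = PT_DYNAMIC; ph.p_vaddr = 0x4000; ph.p_offset = 0x4000;
    ph.p_filesz = ph.p_memsz = 0x1d0;
    sh[1].sh_type = nobits ? SHT_NOBITS : SHT_DYNAMIC;
    sh[1].sh_addr = 0x4000; sh[1].sh_offset = 0x4000; sh[1].sh_size = 0x1d0;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + eh.e_phoff, &ph, sizeof ph);
    memcpy(buf + eh.e_shoff, sh, sizeof sh);
    return sizeof eh + sizeof ph + sizeof sh;    /* 64 + 56 + 128 = 248 */
}

/* Build the sample, optionally truncate it, and classify it. */
enum dyn_status classify_sample(int nobits, size_t truncate_to)
{
    unsigned char buf[256];
    uint64_t off = 0, size = 0;
    size_t len = build_sample(buf, nobits);
    if (truncate_to && truncate_to < len)
        len = truncate_to;
    return locate_dynamic(buf, len, &off, &size);
}
```

Note that every table offset is validated before it is dereferenced; the cross check does not weaken that, it only decides whether the absence of the segment's bytes is expected (NOBITS) or an error.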
Comment 235 Sourceware Commits 2023-03-03 03:47:44 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=de357ff4e4f8fa7aaf621d680fde72a010b026d2

commit de357ff4e4f8fa7aaf621d680fde72a010b026d2
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Mar 3 09:13:03 2023 +1030

    binutils coff type list
    
    As for commit 72d225ef9cc7, handle type numbers starting anywhere.
    
            PR 17512
            * rdcoff.c (struct coff_slots): Add base_index.
            (coff_get_slot): Delete pr17512 excessively large slot check.
            Don't allocate entire array from 0 to type number, allocate a
            sparse array.
Comment 236 Sourceware Commits 2023-03-27 11:29:27 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=695c322803476e92e1566c90470b6bb737a40514

commit 695c322803476e92e1566c90470b6bb737a40514
Author: Alan Modra <amodra@gmail.com>
Date:   Sun Mar 26 19:26:46 2023 +1030

    coffgrok access of u.auxent.x_sym.x_tagndx.p
    
    u.auxent.x_sym.x_tagndx is a union.  The p field is only valid when
    fix_tag is set.  This patch fixes code in coffgrok.c that accessed the
    field without first checking fix_tag, and removes a whole lot of code
    validating bogus pointers to prevent segfaults (which no longer
    happen, I checked the referenced PR 17512 testcases).  The patch also
    documents this in the fix_tag comment, makes is_sym a bitfield, and
    sorts the selector fields a little.
    
    bfd/
            * coffcode.h (combined_entry_type): Make is_sym a bitfield.
            Sort and comment on union selectors.
            * libcoff.h: Regenerate.
    binutils/
            * coffgrok.c (do_type): Make aux a combined_entry_type.  Test
            fix_tag before accessing u.auxent.x_sym.x_tagndx.p.  Remove
            now unnecessary pointer bounds checking.