Bug 17552 - strip/objcopy: directory traversal
Summary: strip/objcopy: directory traversal
Status: ASSIGNED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.26
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-04 22:14 UTC by Alexander Cherepanov
Modified: 2014-11-17 17:06 UTC (History)
1 user (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
Proposed patch (1.39 KB, patch)
2014-11-05 11:48 UTC, Nick Clifton
Details | Diff
Cleanup temporary files on error (723 bytes, patch)
2014-11-06 15:32 UTC, Nick Clifton
Details | Diff
Proposed patch (regenerated) (723 bytes, patch)
2014-11-07 13:47 UTC, Nick Clifton
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Cherepanov 2014-11-04 22:14:34 UTC
strip and objcopy don't filter out .. components from paths inside archive.

Consider an archive created with the following command:

$ printf '!<arch>\n%-48s%-10d`\n../file\n%-48s%-10s`\n' '//' 8 '/0' 0 > test.a

then runnig strip/objcopy on it will unlink ./file (e.g. unlink("stq0g2tL/../st4Mtgu4/../file") ).

Consider this:

$ printf '!<arch>\n%-48s%-10d`\n../../file\n\n%-48s%-10s`\n' '//' 12 '/0' 0 > test.a

then runnig strip/objcopy on it will unlink ../../file (e.g. unlink("staOxyFW/../../st4KIqLm/../../file") ).

See also https://sourceware.org/bugzilla/show_bug.cgi?id=17533#c4 .
Comment 1 Nick Clifton 2014-11-05 11:48:34 UTC
Created attachment 7899 [details]
Proposed patch
Comment 2 Nick Clifton 2014-11-05 11:49:05 UTC
Hi Alexander,

  Please could you try out the uploaded patch and let me know if it works for you ?

Cheers
  Nick
Comment 3 Alexander Cherepanov 2014-11-05 18:07:21 UTC
Yes, the check seems to be Ok in general. And the specific issues are fixed.

Two remarks:
- strip/objcopy don't remove temporary files and dirs when run on the test.a from below. Perhaps, this is intended behavior, I don't know;
- you seems to target Windows but the macros in include/filenames.h don't check for dos special names like con and prn (but it shouldn't be a problem under cygwin1.7).
Comment 4 cvs-commit@gcc.gnu.org 2014-11-06 14:50:43 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  dd9b91de2149ee81d47f708e7b0bbf57da10ad42 (commit)
      from  834107255bbefceb445fa733ebc1ea5d9f41ec7f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dd9b91de2149ee81d47f708e7b0bbf57da10ad42

commit dd9b91de2149ee81d47f708e7b0bbf57da10ad42
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Nov 6 14:49:10 2014 +0000

    Prevent archive memebers with illegal pathnames from being extracted from an archive.
    
    	PR binutils/17552, binutils/17533
    	* bucomm.c (is_valid_archive_path): New function.  Returns false
    	for absolute pathnames and pathnames that include /../.
    	* bucomm.h (is_valid_archive_path): Add prototype.
    	* ar.c (extract_file): Use new function to check for valid
    	pathnames when extracting files from an archive.
    	* objcopy.c (copy_archive): Likewise.
    	* doc/binutils.texi: Update documentation to mention the
    	limitation on pathname of archive members.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog         |   16 ++++++++++++++--
 binutils/ar.c              |    9 +++++++++
 binutils/bucomm.c          |   26 ++++++++++++++++++++++++++
 binutils/bucomm.h          |   12 ++++++++----
 binutils/doc/binutils.texi |    3 ++-
 binutils/objcopy.c         |    6 ++++++
 6 files changed, 65 insertions(+), 7 deletions(-)
Comment 5 Nick Clifton 2014-11-06 14:57:57 UTC
Hi Alexander,

  OK - I have checked the patch in.

  With regard to your questions.  1) Leaving the temporary files behind is not an intended feature, it is a bug.  I see about creating a patch to fix it.

  2. Adding handling for Windows special files seems a bit over the top.  Are there any real world sceanarios where this would be a real problem ?

Cheers
  Nick
Comment 6 Nick Clifton 2014-11-06 15:32:51 UTC
Created attachment 7909 [details]
Cleanup temporary files on error

Hi Alexander,

  Please try out this patch and see if it gets rid of those left over temporary files...

Cheers
  Nick
Comment 7 Alexander Cherepanov 2014-11-06 18:26:01 UTC
(In reply to Nick Clifton from comment #6)
>   Please try out this patch and see if it gets rid of those left over
> temporary files...

The patch doesn't apply to git head:

  patching file binutils/objcopy.c
  Hunk #1 FAILED at 2298.
  Hunk #2 FAILED at 2310.
  Hunk #3 FAILED at 2353.
  3 out of 5 hunks FAILED -- saving rejects to file binutils/objcopy.c.rej

(In reply to Nick Clifton from comment #5)
>   2. Adding handling for Windows special files seems a bit over the top. 
> Are there any real world sceanarios where this would be a real problem ?

Not really sure. I mainly think about sending garbage to a serial (com1-com9) or parallel (lpt9) port when something is connected to it, or to a printer (prn). But I haven't checked what native Windows ar (or other tools) will do in such a case.
Comment 8 Nick Clifton 2014-11-07 13:47:01 UTC
Created attachment 7913 [details]
Proposed patch (regenerated)

Hi Alexander,

  Sorry about that.  The master sources are changing rapidly at the moment.  Please try this regenerated patch instead.

Cheers
  Nick
Comment 9 Alexander Cherepanov 2014-11-07 15:10:01 UTC
Sorry, Nick, the new patch seems exactly as the previous. And it doesn't apply to git head. Did I miss something?
Comment 10 Nick Clifton 2014-11-07 15:43:42 UTC
Hi Alexander,

> Sorry, Nick, the new patch seems exactly as the previous.

So it is. :-(  I just assumed that I had made a mistake last time and so I regenerated the patch.  I should have checked to see if it was actually different in some way.

> And it doesn't apply to git head. Did I miss something?

Well I guess so.  I generated the patch by running "git diff binutils/objcopy.c" from an up-to-date set of binutils master sources, so I do not see how I missed anything.  Are you using the master branch ?

If you have a look at the failed hunks is there anything obvious about why they did not apply ?

If it still causes you problems I will just go ahead and check the patch in.  Then you can pull an updated set of sources and try again.  My local testing has not shown up any problems with the patch...

Cheers
  Nick
Comment 11 Alexander Cherepanov 2014-11-09 19:36:55 UTC
Ok, figured it out -- tabs were garbled while copy-pasting from a Web-page. Sorry for the noise.

The patch is working for me (binutils/strip-new and binutils/objcopy).
Comment 12 cvs-commit@gcc.gnu.org 2014-11-10 14:30:05 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  5e186ece2feebb46e63ff6bb2d2490aad0d5a724 (commit)
      from  36e9d67b868c85232ab630514260f0d9c9c6b27b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5e186ece2feebb46e63ff6bb2d2490aad0d5a724

commit 5e186ece2feebb46e63ff6bb2d2490aad0d5a724
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 10 14:28:43 2014 +0000

    Fix objcopy and strip so that they remove their temporary files even if an error occurs.
    
    	PR binutils/17552
    	* (copy_archive): Clean up temporary files even if an error
    	occurs.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog |    6 ++++++
 binutils/objcopy.c |   21 ++++++++++++++-------
 2 files changed, 20 insertions(+), 7 deletions(-)
Comment 13 cvs-commit@gcc.gnu.org 2014-11-17 17:06:14 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, binutils-2_25-branch has been updated
       via  8f66a6af276d17c0e386cd2409873f2e3e0b8a37 (commit)
       via  32a9d621c3c480aa093a089a36e36c35f68a4010 (commit)
      from  ff67f476b9907b9fddfbafff52caa4cce6a6f58c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8f66a6af276d17c0e386cd2409873f2e3e0b8a37

commit 8f66a6af276d17c0e386cd2409873f2e3e0b8a37
Merge: 32a9d62 ff67f47
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 17 17:04:16 2014 +0000

    Merge branch 'binutils-2_25-branch' of ssh://sourceware.org/git/binutils-gdb into binutils-2_25-branch
    
    Conflicts:
    	gas/ChangeLog

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=32a9d621c3c480aa093a089a36e36c35f68a4010

commit 32a9d621c3c480aa093a089a36e36c35f68a4010
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Nov 17 16:59:09 2014 +0000

    Applies a series of patches for PR 17512 and 17533 which fix invalid memory accesses.
    
    	2014-11-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* config/obj-coff.c (coff_obj_symbol_new_hook): Set the is_sym
    	field.
    
    	2014-11-14  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (get_encoded_value): Add an 'end' parameter.  Change the
    	'data' parameter to a double pointer and return the updated value.
    	(decode_location_expression): Update call to get_encoded_value.
    	(frame_need_space): Handle the case where one or both of the
    	mallocs fails.
    	(read_cie): Initialise the cie pointer, even if the read fails.
    	(display_debug_frames): Warn if the calculated block_end is before
    	the start of the block.  Break the loop if the CIE could not be
    	read.  Update call to get_encoded_value.  Warn if the read CFA
    	expressions are too big.
    
    	2014-11-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (process_version_sections): If the read of the version
    	def information fails, make sure that the external verdef data is
    	not used.
    	(get_dynamic_data): Do not attempt to allocate memory for more
    	dynamic data than there is in the file.  If the read fails, free
    	the allocated buffer.
    	(process_symbol_table): Do not print dynamic information if we
    	were unable to read the dynamic symbol table.
    	(print_gnu_note): Do not print the note if the descsz is too
    	small.
    
    	2014-11-12  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* dwarf.c (read_and_display_attr_value): Check that we do not read
    	past end.
    	(display_debug_pubnames_worker): Add range checks.
    	(process_debug_info): Check for invalid pointer sizes.
    	(display_loc_list): Likewise.
    	(display_loc_list_dwo): Likewise.
    	(display_debug_ranges): Likewise.
    	(display_debug_aranges): Check for invalid address size.
    	(read_cie): Add range checks.  Replace call strchr with while loop.
    	* objdump.c (dump_dwarf): Replace abort with a warning message.
    	(print_section_stabs): Improve range checks.
    	* rdcoff.c (coff_get_slot): Use long for indx parameter type.
    	Add check for an excesively large index.
    	* rddbg.c (read_section_stabs_debugging_info): Zero terminate the
    	string table.  Avoid walking off the end of the stabs data.
    	* stabs.c (parse_stab_string): Add check for a NULL name.
    
    	2014-11-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* binutils/readelf.c (dynamic_nent): Change type to size_t.
    	(slurp_rela_relocs): Use size_t type for nrelas.
    	(slurp_rel_relocs): Likewise.
    	(get_program_headers): Improve out of memory error message.
    	(get_32bit_section_headers): Likewise.
    	(get_32bit_section_headers): Likewise.
    	(get_64bit_section_headers): Likewise.
    	(get_32bit_elf_symbols): Likewise.
    	(get_64bit_elf_symbols): Likewise.
    	(process_section_groups): Likewise.
    	(get_32bit_dynamic_section): Likewise.
    	(get_64bit_dynamic_section): Likewise.
    	(process_dynamic_section): Likewise.
    	(process_version_sections): Likewise.
    	(get_symbol_index_type): Likewise.
    	(process_mips_specific): Likewise.
    	(process_corefile_note_segment): Likewise.
    	(process_version_sections): Use size_t type for total.
    	(get_dynamic_data): Change type of number parameter to size_t.
    	Improve out of memory error messages.
    	(process_symbol_table): Change type of nbuckets and nchains to
    	size_t.  Skip processing of sections headers if there are none.
    	Improve out of memory error messages.
    
    	2014-11-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (display_arm_attribute): Avoid reading off the end of
    	the buffer when processing a Tag_nodefaults.
    
    	2014-11-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (ia64_process_unwind): Replace assertion with an error
    	message.  Add range checking for group section indicies.
    	(hppa_process_unwind): Replace assertion with an error message.
    	(process_syminfo): Likewise.
    	(decode_arm_unwind_bytecode): Add range checking.
    	(dump_section_as_strings): Add more string range checking.
    	(display_tag_value): Likewise.
    	(display_arm_attribute): Likewise.
    	(display_gnu_attribute): Likewise.
    	(display_tic6x_attribute): Likewise.
    	(display_msp430x_attribute): Likewise.
    
    	2014-11-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17552
    	* objcopy.c (copy_archive): Clean up temporary files even if an
    	error occurs.
    
    	2014-11-07  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_data): Avoid allocating memory when we know that
    	the read will fail.
    	(find_section_by_type): New function.
    	(get_unwind_section_word): Check for invalid symbol indicies.
    	Check for invalid reloc types.
    	(get_32bit_dynamic_section): Add range checks.
    	(get_64bit_dynamic_section): Add range checks.
    	(process_dynamic_section): Check for a corrupt time value.
    	(process_symbol_table): Add range checks.
    	(dump_section_as_strings): Add string length range checks.
    	(display_tag_value): Likewise.
    	(display_arm_attribute): Likewise.
    	(display_gnu_attribute): Likewise.
    	(display_tic6x_attribute): Likewise.
    	(display_msp430x_attribute): Likewise.
    	(process_mips_specific): Add range check.
    
    	2014-11-06  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17552, binutils/17533
    	* bucomm.c (is_valid_archive_path): New function.  Returns false
    	for absolute pathnames and pathnames that include /../.
    	* bucomm.h (is_valid_archive_path): Add prototype.
    	* ar.c (extract_file): Use new function to check for valid
    	pathnames when extracting files from an archive.
    	* objcopy.c (copy_archive): Likewise.
    	* doc/binutils.texi: Update documentation to mention the
    	limitation on pathname of archive members.
    
    	2014-11-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (printable_section_name): New function.
    	(printable_section_name_from_index): New function.
    	(dump_relocations): Use new function.
    	(process_program_headers, get_32bit_elf_symbols,
    	(get_64bit_elf_symbols, process_section_headers,
    	(process_section_groups, process_relocs, ia64_process_unwind,
    	(hppa_process_unwind, get_unwind_section_word, decode_arm_unwind,
    	(arm_process_unwind, process_version_sections,
    	(process_symbol_table, apply_relocations, get_section_contents,
    	(dump_section_as_strings, dump_section_as_bytes,
    	(display_debug_section, process_attributes, process_mips_specific,
    	(process_mips_specific process_gnu_liblist): Likewise.
    	(get_unwind_section_word): Check for a missing symbol table.
    	Replace aborts with error messages.
    	(arm_process_unwind): Check for a missing string table.
    	(process_attributes): Check for an attribute length that is too
    	small.
    	(process_mips_specific): Check for a corrupt GOT symbol offset.
    
    	2014-11-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17533
    	* bucomm.c (is_valid_archive_path): New function.
    	* bucomm.h (is_valid_archive_path): Prototype it.
    	* ar.c (extract_file): Call is_valid_archive_path to verify a
    	member filename before extracting it.
    	* objcopy.c (copy_archive): Likewise.
    
    	2014-11-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17531
    	* readelf.c (get_data): If the reason parameter is null, do not
    	print any error messages.
    	(get_32bit_section_headers): Verify section header entry size
    	before reading in the section headers.
    	(get_64bit_section_headers): Likewise.
    	(process_section_headers): Pass FALSE to get_section_headers.
    	(get_file_header): Pass TRUE to get_section_headers.
    	(process_dynamic_section): Change an assert to an error message.
    	(process_symbol_table): Handle corrupt histograms.
    	(get_32bit_program_headers): Verify program header entry size
    	before reading in the program headers.
    	(get_64bit_program_headers): Likewise.
    	(get_unwind_section_word): Do nothing if no section was provided.
    	Fail if the offset is outside of the section.
    	(print_dynamic_symbol): Catch out of range symbol indicies.
    	(process_mips_specific): Likewise.
    	(process_attributes): Make sure that there is enough space left in
    	the section before attempting to read the length of the next
    	attribute.
    
    	2014-11-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* objdump.c (slurp_symtab): Fail gracefully if the table could not
    	be read.
    	(dump_relocs_in_section): Likewise.
    
    	2014-11-14  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17597
    	* opncls.c (bfd_get_debug_link_info): Avoid reading off the end of
    	the section.
    	(bfd_get_alt_debug_link_info): Likewise.
    
    	2014-11-14  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* ieee.c (ieee_archive_p) Skip processing if no bytes are read at
    	all.
    	(ieee_object_p): Likewise.
    
    	2014-11-13  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* coffcode.h (coff_slurp_line_table): Add cast to unsigned int.
    
    	2014-11-13  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* coffcode.h (coff_pointerize_aux_hook): Fix a typo.
    
    	2014-11-13  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_ptr_struct): Add is_sym field.
    	(coff_new_section_hook): Set the is_sym field.
    	(coff_pointerize_aux_hook): Check the is_sym field.
    	(coff_print_aux): Likewise.
    	(coff_compute_section_file_positions): Likewise.
    	(coff_write_object_contents): Likewise.
    	(coff_slurp_line_table): Likewise.
    	(coff_slurp_symbol_table): Likewise.
    	(CALC_ADDEND): Likewise.
    	* coffgen.c (coff_renumber_symbols): Likewise.
    	(coff_mangle_symbols): Likewise.
    	(coff_fix_symbol_name): Likewise.
    	(coff_write_symbol): Likewise.
    	(coff_write_alien_symbol): Likewise.
    	(coff_write_native_symbol): Likewise.
    	(coff_write_symbols): Likewise.
    	(coff_write_linenumbers): Likewise.
    	(coff_pointerize_aux): Likewise.
    	(coff_get_normalized_symtab): Likewise.
    	(coff_get_symbol_info): Likewise.
    	(bfd_coff_get_syment): Likewise.
    	(bfd_coff_get_auxent): Likewise.
    	(coff_print_symbol): Likewise.
    	(coff_find_nearest_line_with_names): Likewise.
    	(bfd_coff_set_symbol_class): Likewise.
    	(coff_make_empty_symbol): Set the is_sym field.
    	(coff_bfd_make_debug_symbol): Likewise.
    	* peicode.h (pe_ILF_make_a_symbol): Likewise.
    	* libcoff.h: Regenerate.
    	* libcoff-in.h: Regenerate.
    
    	2014-11-12  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Set the line number of
    	corrupt entries to -1.
    	(coff_slurp_symbol_table): Alway initialise the value of the
    	symbol.
    	* coffgen.c (coff_print_symbol): Check that the combined pointer
    	is valid.
    	(coff_print_symbol): Do not print negative line numbers.
    	* peXXigen.c (pe_print_idata): Add range checking displaying
    	member names.
    
    	2014-11-12  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Drop line number info
    	not preceded by a valid function entry.  Revert last change.
    
    	2014-11-11  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Initialise the parts of the
    	line number cache that would not be initialised by the copy from
    	the new line number table.
    	(coff_classify_symbol): Allow for _bfd_coff_internal_syment_name
    	returning NULL.
    	* coffgen.c (coff_get_normalized_symbols): Get the external
    	symbols before allocating space for the internal symbols, in case
    	the get fails.
    	* elf.c (_bfd_elf_slurp_version_tables): Only allocate a verref
    	array if one is needed.  Likewise with the verdef array.
    	* peXXigen.c (_bfd_XXi_swap_sym_in): Replace abort()'s with error
    	messages.
    	(_bfd_XXi_swap_aux_in): Make sure that all fields of the aux
    	structure are initialised.
    	(pe_print_edata): Avoid reading off the end of the data buffer.
    
    	2014-11-11  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Use updated lineno_count
    	when building func_table.
    
    	2014-11-11  Alan Modra  <amodra@gmail.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_slurp_line_table): Don't bfd_zalloc, just
    	memset the particular bits we need.  Update src after hitting loop
    	"continue".  Don't count lineno omitted due to invalid symbols in
    	nbr_func, and update lineno_count.  Init entire terminating
    	lineno.  Don't both allocating terminator in n_lineno_cache.
    	Redirect sym->lineno pointer to where n_lineno_cache will be
    	copied, and free n_lineno_cache.
    	* pe-mips.c (NUM_HOWTOS): Typo fix.
    
    	2014-11-10  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17521
    	* coff-i386.c (NUM_HOWTOS): New define.
    	(RTYPE2HOWTO): Use it.
    	(coff_i386_rtype_to_howto): Likewise.
    	(coff_i386_reloc_name_lookup): Likewise.
    	(CALC_ADDEND): Check that reloc r_type field is valid.
    	* coff-x86_64.c (NUM_HOWTOS): New define.
    	(RTYPE2HOWTO): Use it.
    	(coff_amd64_rtype_to_howto): Likewise.
    	(coff_amd64_reloc_name_lookup): Likewise.
    	(CALC_ADDEND): Check that reloc r_type field is valid.
    	* coffcode.h (coff_slurp_line_table): Check for symbol table
    	indexing underflow.
    	(coff_slurp_symbol_table): Use zalloc to ensure that all table
    	entries are initialised.
    	* coffgen.c (_bfd_coff_read_string_table): Initialise unused bits
    	in the string table.  Also ensure that the table is 0 terminated.
    	(coff_get_normalized_symtab): Check for symbol table indexing
    	underflow.
    	* opncls.c (bfd_alloc): Catch the case where a small negative size
    	can result in only 1 byte being allocated.
    	(bfd_alloc2): Use bfd_alloc.
    	* pe-mips.c (NUM_HOWTOS): New define.
    	(coff_mips_reloc_name_lookup): Use it.
    	(CALC_ADDEND): Check that reloc r_type field is valid.
    	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Initialise unused entries
    	in the DataDirectory.
    	(pe_print_idata): Avoid reading beyond the end of the data block
    	wen printing strings.
    	(pe_print_edata): Likewise.
    	Check for table indexing underflow.
    	* peicode.h (pe_mkobject): Initialise the pe_opthdr field.
    	(pe_bfd_object_p): Allocate and initialize enough space to hold a
    	PEAOUTHDR, even if the opt_hdr field specified less.
    
    	2014-11-08  Alan Modra  <amodra@gmail.com>
    
    	* peXXigen.c (pe_print_idata): Revert last patch, cast lhs instead.
    
    	2014-11-07  H.J. Lu  <hongjiu.lu@intel.com>
    
    	* peXXigen.c (pe_print_idata): Cast to unsigned long in range
    	checks.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* tekhex.c (tekhex_set_arch_mach): Ignore unknown arch errors.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* tekhex.c (CHUNK_SPAN): Define.
    	(struct data_struct <chunk_init>): Use one byte per span, update
    	all code accessing this field.
    	(find_chunk): Add create param, don't create new entry unless set.
    	(insert_byte): Don't save zeros.
    	(first_phase): Set section SEC_CODE or SEC_DATA flag depending
    	on symbol type.  Create an alternate section if both types of
    	symbol are given.  Attach type '2' and '6' symbols to absolute
    	section.
    	(move_section_contents): Fix caching of chunk.  Don't create chunk
    	when reading, or for writing zeros.
    	(tekhex_set_section_contents): Don't create initial chunks.
    	(tekhex_write_object_contents): Use CHUNK_SPAN.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* aoutx.h (aout_get_external_symbols): Tidy allocation of symbol buffer.
    
    	2014-11-07  Alan Modra  <amodra@gmail.com>
    
    	* archive.c (_bfd_slurp_extended_name_table): Revert bfd_get_size check.
    	* coffcode.h (coff_set_alignment_hook): Likewise.
    	(coff_slurp_line_table): Likewise.
    	* coffgen.c (coff_get_normalized_symtab): Likewise.
    	(_bfd_coff_get_external_symbols): Likewise.
    	* elf.c (bfd_elf_get_str_section): Likewise.
    	* tekhex.c (first_phase): Likewise.
    
    	2014-11-06  Nick Clifton  <nickc@redhat.com>
    
    	* aoutx.h (slurp_symbol_table): Revert previous delta.
    	(slurp_reloc_table): Likewise.
    	* compress.c (bfd_get_full_section_contents): Remove file size
    	test.
    	* coffgen.c (coff_get_normalized_symtab): Allow zero-sized symtabs
    	and do not complain about linker generated files.
    
    	2014-11-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (handle_COMDAT): Replace abort with BFD_ASSERT.
    	Replace another abort with an error message.
    	(coff_slurp_line_table): Add more range checking.
    	* peXXigen.c (pe_print_debugdata): Add range checking.
    
    	2014-11-05  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffcode.h (coff_set_alignment_hook): Warn if the file lies
    	about the number of relocations it contains.
    	(coff_sort_func_alent): Return 0 if the pointers are NULL.
    	(coff_slurp_line_table): Add more range checks.  Do not free new
    	tables created when sorting line numbers.
    	* peXXigen.c (pe_print_idata): Add range checks.
    	(pe_print_edata): Likewise.
    	(rsrc_print_resource_entries): Likewise.  Avoid printing control
    	characters.  Terminate priniting if corruption is detected.
    	(rsrc_print_resource_directory): Terminate printing if an unknown
    	directory type is encountered.
    	(pe_print_debugdata): Fix off-by-one error.
    	(rsrc_count_entries): Add range checking.
    	(rsrc_parse_entry): Likewise.
    
    	2014-11-04  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* compress.c (bfd_get_full_section_contents): Improve test for
    	linker created objects.
    
    	PR binutils/17533
    	* archive.c (_bfd_slurp_extended_name_table): Handle archives with
    	corrupt extended name tables.
    
    	2014-11-03  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* aoutx.h (slurp_symbol_table): Check that computed table size is
    	not bigger than the file from which is it being read.
    	(slurp_reloc_table): Likewise.
    	* coffcode.h (coff_slurp_line_table): Remove unneeded local
    	'warned'.  Do not try to print the details of a symbol with an
    	invalid index.
    	* coffgen.c (make_a_sectiobn_from_file): Check computed string
    	index against length of string table.
    	(bfd_coff_internal_syment_name): Check read in string offset
    	against length of string table.
    	(build_debug_section): Return a pointer to the section used.
    	(_bfd_coff_read_string_table): Store the length of the string
    	table in the coff_tdata structure.
    	(bfd_coff_free_symbols): Set the length of the string table to
    	zero when it is freed.
    	(coff_get_normalized_symtab): Check offsets against string table
    	or data table lengths as appropriate.
    	* cofflink.c (_bfd_coff_link_input_bfd): Check offset against
    	length of string table.
    	* compress.c (bfd_get_full_section_contents): Check computed size
    	against the size of the file.
    	* libcoff-in.h (obj_coff_strings_len): Define.
    	(struct coff_tdata): Add strings_len field.
    	* libcoff.h: Regenerate.
    	* peXXigen.c (pe_print_debugdata): Do not attempt to print the
    	data if the debug section is too small.
    	* xcofflink.c (xcoff_link_input_bfd):  Check offset against
    	length of string table.
    
    	2014-10-31  Nick Clifton  <nickc@redhat.com>
    
    	PR binutils/17512
    	* coffgen.c (_bfd_coff_get_external_symbols): Do not try to load a
    	symbol table bigger than the file.
    	* elf.c (bfd_elf_get_str_section): Do not try to load a string
    	table bigger than the file.
    	* tekhex.c (first_phase): Check that the section range is sane.

-----------------------------------------------------------------------

Summary of changes:
 bfd/ChangeLog              |  282 ++++++++++++
 bfd/aoutx.h                |   24 +-
 bfd/archive.c              |    5 +-
 bfd/coff-i386.c            |   17 +-
 bfd/coff-x86_64.c          |   11 +-
 bfd/coffcode.h             |  170 +++++---
 bfd/coffgen.c              |  168 ++++++--
 bfd/cofflink.c             |    5 +-
 bfd/elf.c                  |   24 +-
 bfd/ieee.c                 |    6 +-
 bfd/libcoff-in.h           |    3 +
 bfd/libcoff.h              |   16 +-
 bfd/opncls.c               |   41 +-
 bfd/pe-mips.c              |    9 +-
 bfd/peXXigen.c             |  220 +++++++---
 bfd/peicode.h              |   15 +-
 bfd/tekhex.c               |  112 +++--
 bfd/xcofflink.c            |    5 +-
 binutils/ChangeLog         |  199 +++++++++
 binutils/ar.c              |    9 +
 binutils/bucomm.c          |   26 ++
 binutils/bucomm.h          |   12 +-
 binutils/doc/binutils.texi |    3 +-
 binutils/dwarf.c           |  209 +++++++---
 binutils/objcopy.c         |   23 +-
 binutils/objdump.c         |   27 +-
 binutils/rdcoff.c          |    9 +-
 binutils/rddbg.c           |   40 ++-
 binutils/readelf.c         | 1039 ++++++++++++++++++++++++++++++++------------
 binutils/stabs.c           |   30 +-
 gas/ChangeLog              |   10 +
 gas/config/obj-coff.c      |    1 +
 32 files changed, 2109 insertions(+), 661 deletions(-)