Test:

    $ printf '!<arch>\n%16s%-32s%-10s`\n' '' 100000000000000000 0 > test.a
    $ ar tv test.a
    Segmentation fault

It crashes inside binutils-gdb/binutils/bucomm.c:

    if (bfd_stat_arch_elt (abfd, &buf) == 0)
      {
        char modebuf[11];
        char timebuf[40];
        time_t when = buf.st_mtime;
        const char *ctime_result = (const char *) ctime (&when);
        bfd_size_type size;

        /* POSIX format: skip weekday and seconds from ctime output.  */
        sprintf (timebuf, "%.12s %.4s", ctime_result + 4, ctime_result + 20);

'when' is too big, 'ctime' returns 0, which gets dereferenced inside sprintf.
Seems not to be exploitable.

Found with American Fuzzy Lop.
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "gdb and binutils".

The branch, master has been updated
       via  0593bd3ace3cb64775f4d9e8039da919c26803cd (commit)
      from  8435453b810d8ab0574e509446003d10d04abfd4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0593bd3ace3cb64775f4d9e8039da919c26803cd

commit 0593bd3ace3cb64775f4d9e8039da919c26803cd
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Nov 18 17:35:39 2014 +0000

    Fixes a seg-fault when displaying the time data for a corrupt archive.

    	PR binutils/17605
    	* bucomm.c (print_arelt_descr): Check for ctime returning NULL.

-----------------------------------------------------------------------

Summary of changes:
 binutils/ChangeLog | 5 +++++
 binutils/bucomm.c  | 8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
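The hardened form of the print_arelt_descr excerpt from the report, implementing the check the commit above describes, as an added example that is not the binutils source or its patch. It assumes a 64-bit time_t, uses gmtime_r instead of ctime()'s local time so the output is independent of TZ, and the placeholder text written on failure is our own choice, not binutils'.

```c
#define _POSIX_C_SOURCE 200809L   /* for gmtime_r / asctime_r */
#include <stdio.h>
#include <string.h>
#include <time.h>
#define TIMEBUF_LEN 40                          /* timebuf size in bucomm.c */
#define TIME_PLACEHOLDER "(bad timestamp)"      /* our fallback, not binutils' */

/* Format a member mtime as print_arelt_descr does: "%.12s %.4s" over a
   ctime()-style string, e.g. "Nov 18 17:35 2014".  Returns 1 on success;
   returns 0 and stores TIME_PLACEHOLDER when the time is unrepresentable,
   instead of dereferencing a NULL result.  UTC (gmtime_r) replaces ctime()'s
   local time so the output does not depend on the machine's TZ. */
static int format_arelt_time(time_t when, char timebuf[TIMEBUF_LEN])
{
    struct tm bdt;
    char ctimebuf[26];                          /* asctime_r needs >= 26 bytes */
    const char *ctime_result;
    /* Breaking the time down fails (EOVERFLOW) once the year no longer fits
       in an int; the oversized ar_date in the test archive hits this path. */
    if (gmtime_r(&when, &bdt) == NULL) {
        snprintf(timebuf, TIMEBUF_LEN, "%s", TIME_PLACEHOLDER);
        return 0;
    }
    /* asctime_r can fail too, so its result is checked before any use. */
    ctime_result = asctime_r(&bdt, ctimebuf);
    if (ctime_result == NULL) {
        snprintf(timebuf, TIMEBUF_LEN, "%s", TIME_PLACEHOLDER);
        return 0;
    }
    /* Same slicing as bucomm.c: skip "Www ", drop ":ss", keep the year. */
    snprintf(timebuf, TIMEBUF_LEN, "%.12s %.4s", ctime_result + 4, ctime_result + 20);
    return 1;
}

/* Convenience wrapper returning the formatted text from a static buffer. */
static const char *arelt_time_string(time_t when)
{
    static char timebuf[TIMEBUF_LEN];
    format_arelt_time(when, timebuf);
    return timebuf;
}

int main(void)
{
    /* Constructed inputs: the commit's own timestamp, and the 1e17 that
       strtol reads out of the unterminated ar_date field of test.a. */
    printf("%s\n", arelt_time_string((time_t)1416332139));           /* Nov 18 17:35 2014 */
    printf("%s\n", arelt_time_string((time_t)100000000000000000LL)); /* (bad timestamp) */
    return 0;
}
```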
Created attachment 7946: Check for ctime() returning NULL
Hi Alexander,

Thanks for the bug report.  I have applied a patch (also uploaded here) to the
master sources which should fix this problem.  Please give it a try.

Cheers
  Nick