Diffstat (limited to 'main/binutils/binutils-2.24-CVE-2014-8738.patch')
-rw-r--r-- | main/binutils/binutils-2.24-CVE-2014-8738.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/main/binutils/binutils-2.24-CVE-2014-8738.patch b/main/binutils/binutils-2.24-CVE-2014-8738.patch
new file mode 100644
index 0000000000..d671ed241b
--- /dev/null
+++ b/main/binutils/binutils-2.24-CVE-2014-8738.patch
@@ -0,0 +1,48 @@
+diff --git a/bfd/archive.c b/bfd/archive.c
+index 40a3395..b905213 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -1293,6 +1293,9 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ amt = namedata->parsed_size;
+ if (amt + 1 == 0)
+ goto byebye;
++ /* PR binutils/17533: A corrupt archive can contain an invalid size. */
++ if (amt > (bfd_size_type) bfd_get_size (abfd))
++ goto byebye;
+
+ bfd_ardata (abfd)->extended_names_size = amt;
+ bfd_ardata (abfd)->extended_names = (char *) bfd_zalloc (abfd, amt + 1);
+@@ -1300,6 +1303,8 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ {
+ byebye:
+ free (namedata);
++ bfd_ardata (abfd)->extended_names = NULL;
++ bfd_ardata (abfd)->extended_names_size = 0;
+ return FALSE;
+ }
+
+@@ -1308,7 +1313,6 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ if (bfd_get_error () != bfd_error_system_call)
+ bfd_set_error (bfd_error_malformed_archive);
+ bfd_release (abfd, (bfd_ardata (abfd)->extended_names));
+- bfd_ardata (abfd)->extended_names = NULL;
+ goto byebye;
+ }
+
+@@ -1316,11 +1320,12 @@ _bfd_slurp_extended_name_table (bfd *abfd)
+ text, the entries in the list are newline-padded, not null
+ padded. In SVR4-style archives, the names also have a
+ trailing '/'. DOS/NT created archive often have \ in them
+- We'll fix all problems here.. */
++ We'll fix all problems here. */
+ {
+ char *ext_names = bfd_ardata (abfd)->extended_names;
+ char *temp = ext_names;
+ char *limit = temp + namedata->parsed_size;
++
+ for (; temp < limit; ++temp)
+ {
+ if (*temp == ARFMAG[1])
+--
+1.7.1
+ |
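Review bot: The new bound in the first inner hunk, `if (amt > (bfd_size_type) bfd_get_size (abfd))`, compares the parsed size with the size of the whole file rather than with the bytes left after the current read position. A corrupt size that is smaller than the file but runs past its end therefore still reaches `bfd_zalloc`, and appears to be rejected only by the failure path shown in the third hunk. The allocation stays capped at the file size, which looks like the intent, but the comment should say so, e.g. `/* PR binutils/17533: reject sizes larger than the file; a size running past EOF is caught by the read check below. */`. The patch file also starts directly at `diff --git` with no header recording its origin; a line such as `Upstream: <upstream commit id>` would make the CVE fix easier to audit and rebase. The body of _bfd_slurp_extended_name_table starts and ends outside all four hunks.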