Package: binutils
Version: 2.22-6.1
Severity: normal
Tags: patch

There is a null dereference bug in srec_scan (srec.c) around lines 480 -- 615. This bug causes any of the binutils (nm, objdump, objcopy, etc.) to crash.

If Line 480 evaluates to 0, then the buf pointer will be used later as a NULL pointer. A patch for the bug is attached. A crashing input file is also attached.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages binutils depends on:
ii  libc6       2.13-33
ii  libgcc1     1:4.7.1-2
ii  libstdc++6  4.7.1-2
ii  zlib1g      1:1.2.7.dfsg-13

binutils recommends no packages.

Versions of packages binutils suggests:
pn  binutils-doc  <none>

-- no debconf information

--- srec.old.c 2012-08-14 10:10:14.857621139 -0400 +++ srec.c 2012-08-14 10:10:21.217621258 -0400 @@ -478,6 +478,8 @@ } check_sum = bytes = HEX (hdr + 1); + if ( bytes == 0 ) goto error_return; + if (bytes * 2 > bufsize) { if (buf != NULL)
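Review bot: the added "if ( bytes == 0 ) goto error_return;" right after "check_sum = bytes = HEX (hdr + 1);" jumps to error_return without anything in the hunk recording why, so unless that label sets an error itself, the tools will reject a zero byte count with no diagnostic; consider reporting the bad record before the jump. The line also departs from the style of the surrounding context ("if (bytes * 2 > bufsize)", "if (buf != NULL)"): drop the spaces inside the parentheses and put the goto on its own line. A one-line comment noting that a zero count leaves buf unallocated for the later reads would document why the check sits here.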
S800
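
The check the report asks for, as an added stand-alone example that is not part of the original report and is not binutils code: a validator that rejects a record such as "S800" from its header alone, before any payload buffer is sized or read. The names srec_check_line and srec_status are hypothetical; the address widths and checksum rule follow the Motorola S-record layout.

```c
#include <ctype.h>
#include <string.h>

enum srec_status { SREC_OK, SREC_BAD_HEADER, SREC_BAD_HEX,
                   SREC_BAD_COUNT, SREC_TRUNCATED, SREC_BAD_SUM };

/* Decode two hex digits at p into *out; returns 0 on success, -1 otherwise. */
static int hexbyte(const char *p, unsigned *out)
{
    unsigned v = 0;
    for (int i = 0; i < 2; i++) {
        int c = toupper((unsigned char)p[i]);
        if (!isxdigit(c))
            return -1;
        v = v * 16 + (unsigned)(isdigit(c) ? c - '0' : c - 'A' + 10);
    }
    *out = v;
    return 0;
}

/* Validate one S-record line before any payload buffer is sized or read. */
enum srec_status srec_check_line(const char *line)
{
    /* Address width in bytes for types S0..S9; 0 marks the reserved S4. */
    static const unsigned addr_len[10] = {2, 2, 3, 4, 0, 2, 3, 4, 3, 2};
    size_t len = strlen(line);
    unsigned count, byte, sum;
    if (len < 4 || line[0] != 'S' || !isdigit((unsigned char)line[1])
        || addr_len[line[1] - '0'] == 0)
        return SREC_BAD_HEADER;
    if (hexbyte(line + 2, &count) != 0)
        return SREC_BAD_HEX;
    /* The count covers address, data and checksum bytes, so 00 is never valid. */
    if (count < addr_len[line[1] - '0'] + 1)
        return SREC_BAD_COUNT;
    if (len < 4 + 2 * (size_t)count)
        return SREC_TRUNCATED;
    sum = count;
    for (unsigned i = 0; i < count; i++) {
        if (hexbyte(line + 4 + 2 * i, &byte) != 0)
            return SREC_BAD_HEX;
        sum += byte;
    }
    /* Count, address, data and checksum bytes add up to 0xFF modulo 256. */
    return (sum & 0xFF) == 0xFF ? SREC_OK : SREC_BAD_SUM;
}
```

Checking the count against the minimum for the record type also covers counts that are non-zero but still too small to hold the address field.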