diff -Nru gdb-7.7.1/debian/changelog gdb-7.7.1/debian/changelog --- gdb-7.7.1/debian/changelog 2014-10-08 18:48:25.000000000 +0000 +++ gdb-7.7.1/debian/changelog 2017-06-09 18:30:54.000000000 +0000 @@ -1,3 +1,55 @@ +gdb (7.7.1-0ubuntu5~14.04.3) trusty-security; urgency=medium + + * SECURITY UPDATE: DoS via invalid value in NumberOfRvaAndSizes field + - debian/patches/CVE-2014-8501.patch: add check to bfd/peXXigen.c. + - CVE-2014-8501 + * SECURITY UPDATE: stack overflow when printing bad bytes + - debian/patches/CVE-2014-9939.patch: fix escape sequences in + bfd/ihex.c, bfd/srec.c. + - CVE-2014-9939 + * SECURITY UPDATE: integer overflow in string_appends + - debian/patches/CVE-2016-2226.patch: check for overflow in + libiberty/cplus-dem.c, added xmalloc_failed to + gdb/common/common-utils.c. + - CVE-2016-2226 + * SECURITY UPDATE: use-after-free vulberabilities + - debian/patches/CVE-2016-4487_4488.patch: set bsize and ksize in + libiberty/cplus-dem.c, added test to + libiberty/testsuite/demangle-expected. + - CVE-2016-4487 + - CVE-2016-4488 + * SECURITY UPDATE: integer overflow in gnu_special + - debian/patches/CVE-2016-4489.patch: handle case where consume_count + returns -1 in libiberty/cplus-dem.c. + - CVE-2016-4489 + * SECURITY UPDATE: integer overflow after sanity checks + - debian/patches/CVE-2016-4490.patch: parse numbers as integer instead + of long in libiberty/cp-demangle.c, added test to + libiberty/testsuite/demangle-expected. + - CVE-2016-4490 + * SECURITY UPDATE: denial of service via infinite recursion + - debian/patches/CVE-2016-4491-1.patch: limit recursion in + include/demangle.h, libiberty/cp-demangle.c, libiberty/cp-demint.c, + added test to libiberty/testsuite/demangle-expected. + - debian/patches/CVE-2016-4491-2.patch: limit more recursion in + libiberty/cp-demangle.c. + - debian/patches/CVE-2016-4491-3.patch: initialize d_printing in + gdb/cp-name-parser.y, libiberty/cp-demangle.c. + - CVE-2016-4491 + * SECURITY UPDATE: buffer overflow in do_type + - debian/patches/CVE-2016-4492_4493.patch: properly handle large values + and overflow in libiberty/cplus-dem.c, added test to + libiberty/testsuite/demangle-expected. + - CVE-2016-4492 + - CVE-2016-4493 + * SECURITY UPDATE: denial of service via infinite recursion + - debian/patches/CVE-2016-6131.patch: prevent infinite recursion in + libiberty/cplus-dem.c, added test to + libiberty/testsuite/demangle-expected. + - CVE-2016-6131 + + -- Marc Deslauriers Fri, 09 Jun 2017 10:42:55 -0400 + gdb (7.7.1-0ubuntu5~14.04.2) trusty-proposed; urgency=medium * SRU: Update for trusty. LP: #1351646. diff -Nru gdb-7.7.1/debian/patches/CVE-2014-8501.patch gdb-7.7.1/debian/patches/CVE-2014-8501.patch --- gdb-7.7.1/debian/patches/CVE-2014-8501.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2014-8501.patch 2017-06-08 11:57:13.000000000 +0000 @@ -0,0 +1,52 @@ +From 7e1e19887abd24aeb15066b141cdff5541e0ec8e Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Mon, 27 Oct 2014 14:45:06 +0000 +Subject: [PATCH] Fix a seg-fault in strings and other binutuils when parsing a + corrupt PE executable with an invalid value in the NumberOfRvaAndSizes field + of the AOUT header. + + PR binutils/17512 + * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries + with an invalid value for NumberOfRvaAndSizes. +--- + bfd/ChangeLog | 4 ++++ + bfd/peXXigen.c | 12 ++++++++++++ + 2 files changed, 16 insertions(+) + +#diff --git a/bfd/ChangeLog b/bfd/ChangeLog +#index 7ba4431..e1d9379 100644 +#--- a/bfd/ChangeLog +#+++ b/bfd/ChangeLog +#@@ -1,5 +1,9 @@ +# 2014-10-27 Nick Clifton +# +#+ PR binutils/17512 +#+ * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries +#+ with an invalid value for NumberOfRvaAndSizes. +#+ +# PR binutils/17510 +# * elf.c (setup_group): Improve handling of corrupt group +# sections. +Index: gdb-7.7.1/bfd/peXXigen.c +=================================================================== +--- gdb-7.7.1.orig/bfd/peXXigen.c 2017-06-08 07:57:10.856366679 -0400 ++++ gdb-7.7.1/bfd/peXXigen.c 2017-06-08 07:57:10.836366437 -0400 +@@ -468,6 +468,18 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, + { + int idx; + ++ /* PR 17512: Corrupt PE binaries can cause seg-faults. */ ++ if (a->NumberOfRvaAndSizes > 16) ++ { ++ (*_bfd_error_handler) ++ (_("%B: aout header specifies an invalid number of data-directory entries: %d"), ++ abfd, a->NumberOfRvaAndSizes); ++ /* Paranoia: If the number is corrupt, then assume that the ++ actual entries themselves might be corrupt as well. */ ++ a->NumberOfRvaAndSizes = 0; ++ } ++ ++ + for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) + { + /* If data directory is empty, rva also should be 0. */ diff -Nru gdb-7.7.1/debian/patches/CVE-2014-9939.patch gdb-7.7.1/debian/patches/CVE-2014-9939.patch --- gdb-7.7.1/debian/patches/CVE-2014-9939.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2014-9939.patch 2017-06-08 11:57:24.000000000 +0000 @@ -0,0 +1,88 @@ +From 7e27a9d5f22f9f7ead11738b1546d0b5c737266b Mon Sep 17 00:00:00 2001 +From: "Yuriy M. Kaminskiy" +Date: Tue, 4 Aug 2015 16:51:53 +0100 +Subject: [PATCH] Fix stack buffer overflows when parsing corrupt ihex files. + + PR binutils/18750 + * ihex.c (ihex_scan): Fixes incorrect escape sequence in error message + and stack overflow when char is signed and \200-\376 was in place of hex + digit; also fixes \377 was handled as EOF instead of "incorrect character". + (ihex_read_section): Changed for consistency. + (ihex_bad_byte): Prevent (now impossible to trigger) stack + overflow and incorrect escape sequence handling. + * srec.c (srec_bad_byte): Likewise. + + * readelf.c (process_mips_specific): Fix incorrect escape + sequence handling. +--- + bfd/ChangeLog | 12 ++++++++++++ + bfd/ihex.c | 6 +++--- + bfd/srec.c | 2 +- + binutils/ChangeLog | 11 +++++++++++ + binutils/readelf.c | 2 +- + 5 files changed, 28 insertions(+), 5 deletions(-) + +#diff --git a/bfd/ChangeLog b/bfd/ChangeLog +#index 986299d..a8b3646 100644 +#--- a/bfd/ChangeLog +#+++ b/bfd/ChangeLog +#@@ -1,3 +1,15 @@ +#+2015-08-04 Yuriy M. Kaminskiy" +#+ Tyler Hicks +#+ +#+ PR binutils/18750 +#+ * ihex.c (ihex_scan): Fixes incorrect escape sequence in error message +#+ and stack overflow when char is signed and \200-\376 was in place of hex +#+ digit; also fixes \377 was handled as EOF instead of "incorrect character". +#+ (ihex_read_section): Changed for consistency. +#+ (ihex_bad_byte): Prevent (now impossible to trigger) stack +#+ overflow and incorrect escape sequence handling. +#+ * srec.c (srec_bad_byte): Likewise. +#+ +# 2015-08-03 Hans-Peter Nilsson +# +# * elf32-cris.c (cris_elf_relocate_section) +Index: gdb-7.7.1/bfd/ihex.c +=================================================================== +--- gdb-7.7.1.orig/bfd/ihex.c 2017-06-08 07:57:20.356481702 -0400 ++++ gdb-7.7.1/bfd/ihex.c 2017-06-08 07:57:18.144454936 -0400 +@@ -220,7 +220,7 @@ ihex_bad_byte (bfd *abfd, unsigned int l + char buf[10]; + + if (! ISPRINT (c)) +- sprintf (buf, "\\%03o", (unsigned int) c); ++ sprintf (buf, "\\%03o", (unsigned int) c & 0xff); + else + { + buf[0] = c; +@@ -277,7 +277,7 @@ ihex_scan (bfd *abfd) + else + { + file_ptr pos; +- char hdr[8]; ++ unsigned char hdr[8]; + unsigned int i; + unsigned int len; + bfd_vma addr; +@@ -554,7 +554,7 @@ ihex_read_section (bfd *abfd, asection * + error = FALSE; + while ((c = ihex_get_byte (abfd, &error)) != EOF) + { +- char hdr[8]; ++ unsigned char hdr[8]; + unsigned int len; + unsigned int type; + unsigned int i; +Index: gdb-7.7.1/bfd/srec.c +=================================================================== +--- gdb-7.7.1.orig/bfd/srec.c 2017-06-08 07:57:20.356481702 -0400 ++++ gdb-7.7.1/bfd/srec.c 2017-06-08 07:57:19.244468248 -0400 +@@ -251,7 +251,7 @@ srec_bad_byte (bfd *abfd, + char buf[10]; + + if (! ISPRINT (c)) +- sprintf (buf, "\\%03o", (unsigned int) c); ++ sprintf (buf, "\\%03o", (unsigned int) c & 0xff); + else + { + buf[0] = c; diff -Nru gdb-7.7.1/debian/patches/CVE-2016-2226.patch gdb-7.7.1/debian/patches/CVE-2016-2226.patch --- gdb-7.7.1/debian/patches/CVE-2016-2226.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2016-2226.patch 2017-06-08 16:54:16.000000000 +0000 @@ -0,0 +1,114 @@ +Backport of: + +From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001 +From: bernds +Date: Fri, 8 Apr 2016 12:10:21 +0000 +Subject: [PATCH] =?utf8?q?Fix=20memory=20allocation=20size=20overflows=20(?= + =?utf8?q?PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + + PR c++/69687 + * cplus-dem.c: Include if available. + (INT_MAX): Define if necessary. + (remember_type, remember_Ktype, register_Btype, string_need): + Abort if we detect cases where we the size of the allocation would + overflow. + + + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4 +--- + libiberty/ChangeLog | 7 +++++++ + libiberty/cplus-dem.c | 15 +++++++++++++++ + 2 files changed, 22 insertions(+) + +#diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog +#index 8e82a5f..2a34356 100644 +#--- a/libiberty/ChangeLog +#+++ b/libiberty/ChangeLog +#@@ -1,5 +1,12 @@ +# 2016-04-08 Marcel Böhme +# +#+ PR c++/69687 +#+ * cplus-dem.c: Include if available. +#+ (INT_MAX): Define if necessary. +#+ (remember_type, remember_Ktype, register_Btype, string_need): +#+ Abort if we detect cases where we the size of the allocation would +#+ overflow. +#+ +# PR c++/70498 +# * cplus-dem.c (gnu_special): Handle case where consume_count returns +# -1. +Index: gdb-7.7.1/libiberty/cplus-dem.c +=================================================================== +--- gdb-7.7.1.orig/libiberty/cplus-dem.c 2017-06-08 07:57:35.660666625 -0400 ++++ gdb-7.7.1/libiberty/cplus-dem.c 2017-06-08 07:57:35.608665998 -0400 +@@ -56,6 +56,13 @@ void * malloc (); + void * realloc (); + #endif + ++#ifdef HAVE_LIMITS_H ++#include ++#endif ++#ifndef INT_MAX ++# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */ ++#endif ++ + #include + #undef CURRENT_DEMANGLING_STYLE + #define CURRENT_DEMANGLING_STYLE work->options +@@ -4231,6 +4238,8 @@ remember_type (struct work_stuff *work, + } + else + { ++ if (work -> typevec_size > INT_MAX / 2) ++ xmalloc_failed (INT_MAX); + work -> typevec_size *= 2; + work -> typevec + = XRESIZEVEC (char *, work->typevec, work->typevec_size); +@@ -4258,6 +4267,8 @@ remember_Ktype (struct work_stuff *work, + } + else + { ++ if (work -> ksize > INT_MAX / 2) ++ xmalloc_failed (INT_MAX); + work -> ksize *= 2; + work -> ktypevec + = XRESIZEVEC (char *, work->ktypevec, work->ksize); +@@ -4287,6 +4298,8 @@ register_Btype (struct work_stuff *work) + } + else + { ++ if (work -> bsize > INT_MAX / 2) ++ xmalloc_failed (INT_MAX); + work -> bsize *= 2; + work -> btypevec + = XRESIZEVEC (char *, work->btypevec, work->bsize); +@@ -4741,6 +4754,8 @@ string_need (string *s, int n) + else if (s->e - s->p < n) + { + tem = s->p - s->b; ++ if (n > INT_MAX / 2 - tem) ++ xmalloc_failed (INT_MAX); + n += tem; + n *= 2; + s->b = XRESIZEVEC (char, s->b, n); +Index: gdb-7.11.1/gdb/common/common-utils.c +=================================================================== +--- gdb-7.11.1.orig/gdb/common/common-utils.c 2016-02-09 22:19:39.000000000 -0500 ++++ gdb-7.11.1/gdb/common/common-utils.c 2017-06-08 12:48:46.779145822 -0400 +@@ -100,6 +100,12 @@ xfree (void *ptr) + free (ptr); /* ARI: free */ + } + ++void ++xmalloc_failed (size_t size) ++{ ++ malloc_failure (size); ++} ++ + /* Like asprintf/vasprintf but get an internal_error if the call + fails. */ + diff -Nru gdb-7.7.1/debian/patches/CVE-2016-4487_4488.patch gdb-7.7.1/debian/patches/CVE-2016-4487_4488.patch --- gdb-7.7.1/debian/patches/CVE-2016-4487_4488.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2016-4487_4488.patch 2017-06-08 12:00:49.000000000 +0000 @@ -0,0 +1,68 @@ +Backport of: + +From be3004dc350a820a5b0320b34bd05673ba534058 Mon Sep 17 00:00:00 2001 +From: law +Date: Thu, 31 Mar 2016 17:20:53 +0000 +Subject: [PATCH] * cplus-dem.c (squangle_mop_up): Zero bsize/ksize + after freeing btypevec/ktypevec. * testsuite/demangle-expected: Add + coverage tests. + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234645 138bc75d-0d04-0410-961f-82ee72b054a4 +--- + libiberty/ChangeLog | 7 +++++++ + libiberty/cplus-dem.c | 2 ++ + libiberty/testsuite/demangle-expected | 10 ++++++++++ + 3 files changed, 19 insertions(+) + +#diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog +#index d11f4ce..b4054bd 100644 +#--- a/libiberty/ChangeLog +#+++ b/libiberty/ChangeLog +#@@ -1,3 +1,10 @@ +#+2016-03-31 Mikhail Maltsev +#+ Marcel Bohme boehme.marcel@gmail.com +#+ +#+ * cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing +#+ btypevec/ktypevec. +#+ * testsuite/demangle-expected: Add coverage tests. +#+ +# 2016-01-27 Iain Buclaw +# +# * d-demangle.c (dlang_call_convention): Handle extern Objective-C +Index: gdb-7.7.1/libiberty/cplus-dem.c +=================================================================== +--- gdb-7.7.1.orig/libiberty/cplus-dem.c 2017-06-08 07:57:49.508833570 -0400 ++++ gdb-7.7.1/libiberty/cplus-dem.c 2017-06-08 07:58:32.025343934 -0400 +@@ -1225,10 +1225,14 @@ squangle_mop_up (struct work_stuff *work + if (work -> btypevec != NULL) + { + free ((char *) work -> btypevec); ++ work->btypevec = NULL; ++ work->bsize = 0; + } + if (work -> ktypevec != NULL) + { + free ((char *) work -> ktypevec); ++ work->ktypevec = NULL; ++ work->ksize = 0; + } + } + +Index: gdb-7.7.1/libiberty/testsuite/demangle-expected +=================================================================== +--- gdb-7.7.1.orig/libiberty/testsuite/demangle-expected 2017-06-08 07:57:49.508833570 -0400 ++++ gdb-7.7.1/libiberty/testsuite/demangle-expected 2017-06-08 07:58:50.909569610 -0400 +@@ -4343,3 +4343,13 @@ cereal::detail::InputBindingMap >(std::function&&)::{lambda()#1}*& std::_Any_data::_M_access >(void post >(std::function&&)::{lambda()#1}*&&)::{lambda()#1}*>() ++# ++# Tests a use-after-free problem ++ ++_Q.__0 ++::Q.(void) ++# ++# Tests a use-after-free problem ++ ++_Q10-__9cafebabe. ++cafebabe.::-(void) diff -Nru gdb-7.7.1/debian/patches/CVE-2016-4489.patch gdb-7.7.1/debian/patches/CVE-2016-4489.patch --- gdb-7.7.1/debian/patches/CVE-2016-4489.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2016-4489.patch 2017-06-08 11:59:16.000000000 +0000 @@ -0,0 +1,51 @@ +From 053ec2207203a194d2ae82e2f164009aad3f14d2 Mon Sep 17 00:00:00 2001 +From: bernds +Date: Fri, 8 Apr 2016 12:06:59 +0000 +Subject: [PATCH] =?utf8?q?Handle=20an=20overflow=20case=20(PR70498,=20patc?= + =?utf8?q?h=20by=20Marcel=20B=C3=B6hme).?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + + PR c++/70498 + * cplus-dem.c (gnu_special): Handle case where consume_count returns + -1. + + + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234828 138bc75d-0d04-0410-961f-82ee72b054a4 +--- + libiberty/ChangeLog | 6 ++++++ + libiberty/cplus-dem.c | 5 +++++ + 2 files changed, 11 insertions(+) + +#diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog +#index 1e59c53..8e82a5f 100644 +#--- a/libiberty/ChangeLog +#+++ b/libiberty/ChangeLog +#@@ -1,3 +1,9 @@ +#+2016-04-08 Marcel Böhme +#+ +#+ PR c++/70498 +#+ * cplus-dem.c (gnu_special): Handle case where consume_count returns +#+ -1. +#+ +# 2016-03-31 Mikhail Maltsev +# Marcel Bohme boehme.marcel@gmail.com +# +Index: gdb-7.7.1/libiberty/cplus-dem.c +=================================================================== +--- gdb-7.7.1.orig/libiberty/cplus-dem.c 2017-06-08 07:59:14.137846396 -0400 ++++ gdb-7.7.1/libiberty/cplus-dem.c 2017-06-08 07:59:14.129846300 -0400 +@@ -2990,6 +2990,11 @@ gnu_special (struct work_stuff *work, co + success = 1; + break; + } ++ else if (n == -1) ++ { ++ success = 0; ++ break; ++ } + } + else + { diff -Nru gdb-7.7.1/debian/patches/CVE-2016-4490.patch gdb-7.7.1/debian/patches/CVE-2016-4490.patch --- gdb-7.7.1/debian/patches/CVE-2016-4490.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2016-4490.patch 2017-06-08 12:00:29.000000000 +0000 @@ -0,0 +1,264 @@ +Backport of: + +From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001 +From: bernds +Date: Mon, 2 May 2016 17:06:40 +0000 +Subject: [PATCH] =?utf8?q?Demangler=20integer=20overflow=20fixes=20from=20?= + =?utf8?q?Marcel=20B=C3=B6hme.?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + + PR c++/70498 + * cp-demangle.c: Parse numbers as integer instead of long to avoid + overflow after sanity checks. Include if available. + (INT_MAX): Define if necessary. + (d_make_template_param): Takes integer argument instead of long. + (d_make_function_param): Likewise. + (d_append_num): Likewise. + (d_identifier): Likewise. + (d_number): Parse as and return integer. + (d_compact_number): Handle overflow. + (d_source_name): Change variable type to integer for parsed number. + (d_java_resource): Likewise. + (d_special_name): Likewise. + (d_discriminator): Likewise. + (d_unnamed_type): Likewise. + * testsuite/demangle-expected: Add regression test cases. + + + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4 +--- + libiberty/ChangeLog | 19 +++++++++++++ + libiberty/cp-demangle.c | 52 ++++++++++++++++++++--------------- + libiberty/testsuite/demangle-expected | 14 ++++++++-- + 3 files changed, 61 insertions(+), 24 deletions(-) + +#diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog +#index 7497392..1407cd3 100644 +#--- a/libiberty/ChangeLog +#+++ b/libiberty/ChangeLog +#@@ -1,3 +1,22 @@ +#+2016-05-02 Marcel Böhme +#+ +#+ PR c++/70498 +#+ * cp-demangle.c: Parse numbers as integer instead of long to avoid +#+ overflow after sanity checks. Include if available. +#+ (INT_MAX): Define if necessary. +#+ (d_make_template_param): Takes integer argument instead of long. +#+ (d_make_function_param): Likewise. +#+ (d_append_num): Likewise. +#+ (d_identifier): Likewise. +#+ (d_number): Parse as and return integer. +#+ (d_compact_number): Handle overflow. +#+ (d_source_name): Change variable type to integer for parsed number. +#+ (d_java_resource): Likewise. +#+ (d_special_name): Likewise. +#+ (d_discriminator): Likewise. +#+ (d_unnamed_type): Likewise. +#+ * testsuite/demangle-expected: Add regression test cases. +#+ +# 2016-04-30 Oleg Endo +# +# * configure: Remove SH5 support. +Index: gdb-7.7.1/libiberty/cp-demangle.c +=================================================================== +--- gdb-7.7.1.orig/libiberty/cp-demangle.c 2017-06-08 07:59:31.318050563 -0400 ++++ gdb-7.7.1/libiberty/cp-demangle.c 2017-06-08 08:00:09.254499826 -0400 +@@ -124,6 +124,13 @@ extern char *alloca (); + # endif /* alloca */ + #endif /* HAVE_ALLOCA_H */ + ++#ifdef HAVE_LIMITS_H ++#include ++#endif ++#ifndef INT_MAX ++# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */ ++#endif ++ + #include "ansidecl.h" + #include "libiberty.h" + #include "demangle.h" +@@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v + struct demangle_component *); + + static struct demangle_component * +-d_make_template_param (struct d_info *, long); ++d_make_template_param (struct d_info *, int); + + static struct demangle_component * + d_make_sub (struct d_info *, const char *, int); +@@ -417,7 +424,7 @@ static struct demangle_component *d_unqu + + static struct demangle_component *d_source_name (struct d_info *); + +-static long d_number (struct d_info *); ++static int d_number (struct d_info *); + + static struct demangle_component *d_identifier (struct d_info *, int); + +@@ -1097,7 +1104,7 @@ d_make_dtor (struct d_info *di, enum gnu + /* Add a new template parameter. */ + + static struct demangle_component * +-d_make_template_param (struct d_info *di, long i) ++d_make_template_param (struct d_info *di, int i) + { + struct demangle_component *p; + +@@ -1113,7 +1120,7 @@ d_make_template_param (struct d_info *di + /* Add a new function parameter. */ + + static struct demangle_component * +-d_make_function_param (struct d_info *di, long i) ++d_make_function_param (struct d_info *di, int i) + { + struct demangle_component *p; + +@@ -1587,7 +1594,7 @@ d_unqualified_name (struct d_info *di) + static struct demangle_component * + d_source_name (struct d_info *di) + { +- long len; ++ int len; + struct demangle_component *ret; + + len = d_number (di); +@@ -1600,12 +1607,12 @@ d_source_name (struct d_info *di) + + /* number ::= [n] <(non-negative decimal integer)> */ + +-static long ++static int + d_number (struct d_info *di) + { + int negative; + char peek; +- long ret; ++ int ret; + + negative = 0; + peek = d_peek_char (di); +@@ -1832,7 +1839,7 @@ d_java_resource (struct d_info *di) + { + struct demangle_component *p = NULL; + struct demangle_component *next = NULL; +- long len, i; ++ int len, i; + char c; + const char *str; + +@@ -1974,7 +1981,7 @@ d_special_name (struct d_info *di) + case 'C': + { + struct demangle_component *derived_type; +- long offset; ++ int offset; + struct demangle_component *base_type; + + derived_type = cplus_demangle_type (di); +@@ -2897,10 +2904,10 @@ d_pointer_to_member_type (struct d_info + + /* _ */ + +-static long ++static int + d_compact_number (struct d_info *di) + { +- long num; ++ int num; + if (d_peek_char (di) == '_') + num = 0; + else if (d_peek_char (di) == 'n') +@@ -2908,7 +2915,7 @@ d_compact_number (struct d_info *di) + else + num = d_number (di) + 1; + +- if (! d_check_char (di, '_')) ++ if (num < 0 || ! d_check_char (di, '_')) + return -1; + return num; + } +@@ -2920,7 +2927,7 @@ d_compact_number (struct d_info *di) + static struct demangle_component * + d_template_param (struct d_info *di) + { +- long param; ++ int param; + + if (! d_check_char (di, 'T')) + return NULL; +@@ -3122,9 +3129,10 @@ d_expression_1 (struct d_info *di) + } + else + { +- index = d_compact_number (di) + 1; +- if (index == 0) ++ index = d_compact_number (di); ++ if (index == INT_MAX || index == -1) + return NULL; ++ index ++; + } + return d_make_function_param (di, index); + } +@@ -3447,7 +3455,7 @@ d_local_name (struct d_info *di) + static int + d_discriminator (struct d_info *di) + { +- long discrim; ++ int discrim; + + if (d_peek_char (di) != '_') + return 1; +@@ -3503,7 +3511,7 @@ static struct demangle_component * + d_unnamed_type (struct d_info *di) + { + struct demangle_component *ret; +- long num; ++ int num; + + if (! d_check_char (di, 'U')) + return NULL; +@@ -4016,10 +4024,10 @@ d_append_string (struct d_print_info *dp + } + + static inline void +-d_append_num (struct d_print_info *dpi, long l) ++d_append_num (struct d_print_info *dpi, int l) + { + char buf[25]; +- sprintf (buf,"%ld", l); ++ sprintf (buf,"%d", l); + d_append_string (dpi, buf); + } + +Index: gdb-7.7.1/libiberty/testsuite/demangle-expected +=================================================================== +--- gdb-7.7.1.orig/libiberty/testsuite/demangle-expected 2017-06-08 07:59:31.318050563 -0400 ++++ gdb-7.7.1/libiberty/testsuite/demangle-expected 2017-06-08 07:59:31.278050089 -0400 +@@ -4344,12 +4344,22 @@ cereal::detail::InputBindingMap >(std::function&&)::{lambda()#1}*& std::_Any_data::_M_access >(void post >(std::function&&)::{lambda()#1}*&&)::{lambda()#1}*>() + # +-# Tests a use-after-free problem ++# Tests a use-after-free problem PR70481 + + _Q.__0 + ::Q.(void) + # +-# Tests a use-after-free problem ++# Tests a use-after-free problem PR70481 + + _Q10-__9cafebabe. + cafebabe.::-(void) ++# ++# Tests integer overflow problem PR70492 ++ ++__vt_90000000000cafebabe ++__vt_90000000000cafebabe ++# ++# Tests write access violation PR70498 ++ ++_Z80800000000000000000000 ++_Z80800000000000000000000 diff -Nru gdb-7.7.1/debian/patches/CVE-2016-4491-1.patch gdb-7.7.1/debian/patches/CVE-2016-4491-1.patch --- gdb-7.7.1/debian/patches/CVE-2016-4491-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2016-4491-1.patch 2017-06-08 12:03:11.000000000 +0000 @@ -0,0 +1,349 @@ +Backport of: + +From a664c62cf916d036dba3d25973e5bb92c523536e Mon Sep 17 00:00:00 2001 +From: trippels +Date: Wed, 8 Mar 2017 14:28:38 +0000 +Subject: [PATCH] Fix PR demangler/70909 and 67264 (endless demangler + recursion) + +ChangeLog: + + PR demangler/70909 + PR demangler/67264 + * include/demangle.h: Add d_printing to struct demangle_component + and pass struct demangle_component as non const. + +libiberty/ChangeLog: + + PR demangler/70909 + PR demangler/67264 + * cp-demangle.c: Fix endless recursion. Pass + struct demangle_component as non const. + (d_make_empty): Initialize variable. + (d_print_comp_inner): Limit recursion. + (d_print_comp): Decrement variable. + * cp-demint.c (cplus_demangle_fill_component): Initialize + variable. + (cplus_demangle_fill_builtin_type): Likewise. + (cplus_demangle_fill_operator): Likewise. + * testsuite/demangle-expected: Add tests. + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@245978 138bc75d-0d04-0410-961f-82ee72b054a4 +--- + ChangeLog | 7 +++++ + include/demangle.h | 9 ++++-- + libiberty/ChangeLog | 15 +++++++++ + libiberty/cp-demangle.c | 59 ++++++++++++++++++++--------------- + libiberty/cp-demint.c | 3 ++ + libiberty/testsuite/demangle-expected | 31 ++++++++++++++++++ + 6 files changed, 97 insertions(+), 27 deletions(-) + +#diff --git a/ChangeLog b/ChangeLog +#index bdca057..27168c8 100644 +#--- a/ChangeLog +#+++ b/ChangeLog +#@@ -1,3 +1,10 @@ +#+2017-03-08 Mark Wielaard +#+ +#+ PR demangler/70909 +#+ PR demangler/67264 +#+ * include/demangle.h: Add d_printing to struct demangle_component +#+ and pass struct demangle_component as non const. +#+ +# 2017-02-26 Gerald Pfeifer +# +# * MAINTAINERS: Remove Neil Booth as option handling maintainer. +Index: gdb-7.7.1/include/demangle.h +=================================================================== +--- gdb-7.7.1.orig/include/demangle.h 2017-06-08 08:01:33.663492341 -0400 ++++ gdb-7.7.1/include/demangle.h 2017-06-08 08:01:33.647492153 -0400 +@@ -455,6 +455,11 @@ struct demangle_component + /* The type of this component. */ + enum demangle_component_type type; + ++ /* Guard against recursive component printing. ++ Initialize to zero. Private to d_print_comp. ++ All other fields are final after initialization. */ ++ int d_printing; ++ + union + { + /* For DEMANGLE_COMPONENT_NAME. */ +@@ -649,7 +654,7 @@ cplus_demangle_v3_components (const char + + extern char * + cplus_demangle_print (int options, +- const struct demangle_component *tree, ++ struct demangle_component *tree, + int estimated_length, + size_t *p_allocated_size); + +@@ -669,7 +674,7 @@ cplus_demangle_print (int options, + + extern int + cplus_demangle_print_callback (int options, +- const struct demangle_component *tree, ++ struct demangle_component *tree, + demangle_callbackref callback, void *opaque); + + #ifdef __cplusplus +Index: gdb-7.7.1/libiberty/cp-demangle.c +=================================================================== +--- gdb-7.7.1.orig/libiberty/cp-demangle.c 2017-06-08 08:01:33.663492341 -0400 ++++ gdb-7.7.1/libiberty/cp-demangle.c 2017-06-08 08:02:53.908427929 -0400 +@@ -169,10 +169,10 @@ static struct demangle_component *d_mang + static struct demangle_component *d_type (struct d_info *); + + #define cplus_demangle_print d_print +-static char *d_print (int, const struct demangle_component *, int, size_t *); ++static char *d_print (int, struct demangle_component *, int, size_t *); + + #define cplus_demangle_print_callback d_print_callback +-static int d_print_callback (int, const struct demangle_component *, ++static int d_print_callback (int, struct demangle_component *, + demangle_callbackref, void *); + + #define cplus_demangle_init_info d_init_info +@@ -261,7 +261,7 @@ struct d_print_mod + in which they appeared in the mangled string. */ + struct d_print_mod *next; + /* The modifier. */ +- const struct demangle_component *mod; ++ struct demangle_component *mod; + /* Whether this modifier was printed. */ + int printed; + /* The list of templates which applies to this modifier. */ +@@ -521,7 +521,7 @@ static inline void d_append_string (stru + static inline char d_last_char (struct d_print_info *); + + static void +-d_print_comp (struct d_print_info *, int, const struct demangle_component *); ++d_print_comp (struct d_print_info *, int, struct demangle_component *); + + static void + d_print_java_identifier (struct d_print_info *, const char *, int); +@@ -530,23 +530,23 @@ static void + d_print_mod_list (struct d_print_info *, int, struct d_print_mod *, int); + + static void +-d_print_mod (struct d_print_info *, int, const struct demangle_component *); ++d_print_mod (struct d_print_info *, int, struct demangle_component *); + + static void + d_print_function_type (struct d_print_info *, int, +- const struct demangle_component *, ++ struct demangle_component *, + struct d_print_mod *); + + static void + d_print_array_type (struct d_print_info *, int, +- const struct demangle_component *, ++ struct demangle_component *, + struct d_print_mod *); + + static void +-d_print_expr_op (struct d_print_info *, int, const struct demangle_component *); ++d_print_expr_op (struct d_print_info *, int, struct demangle_component *); + + static void +-d_print_cast (struct d_print_info *, int, const struct demangle_component *); ++d_print_cast (struct d_print_info *, int, struct demangle_component *); + + static int d_demangle_callback (const char *, int, + demangle_callbackref, void *); +@@ -872,6 +872,7 @@ d_make_empty (struct d_info *di) + if (di->next_comp >= di->num_comps) + return NULL; + p = &di->comps[di->next_comp]; ++ p->d_printing = 0; + ++di->next_comp; + return p; + } +@@ -4049,7 +4050,7 @@ d_last_char (struct d_print_info *dpi) + CP_STATIC_IF_GLIBCPP_V3 + int + cplus_demangle_print_callback (int options, +- const struct demangle_component *dc, ++ struct demangle_component *dc, + demangle_callbackref callback, void *opaque) + { + struct d_print_info dpi; +@@ -4088,7 +4089,7 @@ cplus_demangle_print_callback (int optio + + CP_STATIC_IF_GLIBCPP_V3 + char * +-cplus_demangle_print (int options, const struct demangle_component *dc, ++cplus_demangle_print (int options, struct demangle_component *dc, + int estimate, size_t *palc) + { + struct d_growable_string dgs; +@@ -4217,7 +4218,7 @@ d_pack_length (const struct demangle_com + + static void + d_print_subexpr (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + int simple = 0; + if (dc->type == DEMANGLE_COMPONENT_NAME +@@ -4292,11 +4293,11 @@ d_get_saved_scope (struct d_print_info * + + static void + d_print_comp_inner (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + /* Magic variable to let reference smashing skip over the next modifier + without needing to modify *dc. */ +- const struct demangle_component *mod_inner = NULL; ++ struct demangle_component *mod_inner = NULL; + + /* Variable used to store the current templates while a previously + captured scope is used. */ +@@ -4677,7 +4678,7 @@ d_print_comp_inner (struct d_print_info + case DEMANGLE_COMPONENT_RVALUE_REFERENCE: + { + /* Handle reference smashing: & + && = &. */ +- const struct demangle_component *sub = d_left (dc); ++ struct demangle_component *sub = d_left (dc); + if (sub->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM) + { + struct d_saved_scope *scope = d_get_saved_scope (dpi, sub); +@@ -5359,9 +5360,16 @@ d_print_comp_inner (struct d_print_info + + static void + d_print_comp (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + struct d_component_stack self; ++ if (dc == NULL || dc->d_printing > 1) ++ { ++ d_print_error (dpi); ++ return; ++ } ++ else ++ dc->d_printing++; + + self.dc = dc; + self.parent = dpi->component_stack; +@@ -5370,6 +5378,7 @@ d_print_comp (struct d_print_info *dpi, + d_print_comp_inner (dpi, options, dc); + + dpi->component_stack = self.parent; ++ dc->d_printing--; + } + + /* Print a Java dentifier. For Java we try to handle encoded extended +@@ -5520,7 +5529,7 @@ d_print_mod_list (struct d_print_info *d + + static void + d_print_mod (struct d_print_info *dpi, int options, +- const struct demangle_component *mod) ++ struct demangle_component *mod) + { + switch (mod->type) + { +@@ -5589,7 +5598,7 @@ d_print_mod (struct d_print_info *dpi, i + + static void + d_print_function_type (struct d_print_info *dpi, int options, +- const struct demangle_component *dc, ++ struct demangle_component *dc, + struct d_print_mod *mods) + { + int need_paren; +@@ -5671,7 +5680,7 @@ d_print_function_type (struct d_print_in + + static void + d_print_array_type (struct d_print_info *dpi, int options, +- const struct demangle_component *dc, ++ struct demangle_component *dc, + struct d_print_mod *mods) + { + int need_space; +@@ -5725,7 +5734,7 @@ d_print_array_type (struct d_print_info + + static void + d_print_expr_op (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + if (dc->type == DEMANGLE_COMPONENT_OPERATOR) + d_append_buffer (dpi, dc->u.s_operator.op->name, +@@ -5738,7 +5747,7 @@ d_print_expr_op (struct d_print_info *dp + + static void + d_print_cast (struct d_print_info *dpi, int options, +- const struct demangle_component *dc) ++ struct demangle_component *dc) + { + struct d_print_template dpt; + +Index: gdb-7.7.1/libiberty/cp-demint.c +=================================================================== +--- gdb-7.7.1.orig/libiberty/cp-demint.c 2017-06-08 08:01:33.663492341 -0400 ++++ gdb-7.7.1/libiberty/cp-demint.c 2017-06-08 08:01:33.651492201 -0400 +@@ -122,6 +122,7 @@ cplus_demangle_fill_component (struct de + p->type = type; + p->u.s_binary.left = left; + p->u.s_binary.right = right; ++ p->d_printing = 0; + + return 1; + } +@@ -145,6 +146,7 @@ cplus_demangle_fill_builtin_type (struct + { + p->type = DEMANGLE_COMPONENT_BUILTIN_TYPE; + p->u.s_builtin.type = &cplus_demangle_builtin_types[i]; ++ p->d_printing = 0; + return 1; + } + } +@@ -171,6 +173,7 @@ cplus_demangle_fill_operator (struct dem + { + p->type = DEMANGLE_COMPONENT_OPERATOR; + p->u.s_operator.op = &cplus_demangle_operators[i]; ++ p->d_printing = 0; + return 1; + } + } +Index: gdb-7.7.1/libiberty/testsuite/demangle-expected +=================================================================== +--- gdb-7.7.1.orig/libiberty/testsuite/demangle-expected 2017-06-08 08:01:33.663492341 -0400 ++++ gdb-7.7.1/libiberty/testsuite/demangle-expected 2017-06-08 08:01:33.651492201 -0400 +@@ -4381,3 +4381,34 @@ __t2m05B500000000000000000_ + + __10%0__S4_0T0T0 + %0<>::%0(%0<>) ++ ++# ++# Test recursion PR67264 ++_Z1KIStcvT_E ++_Z1KIStcvT_E ++ ++_ZcvT_IIS0_EE ++_ZcvT_IIS0_EE ++ ++_ZcvT_IZcvT_E1fE ++_ZcvT_IZcvT_E1fE ++ ++_Z1gINcvT_EE ++_Z1gINcvT_EE ++ ++_ZcvT_ILZcvDTT_EEE ++_ZcvT_ILZcvDTT_EEE ++ ++_Z1gIJOOT_EEOT_c ++_Z1gIJOOT_EEOT_c ++ ++_Z1KMMMMMMMMMMMMMMMA_xooooooooooooooo ++_Z1KMMMMMMMMMMMMMMMA_xooooooooooooooo ++ ++_ZdvMMMMMMMMMMMMMrrrrA_DTdvfp_fp_Eededilfdfdfdfd ++_ZdvMMMMMMMMMMMMMrrrrA_DTdvfp_fp_Eededilfdfdfdfd ++# ++# Test for Infinite Recursion PR70909 ++ ++_Z1MA_aMMMMA_MMA_MMMMMMMMSt1MS_o11T0000000000t2M0oooozoooo ++_Z1MA_aMMMMA_MMA_MMMMMMMMSt1MS_o11T0000000000t2M0oooozoooo diff -Nru gdb-7.7.1/debian/patches/CVE-2016-4491-2.patch gdb-7.7.1/debian/patches/CVE-2016-4491-2.patch --- gdb-7.7.1/debian/patches/CVE-2016-4491-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2016-4491-2.patch 2017-06-08 12:03:18.000000000 +0000 @@ -0,0 +1,104 @@ +Backport of: + +From b4cd77b1236a743dd5d94bc210534856a12e6efe Mon Sep 17 00:00:00 2001 +From: mark +Date: Fri, 21 Apr 2017 09:02:03 +0000 +Subject: [PATCH] libiberty: Limit demangler maximum d_print_comp recursion + call depth. + +The fix for PR demangler/70909 and 67264 (endless demangler recursion) +catches when a demangle_component is printed in a cycle. But that doesn't +protect the call stack blowing up from non-cyclic nested types printed +recursively through d_print_comp. This can happen by a (very) long mangled +string that simply creates a very deep pointer or qualifier chain. Limit +the recursive d_print_comp call depth for a d_print_info to 1K nested +types. + +libiberty/ChangeLog: + + * cp-demangle.c (MAX_RECURSION_COUNT): New constant. + (struct d_print_info): Add recursion field. + (d_print_init): Initialize recursion. + (d_print_comp): Check and update d_print_info recursion depth. + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@247056 138bc75d-0d04-0410-961f-82ee72b054a4 +--- + libiberty/ChangeLog | 7 +++++++ + libiberty/cp-demangle.c | 15 ++++++++++++--- + 2 files changed, 19 insertions(+), 3 deletions(-) + +#diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog +#index 673eb26..34e585e 100644 +#--- a/libiberty/ChangeLog +#+++ b/libiberty/ChangeLog +#@@ -1,5 +1,12 @@ +# 2017-04-21 Mark Wielaard +# +#+ * cp-demangle.c (MAX_RECURSION_COUNT): New constant. +#+ (struct d_print_info): Add recursion field. +#+ (d_print_init): Initialize recursion. +#+ (d_print_comp): Check and update d_print_info recursion depth. +#+ +#+2017-04-21 Mark Wielaard +#+ +# * cp-demangle.c (d_substitution): Return NULL if d_add_substitution +# fails. +# +Index: gdb-7.7.1/libiberty/cp-demangle.c +=================================================================== +--- gdb-7.7.1.orig/libiberty/cp-demangle.c 2017-06-08 08:03:16.472689773 -0400 ++++ gdb-7.7.1/libiberty/cp-demangle.c 2017-06-08 08:03:16.460689633 -0400 +@@ -317,6 +317,9 @@ struct d_info_checkpoint + int expansion; + }; + ++/* Maximum number of times d_print_comp may be called recursively. */ ++#define MAX_RECURSION_COUNT 1024 ++ + enum { D_PRINT_BUFFER_LENGTH = 256 }; + struct d_print_info + { +@@ -339,6 +342,9 @@ struct d_print_info + struct d_print_mod *modifiers; + /* Set to 1 if we saw a demangling error. */ + int demangle_failure; ++ /* Number of times d_print_comp was recursively called. Should not ++ be bigger than MAX_RECURSION_COUNT. */ ++ int recursion; + /* The current index into any template argument packs we are using + for printing. */ + int pack_index; +@@ -3954,6 +3960,7 @@ d_print_init (struct d_print_info *dpi, + dpi->opaque = opaque; + + dpi->demangle_failure = 0; ++ dpi->recursion = 0; + + dpi->component_stack = NULL; + +@@ -5363,13 +5370,14 @@ d_print_comp (struct d_print_info *dpi, + struct demangle_component *dc) + { + struct d_component_stack self; +- if (dc == NULL || dc->d_printing > 1) ++ if (dc == NULL || dc->d_printing > 1 || dpi->recursion > MAX_RECURSION_COUNT) + { + d_print_error (dpi); + return; + } +- else +- dc->d_printing++; ++ ++ dc->d_printing++; ++ dpi->recursion++; + + self.dc = dc; + self.parent = dpi->component_stack; +@@ -5379,6 +5387,7 @@ d_print_comp (struct d_print_info *dpi, + + dpi->component_stack = self.parent; + dc->d_printing--; ++ dpi->recursion--; + } + + /* Print a Java dentifier. For Java we try to handle encoded extended diff -Nru gdb-7.7.1/debian/patches/CVE-2016-4491-3.patch gdb-7.7.1/debian/patches/CVE-2016-4491-3.patch --- gdb-7.7.1/debian/patches/CVE-2016-4491-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2016-4491-3.patch 2017-06-09 18:30:31.000000000 +0000 @@ -0,0 +1,92 @@ +From b9da89d161e3903faa335f444af2bf05e40f926e Mon Sep 17 00:00:00 2001 +From: mark +Date: Mon, 13 Mar 2017 18:26:47 +0000 +Subject: [PATCH] Merge libiberty: Initialize d_printing in all + cplus_demangle_fill_* functions. + +While integrating the d_printing recursion guard change into gdb I +noticed we forgot to initialize the demangle_component d_printing +field in cplus_demangle_fill_{name,extended_operator,ctor,dtor}. +As is done in cplus_demangle_fill_{component,builtin_type,operator}. +It happened to work because in gcc all demangle_components were +allocated through d_make_empty. But gdb has its own allocation +mechanism (as might other users). + +libiberty/ChangeLog: + + * cp-demangle.c (cplus_demangle_fill_name): Initialize + demangle_component d_printing. + (cplus_demangle_fill_extended_operator): Likewise. + (cplus_demangle_fill_ctor): Likewise. + (cplus_demangle_fill_dtor): Likewise. + +gdb/ChangeLog: + + * cp-name-parser.y (make_empty): Initialize d_printing to zero. +--- + gdb/ChangeLog | 4 ++++ + gdb/cp-name-parser.y | 1 + + libiberty/ChangeLog | 8 ++++++++ + libiberty/cp-demangle.c | 4 ++++ + 4 files changed, 17 insertions(+) + +#diff --git a/gdb/ChangeLog b/gdb/ChangeLog +#index e4c4432..7de2498 100644 +#--- a/gdb/ChangeLog +#+++ b/gdb/ChangeLog +#@@ -1,3 +1,7 @@ +#+2017-03-13 Mark Wielaard +#+ +#+ * cp-name-parser.y (make_empty): Initialize d_printing to zero. +#+ +# 2017-03-10 Keith Seitz +# +# PR c++/8218 +Index: gdb-7.7.1/gdb/cp-name-parser.y +=================================================================== +--- gdb-7.7.1.orig/gdb/cp-name-parser.y 2017-06-09 14:30:29.644900014 -0400 ++++ gdb-7.7.1/gdb/cp-name-parser.y 2017-06-09 14:30:29.624899764 -0400 +@@ -207,6 +207,7 @@ make_empty (enum demangle_component_type + { + struct demangle_component *ret = d_grab (); + ret->type = d_type; ++ ret->d_printing = 0; + return ret; + } + +Index: gdb-7.7.1/libiberty/cp-demangle.c +=================================================================== +--- gdb-7.7.1.orig/libiberty/cp-demangle.c 2017-06-09 14:30:29.644900014 -0400 ++++ gdb-7.7.1/libiberty/cp-demangle.c 2017-06-09 14:30:29.628899814 -0400 +@@ -809,6 +809,7 @@ cplus_demangle_fill_name (struct demangl + { + if (p == NULL || s == NULL || len == 0) + return 0; ++ p->d_printing = 0; + p->type = DEMANGLE_COMPONENT_NAME; + p->u.s_name.s = s; + p->u.s_name.len = len; +@@ -824,6 +825,7 @@ cplus_demangle_fill_extended_operator (s + { + if (p == NULL || args < 0 || name == NULL) + return 0; ++ p->d_printing = 0; + p->type = DEMANGLE_COMPONENT_EXTENDED_OPERATOR; + p->u.s_extended_operator.args = args; + p->u.s_extended_operator.name = name; +@@ -843,6 +845,7 @@ cplus_demangle_fill_ctor (struct demangl + || (int) kind < gnu_v3_complete_object_ctor + || (int) kind > gnu_v3_object_ctor_group) + return 0; ++ p->d_printing = 0; + p->type = DEMANGLE_COMPONENT_CTOR; + p->u.s_ctor.kind = kind; + p->u.s_ctor.name = name; +@@ -862,6 +865,7 @@ cplus_demangle_fill_dtor (struct demangl + || (int) kind < gnu_v3_deleting_dtor + || (int) kind > gnu_v3_object_dtor_group) + return 0; ++ p->d_printing = 0; + p->type = DEMANGLE_COMPONENT_DTOR; + p->u.s_dtor.kind = kind; + p->u.s_dtor.name = name; diff -Nru gdb-7.7.1/debian/patches/CVE-2016-4492_4493.patch gdb-7.7.1/debian/patches/CVE-2016-4492_4493.patch --- gdb-7.7.1/debian/patches/CVE-2016-4492_4493.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2016-4492_4493.patch 2017-06-08 12:01:16.000000000 +0000 @@ -0,0 +1,96 @@ +From b6616075cb48d42a28cc78ca1c66127b671b361c Mon Sep 17 00:00:00 2001 +From: law +Date: Wed, 13 Jul 2016 22:06:09 +0000 +Subject: [PATCH] PR c++/70926 * cplus-dem.c: Handle large values and + overflow when demangling length variables. + (demangle_template_value_parm): Read only until end of mangled string. + (do_hpacc_template_literal): Likewise. (do_type): Handle overflow + when demangling array indices. + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@238313 138bc75d-0d04-0410-961f-82ee72b054a4 +--- + libiberty/ChangeLog | 9 +++++++++ + libiberty/cplus-dem.c | 10 ++++++---- + libiberty/testsuite/demangle-expected | 13 +++++++++++++ + 3 files changed, 28 insertions(+), 4 deletions(-) + +#diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog +#index 45b312b..317bd63 100644 +#--- a/libiberty/ChangeLog +#+++ b/libiberty/ChangeLog +#@@ -1,3 +1,12 @@ +#+2016-07-13 Marcel BÃhme +#+ +#+ PR c++/70926 +#+ * cplus-dem.c: Handle large values and overflow when demangling +#+ length variables. +#+ (demangle_template_value_parm): Read only until end of mangled string. +#+ (do_hpacc_template_literal): Likewise. +#+ (do_type): Handle overflow when demangling array indices. +#+ +# 2016-06-12 Brooks Moses +# +# * cp-demangle.c (cplus_demangle_print_callback): Avoid zero-length +Index: gdb-7.7.1/libiberty/cplus-dem.c +=================================================================== +--- gdb-7.7.1.orig/libiberty/cplus-dem.c 2017-06-08 08:01:14.431267005 -0400 ++++ gdb-7.7.1/libiberty/cplus-dem.c 2017-06-08 08:01:14.399266630 -0400 +@@ -2033,7 +2033,8 @@ demangle_template_value_parm (struct wor + else + { + int symbol_len = consume_count (mangled); +- if (symbol_len == -1) ++ if (symbol_len == -1 ++ || symbol_len > (long) strlen (*mangled)) + return -1; + if (symbol_len == 0) + string_appendn (s, "0", 1); +@@ -3593,7 +3594,7 @@ do_type (struct work_stuff *work, const + /* A back reference to a previously seen type */ + case 'T': + (*mangled)++; +- if (!get_count (mangled, &n) || n >= work -> ntypes) ++ if (!get_count (mangled, &n) || n < 0 || n >= work -> ntypes) + { + success = 0; + } +@@ -3768,7 +3769,7 @@ do_type (struct work_stuff *work, const + /* A back reference to a previously seen squangled type */ + case 'B': + (*mangled)++; +- if (!get_count (mangled, &n) || n >= work -> numb) ++ if (!get_count (mangled, &n) || n < 0 || n >= work -> numb) + success = 0; + else + string_append (result, work->btypevec[n]); +@@ -4109,7 +4110,8 @@ do_hpacc_template_literal (struct work_s + + literal_len = consume_count (mangled); + +- if (literal_len <= 0) ++ if (literal_len <= 0 ++ || literal_len > (long) strlen (*mangled)) + return 0; + + /* Literal parameters are names of arrays, functions, etc. and the +Index: gdb-7.7.1/libiberty/testsuite/demangle-expected +=================================================================== +--- gdb-7.7.1.orig/libiberty/testsuite/demangle-expected 2017-06-08 08:01:14.431267005 -0400 ++++ gdb-7.7.1/libiberty/testsuite/demangle-expected 2017-06-08 08:01:14.399266630 -0400 +@@ -4363,3 +4363,16 @@ __vt_90000000000cafebabe + + _Z80800000000000000000000 + _Z80800000000000000000000 ++# ++# Tests write access violation PR70926 ++ ++0__Ot2m02R5T0000500000 ++0__Ot2m02R5T0000500000 ++# ++ ++0__GT50000000000_ ++0__GT50000000000_ ++# ++ ++__t2m05B500000000000000000_ ++__t2m05B500000000000000000_ diff -Nru gdb-7.7.1/debian/patches/CVE-2016-6131.patch gdb-7.7.1/debian/patches/CVE-2016-6131.patch --- gdb-7.7.1/debian/patches/CVE-2016-6131.patch 1970-01-01 00:00:00.000000000 +0000 +++ gdb-7.7.1/debian/patches/CVE-2016-6131.patch 2017-06-08 12:01:23.000000000 +0000 @@ -0,0 +1,237 @@ +From ebcc31144416b524ea556708c32304c53b439724 Mon Sep 17 00:00:00 2001 +From: law +Date: Thu, 4 Aug 2016 16:53:18 +0000 +Subject: [PATCH] =?utf8?q?2016-08-04=20=20Marcel=20B=C3=B6hme=20=20?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + + PR c++/71696 + * cplus-dem.c: Prevent infinite recursion when there is a cycle + in the referencing of remembered mangled types. + (work_stuff): New stack to keep track of the remembered mangled + types that are currently being processed. + (push_processed_type): New method to push currently processed + remembered type onto the stack. + (pop_processed_type): New method to pop currently processed + remembered type from the stack. + (work_stuff_copy_to_from): Copy values of new variables. + (delete_non_B_K_work_stuff): Free stack memory. + (demangle_args): Push/Pop currently processed remembered type. + (do_type): Do not demangle a cyclic reference and push/pop + referenced remembered type. + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@239143 138bc75d-0d04-0410-961f-82ee72b054a4 +--- + libiberty/ChangeLog | 19 ++++++++- + libiberty/cplus-dem.c | 80 ++++++++++++++++++++++++++++++++--- + libiberty/testsuite/demangle-expected | 5 +++ + 3 files changed, 97 insertions(+), 7 deletions(-) + +#diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog +#index a2e49a1..e7ff8c3 100644 +#--- a/libiberty/ChangeLog +#+++ b/libiberty/ChangeLog +#@@ -1,3 +1,20 @@ +#+2016-08-04 Marcel Böhme +#+ +#+ PR c++/71696 +#+ * cplus-dem.c: Prevent infinite recursion when there is a cycle +#+ in the referencing of remembered mangled types. +#+ (work_stuff): New stack to keep track of the remembered mangled +#+ types that are currently being processed. +#+ (push_processed_type): New method to push currently processed +#+ remembered type onto the stack. +#+ (pop_processed_type): New method to pop currently processed +#+ remembered type from the stack. +#+ (work_stuff_copy_to_from): Copy values of new variables. +#+ (delete_non_B_K_work_stuff): Free stack memory. +#+ (demangle_args): Push/Pop currently processed remembered type. +#+ (do_type): Do not demangle a cyclic reference and push/pop +#+ referenced remembered type. +#+ +# 2016-07-29 Aldy Hernandez +# +# * make-relative-prefix.c (make_relative_prefix_1): Fall back to +#@@ -16,7 +33,7 @@ +# (d_template_args_1): Split out from d_template_args. +# (d_args_length): New. +# +#-2016-07-13 Marcel BÃhme +#+2016-07-13 Marcel Böhme +# +# PR c++/70926 +# * cplus-dem.c: Handle large values and overflow when demangling +Index: gdb-7.7.1/libiberty/cplus-dem.c +=================================================================== +--- gdb-7.7.1.orig/libiberty/cplus-dem.c 2017-06-08 08:01:21.631351419 -0400 ++++ gdb-7.7.1/libiberty/cplus-dem.c 2017-06-08 08:01:21.607351138 -0400 +@@ -144,6 +144,9 @@ struct work_stuff + string* previous_argument; /* The last function argument demangled. */ + int nrepeats; /* The number of times to repeat the previous + argument. */ ++ int *proctypevec; /* Indices of currently processed remembered typevecs. */ ++ int proctypevec_size; ++ int nproctypes; + }; + + #define PRINT_ANSI_QUALIFIERS (work -> options & DMGL_ANSI) +@@ -429,6 +432,10 @@ iterate_demangle_function (struct work_s + + static void remember_type (struct work_stuff *, const char *, int); + ++static void push_processed_type (struct work_stuff *, int); ++ ++static void pop_processed_type (struct work_stuff *); ++ + static void remember_Btype (struct work_stuff *, const char *, int, int); + + static int register_Btype (struct work_stuff *); +@@ -1283,6 +1290,10 @@ work_stuff_copy_to_from (struct work_stu + memcpy (to->btypevec[i], from->btypevec[i], len); + } + ++ if (from->proctypevec) ++ to->proctypevec = ++ XDUPVEC (int, from->proctypevec, from->proctypevec_size); ++ + if (from->ntmpl_args) + to->tmpl_argvec = XNEWVEC (char *, from->ntmpl_args); + +@@ -1311,11 +1322,17 @@ delete_non_B_K_work_stuff (struct work_s + /* Discard the remembered types, if any. */ + + forget_types (work); +- if (work -> typevec != NULL) ++ if (work->typevec != NULL) + { +- free ((char *) work -> typevec); +- work -> typevec = NULL; +- work -> typevec_size = 0; ++ free ((char *) work->typevec); ++ work->typevec = NULL; ++ work->typevec_size = 0; ++ } ++ if (work->proctypevec != NULL) ++ { ++ free (work->proctypevec); ++ work->proctypevec = NULL; ++ work->proctypevec_size = 0; + } + if (work->tmpl_argvec) + { +@@ -3535,6 +3552,8 @@ static int + do_type (struct work_stuff *work, const char **mangled, string *result) + { + int n; ++ int i; ++ int is_proctypevec; + int done; + int success; + string decl; +@@ -3547,6 +3566,7 @@ do_type (struct work_stuff *work, const + + done = 0; + success = 1; ++ is_proctypevec = 0; + while (success && !done) + { + int member; +@@ -3599,8 +3619,15 @@ do_type (struct work_stuff *work, const + success = 0; + } + else +- { +- remembered_type = work -> typevec[n]; ++ for (i = 0; i < work->nproctypes; i++) ++ if (work -> proctypevec [i] == n) ++ success = 0; ++ ++ if (success) ++ { ++ is_proctypevec = 1; ++ push_processed_type (work, n); ++ remembered_type = work->typevec[n]; + mangled = &remembered_type; + } + break; +@@ -3820,6 +3847,9 @@ do_type (struct work_stuff *work, const + string_delete (result); + string_delete (&decl); + ++ if (is_proctypevec) ++ pop_processed_type (work); ++ + if (success) + /* Assume an integral type, if we're not sure. */ + return (int) ((tk == tk_none) ? tk_integral : tk); +@@ -4233,6 +4263,41 @@ do_arg (struct work_stuff *work, const c + } + + static void ++push_processed_type (struct work_stuff *work, int typevec_index) ++{ ++ if (work->nproctypes >= work->proctypevec_size) ++ { ++ if (!work->proctypevec_size) ++ { ++ work->proctypevec_size = 4; ++ work->proctypevec = XNEWVEC (int, work->proctypevec_size); ++ } ++ else ++ { ++ if (work->proctypevec_size < 16) ++ /* Double when small. */ ++ work->proctypevec_size *= 2; ++ else ++ { ++ /* Grow slower when large. */ ++ if (work->proctypevec_size > (INT_MAX / 3) * 2) ++ xmalloc_failed (INT_MAX); ++ work->proctypevec_size = (work->proctypevec_size * 3 / 2); ++ } ++ work->proctypevec ++ = XRESIZEVEC (int, work->proctypevec, work->proctypevec_size); ++ } ++ } ++ work->proctypevec [work->nproctypes++] = typevec_index; ++} ++ ++static void ++pop_processed_type (struct work_stuff *work) ++{ ++ work->nproctypes--; ++} ++ ++static void + remember_type (struct work_stuff *work, const char *start, int len) + { + char *tem; +@@ -4496,10 +4561,13 @@ demangle_args (struct work_stuff *work, + { + string_append (declp, ", "); + } ++ push_processed_type (work, t); + if (!do_arg (work, &tem, &arg)) + { ++ pop_processed_type (work); + return (0); + } ++ pop_processed_type (work); + if (PRINT_ARG_TYPES) + { + string_appends (declp, &arg); +Index: gdb-7.7.1/libiberty/testsuite/demangle-expected +=================================================================== +--- gdb-7.7.1.orig/libiberty/testsuite/demangle-expected 2017-06-08 08:01:21.631351419 -0400 ++++ gdb-7.7.1/libiberty/testsuite/demangle-expected 2017-06-08 08:01:21.623351325 -0400 +@@ -4376,3 +4376,8 @@ _Z80800000000000000000000 + + __t2m05B500000000000000000_ + __t2m05B500000000000000000_ ++# ++# Tests stack overflow PR71696 ++ ++__10%0__S4_0T0T0 ++%0<>::%0(%0<>) diff -Nru gdb-7.7.1/debian/patches/series gdb-7.7.1/debian/patches/series --- gdb-7.7.1/debian/patches/series 2014-06-12 19:14:54.000000000 +0000 +++ gdb-7.7.1/debian/patches/series 2017-06-09 14:42:50.000000000 +0000 @@ -12,3 +12,14 @@ gdb-linaro.diff pr14963.diff +CVE-2014-8501.patch +CVE-2014-9939.patch +CVE-2016-2226.patch +CVE-2016-4487_4488.patch +CVE-2016-4489.patch +CVE-2016-4490.patch +CVE-2016-4492_4493.patch +CVE-2016-6131.patch +CVE-2016-4491-1.patch +CVE-2016-4491-2.patch +CVE-2016-4491-3.patch