2 files changed, 268 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gcc/gcc-5.2.inc b/meta/recipes-devtools/gcc/gcc-5.2.inc
index 46369c70ee..f2b065f109 100644
--- a/meta/recipes-devtools/gcc/gcc-5.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.2.inc
@@ -77,6 +77,7 @@ SRC_URI = "\
           file://CVE-2016-4488.patch \
           file://CVE-2016-4489.patch \
           file://CVE-2016-2226.patch \
+           file://CVE-2016-4490.patch \
          "
 BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-4490.patch
new file mode 100644
index 0000000000..563f3cf68a
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-4490.patch
@@ -0,0 +1,267 @@
+From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
+From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Mon, 2 May 2016 17:06:40 +0000
+Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
+ =?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+        PR c++/70498
+        * cp-demangle.c: Parse numbers as integer instead of long to avoid
+        overflow after sanity checks. Include <limits.h> if available.
+        (INT_MAX): Define if necessary.
+        (d_make_template_param): Takes integer argument instead of long.
+        (d_make_function_param): Likewise.
+        (d_append_num): Likewise.
+        (d_identifier): Likewise.
+        (d_number): Parse as and return integer.
+        (d_compact_number): Handle overflow.
+        (d_source_name): Change variable type to integer for parsed number.
+        (d_java_resource): Likewise.
+        (d_special_name): Likewise.
+        (d_discriminator): Likewise.
+        (d_unnamed_type): Likewise.
+        * testsuite/demangle-expected: Add regression test cases.
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
+Upstream-Status: Backport
+CVE: CVE_2016-4490
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libiberty/ChangeLog                   | 19 +++++++++++++
+ libiberty/cp-demangle.c               | 52 ++++++++++++++++++++---------------
+ libiberty/testsuite/demangle-expected | 14 ++++++++--
+ 3 files changed, 61 insertions(+), 24 deletions(-)
+Index: gcc-5.2.0/libiberty/cp-demangle.c
+===================================================================
+--- gcc-5.2.0.orig/libiberty/cp-demangle.c
+++ gcc-5.2.0/libiberty/cp-demangle.c
+@@ -124,6 +124,13 @@ extern char *alloca ();
+ # endif /* alloca */
+ #endif /* HAVE_ALLOCA_H */
+ 
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+#ifndef INT_MAX
+# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */ 
+#endif
+
+ #include "ansidecl.h"
+ #include "libiberty.h"
+ #include "demangle.h"
+@@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v
+              struct demangle_component *);
+ 
+ static struct demangle_component *
+-d_make_template_param (struct d_info *, long);
+d_make_template_param (struct d_info *, int);
+ 
+ static struct demangle_component *
+ d_make_sub (struct d_info *, const char *, int);
+@@ -417,7 +424,7 @@ static struct demangle_component *d_unqu
+ 
+ static struct demangle_component *d_source_name (struct d_info *);
+ 
+-static long d_number (struct d_info *);
+static int d_number (struct d_info *);
+ 
+ static struct demangle_component *d_identifier (struct d_info *, int);
+ 
+@@ -1105,7 +1112,7 @@ d_make_dtor (struct d_info *di, enum gnu
+ /* Add a new template parameter.  */
+ 
+ static struct demangle_component *
+-d_make_template_param (struct d_info *di, long i)
+d_make_template_param (struct d_info *di, int i)
+ {
+   struct demangle_component *p;
+ 
+@@ -1121,7 +1128,7 @@ d_make_template_param (struct d_info *di
+ /* Add a new function parameter.  */
+ 
+ static struct demangle_component *
+-d_make_function_param (struct d_info *di, long i)
+d_make_function_param (struct d_info *di, int i)
+ {
+   struct demangle_component *p;
+ 
+@@ -1595,7 +1602,7 @@ d_unqualified_name (struct d_info *di)
+ static struct demangle_component *
+ d_source_name (struct d_info *di)
+ {
+-  long len;
+  int len;
+   struct demangle_component *ret;
+ 
+   len = d_number (di);
+@@ -1608,12 +1615,12 @@ d_source_name (struct d_info *di)
+ 
+ /* number ::= [n] <(non-negative decimal integer)>  */
+ 
+-static long
+static int
+ d_number (struct d_info *di)
+ {
+   int negative;
+   char peek;
+-  long ret;
+  int ret;
+ 
+   negative = 0;
+   peek = d_peek_char (di);
+@@ -1840,7 +1847,7 @@ d_java_resource (struct d_info *di)
+ {
+   struct demangle_component *p = NULL;
+   struct demangle_component *next = NULL;
+-  long len, i;
+  int len, i;
+   char c;
+   const char *str;
+ 
+@@ -1982,7 +1989,7 @@ d_special_name (struct d_info *di)
+        case 'C':
+          {
+            struct demangle_component *derived_type;
+-           long offset;
+           int offset;
+            struct demangle_component *base_type;
+ 
+            derived_type = cplus_demangle_type (di);
+@@ -2905,10 +2912,10 @@ d_pointer_to_member_type (struct d_info
+ 
+ /* <non-negative number> _ */
+ 
+-static long
+static int
+ d_compact_number (struct d_info *di)
+ {
+-  long num;
+  int num;
+   if (d_peek_char (di) == '_')
+     num = 0;
+   else if (d_peek_char (di) == 'n')
+@@ -2916,7 +2923,7 @@ d_compact_number (struct d_info *di)
+   else
+     num = d_number (di) + 1;
+ 
+-  if (! d_check_char (di, '_'))
+  if (num < 0 || ! d_check_char (di, '_'))
+     return -1;
+   return num;
+ }
+@@ -2928,7 +2935,7 @@ d_compact_number (struct d_info *di)
+ static struct demangle_component *
+ d_template_param (struct d_info *di)
+ {
+-  long param;
+  int param;
+ 
+   if (! d_check_char (di, 'T'))
+     return NULL;
+@@ -3130,9 +3137,10 @@ d_expression_1 (struct d_info *di)
+        }
+       else
+        {
+-         index = d_compact_number (di) + 1;
+-         if (index == 0)
+         index = d_compact_number (di);
+         if (index == INT_MAX || index == -1)
+            return NULL;
+         index ++;
+        }
+       return d_make_function_param (di, index);
+     }
+@@ -3455,7 +3463,7 @@ d_local_name (struct d_info *di)
+ static int
+ d_discriminator (struct d_info *di)
+ {
+-  long discrim;
+  int discrim;
+ 
+   if (d_peek_char (di) != '_')
+     return 1;
+@@ -3511,7 +3519,7 @@ static struct demangle_component *
+ d_unnamed_type (struct d_info *di)
+ {
+   struct demangle_component *ret;
+-  long num;
+  int num;
+ 
+   if (! d_check_char (di, 'U'))
+     return NULL;
+@@ -4037,10 +4045,10 @@ d_append_string (struct d_print_info *dp
+ }
+ 
+ static inline void
+-d_append_num (struct d_print_info *dpi, long l)
+d_append_num (struct d_print_info *dpi, int l)
+ {
+   char buf[25];
+-  sprintf (buf,"%ld", l);
+  sprintf (buf,"%d", l);
+   d_append_string (dpi, buf);
+ }
+ 
+Index: gcc-5.2.0/libiberty/testsuite/demangle-expected
+===================================================================
+--- gcc-5.2.0.orig/libiberty/testsuite/demangle-expected
+++ gcc-5.2.0/libiberty/testsuite/demangle-expected
+@@ -4357,12 +4357,22 @@ _QueueNotification_QueueController__$4PP
+ _Z1fSsB3fooS_
+ f(std::string[abi:foo], std::string[abi:foo])
+ #
+-# Tests a use-after-free problem
+# Tests a use-after-free problem PR70481
+ 
+ _Q.__0
+ ::Q.(void)
+ #
+-# Tests a use-after-free problem
+# Tests a use-after-free problem PR70481
+ 
+ _Q10-__9cafebabe.
+ cafebabe.::-(void)
+#
+# Tests integer overflow problem PR70492
+
+__vt_90000000000cafebabe
+__vt_90000000000cafebabe
+#
+# Tests write access violation PR70498
+
+_Z80800000000000000000000
+_Z80800000000000000000000
+Index: gcc-5.2.0/libiberty/ChangeLog
+===================================================================
+--- gcc-5.2.0.orig/libiberty/ChangeLog
+++ gcc-5.2.0/libiberty/ChangeLog
+@@ -1,3 +1,22 @@
+2016-05-02  Marcel Böhme  <boehme.marcel@gmail.com>
+
+       PR c++/70498
+       * cp-demangle.c: Parse numbers as integer instead of long to avoid
+       overflow after sanity checks. Include <limits.h> if available.
+       (INT_MAX): Define if necessary.
+       (d_make_template_param): Takes integer argument instead of long.
+       (d_make_function_param): Likewise.
+       (d_append_num): Likewise.
+       (d_identifier): Likewise.
+       (d_number): Parse as and return integer.
+       (d_compact_number): Handle overflow.
+       (d_source_name): Change variable type to integer for parsed number.
+       (d_java_resource): Likewise.
+       (d_special_name): Likewise.
+       (d_discriminator): Likewise.
+       (d_unnamed_type): Likewise.
+       * testsuite/demangle-expected: Add regression test cases.
+
+ 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
+ 
+        PR c++/69687

diff --git a/meta/recipes-devtools/gcc/gcc-5.2.inc b/meta/recipes-devtools/gcc/gcc-5.2.inc index 46369c70ee..f2b065f109 100644 --- a/meta/recipes-devtools/gcc/gcc-5.2.inc +++ b/meta/recipes-devtools/gcc/gcc-5.2.inc
@@ -77,6 +77,7 @@ SRC_URI = "\
77	file://CVE-2016-4488.patch \	77	file://CVE-2016-4488.patch \
78	file://CVE-2016-4489.patch \	78	file://CVE-2016-4489.patch \
79	file://CVE-2016-2226.patch \	79	file://CVE-2016-2226.patch \
		80	file://CVE-2016-4490.patch \
80	"	81	"
81		82
82	BACKPORTS = ""	83	BACKPORTS = ""


diff --git a/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-4490.patch new file mode 100644 index 0000000000..563f3cf68a --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-4490.patch
@@ -0,0 +1,267 @@
		1	From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
		2	From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
		3	Date: Mon, 2 May 2016 17:06:40 +0000
		4	Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
		5	=?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	PR c++/70498
		11	* cp-demangle.c: Parse numbers as integer instead of long to avoid
		12	overflow after sanity checks. Include <limits.h> if available.
		13	(INT_MAX): Define if necessary.
		14	(d_make_template_param): Takes integer argument instead of long.
		15	(d_make_function_param): Likewise.
		16	(d_append_num): Likewise.
		17	(d_identifier): Likewise.
		18	(d_number): Parse as and return integer.
		19	(d_compact_number): Handle overflow.
		20	(d_source_name): Change variable type to integer for parsed number.
		21	(d_java_resource): Likewise.
		22	(d_special_name): Likewise.
		23	(d_discriminator): Likewise.
		24	(d_unnamed_type): Likewise.
		25	* testsuite/demangle-expected: Add regression test cases.
		26
		27
		28
		29	git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
		30
		31	Upstream-Status: Backport
		32	CVE: CVE_2016-4490
		33	Signed-off-by: Armin Kuster <akuster@mvista.com>
		34
		35	---
		36	libiberty/ChangeLog \| 19 +++++++++++++
		37	libiberty/cp-demangle.c \| 52 ++++++++++++++++++++---------------
		38	libiberty/testsuite/demangle-expected \| 14 ++++++++--
		39	3 files changed, 61 insertions(+), 24 deletions(-)
		40
		41	Index: gcc-5.2.0/libiberty/cp-demangle.c
		42	===================================================================
		43	--- gcc-5.2.0.orig/libiberty/cp-demangle.c
		44	+++ gcc-5.2.0/libiberty/cp-demangle.c
		45	@@ -124,6 +124,13 @@ extern char *alloca ();
		46	# endif /* alloca */
		47	#endif /* HAVE_ALLOCA_H */
		48
		49	+#ifdef HAVE_LIMITS_H
		50	+#include <limits.h>
		51	+#endif
		52	+#ifndef INT_MAX
		53	+# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */
		54	+#endif
		55	+
		56	#include "ansidecl.h"
		57	#include "libiberty.h"
		58	#include "demangle.h"
		59	@@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v
		60	struct demangle_component *);
		61
		62	static struct demangle_component *
		63	-d_make_template_param (struct d_info *, long);
		64	+d_make_template_param (struct d_info *, int);
		65
		66	static struct demangle_component *
		67	d_make_sub (struct d_info , const char , int);
		68	@@ -417,7 +424,7 @@ static struct demangle_component *d_unqu
		69
		70	static struct demangle_component d_source_name (struct d_info );
		71
		72	-static long d_number (struct d_info *);
		73	+static int d_number (struct d_info *);
		74
		75	static struct demangle_component d_identifier (struct d_info , int);
		76
		77	@@ -1105,7 +1112,7 @@ d_make_dtor (struct d_info *di, enum gnu
		78	/* Add a new template parameter. */
		79
		80	static struct demangle_component *
		81	-d_make_template_param (struct d_info *di, long i)
		82	+d_make_template_param (struct d_info *di, int i)
		83	{
		84	struct demangle_component *p;
		85
		86	@@ -1121,7 +1128,7 @@ d_make_template_param (struct d_info *di
		87	/* Add a new function parameter. */
		88
		89	static struct demangle_component *
		90	-d_make_function_param (struct d_info *di, long i)
		91	+d_make_function_param (struct d_info *di, int i)
		92	{
		93	struct demangle_component *p;
		94
		95	@@ -1595,7 +1602,7 @@ d_unqualified_name (struct d_info *di)
		96	static struct demangle_component *
		97	d_source_name (struct d_info *di)
		98	{
		99	- long len;
		100	+ int len;
		101	struct demangle_component *ret;
		102
		103	len = d_number (di);
		104	@@ -1608,12 +1615,12 @@ d_source_name (struct d_info *di)
		105
		106	/* number ::= [n] <(non-negative decimal integer)> */
		107
		108	-static long
		109	+static int
		110	d_number (struct d_info *di)
		111	{
		112	int negative;
		113	char peek;
		114	- long ret;
		115	+ int ret;
		116
		117	negative = 0;
		118	peek = d_peek_char (di);
		119	@@ -1840,7 +1847,7 @@ d_java_resource (struct d_info *di)
		120	{
		121	struct demangle_component *p = NULL;
		122	struct demangle_component *next = NULL;
		123	- long len, i;
		124	+ int len, i;
		125	char c;
		126	const char *str;
		127
		128	@@ -1982,7 +1989,7 @@ d_special_name (struct d_info *di)
		129	case 'C':
		130	{
		131	struct demangle_component *derived_type;
		132	- long offset;
		133	+ int offset;
		134	struct demangle_component *base_type;
		135
		136	derived_type = cplus_demangle_type (di);
		137	@@ -2905,10 +2912,10 @@ d_pointer_to_member_type (struct d_info
		138
		139	/* <non-negative number> _ */
		140
		141	-static long
		142	+static int
		143	d_compact_number (struct d_info *di)
		144	{
		145	- long num;
		146	+ int num;
		147	if (d_peek_char (di) == '_')
		148	num = 0;
		149	else if (d_peek_char (di) == 'n')
		150	@@ -2916,7 +2923,7 @@ d_compact_number (struct d_info *di)
		151	else
		152	num = d_number (di) + 1;
		153
		154	- if (! d_check_char (di, '_'))
		155	+ if (num < 0 \|\| ! d_check_char (di, '_'))
		156	return -1;
		157	return num;
		158	}
		159	@@ -2928,7 +2935,7 @@ d_compact_number (struct d_info *di)
		160	static struct demangle_component *
		161	d_template_param (struct d_info *di)
		162	{
		163	- long param;
		164	+ int param;
		165
		166	if (! d_check_char (di, 'T'))
		167	return NULL;
		168	@@ -3130,9 +3137,10 @@ d_expression_1 (struct d_info *di)
		169	}
		170	else
		171	{
		172	- index = d_compact_number (di) + 1;
		173	- if (index == 0)
		174	+ index = d_compact_number (di);
		175	+ if (index == INT_MAX \|\| index == -1)
		176	return NULL;
		177	+ index ++;
		178	}
		179	return d_make_function_param (di, index);
		180	}
		181	@@ -3455,7 +3463,7 @@ d_local_name (struct d_info *di)
		182	static int
		183	d_discriminator (struct d_info *di)
		184	{
		185	- long discrim;
		186	+ int discrim;
		187
		188	if (d_peek_char (di) != '_')
		189	return 1;
		190	@@ -3511,7 +3519,7 @@ static struct demangle_component *
		191	d_unnamed_type (struct d_info *di)
		192	{
		193	struct demangle_component *ret;
		194	- long num;
		195	+ int num;
		196
		197	if (! d_check_char (di, 'U'))
		198	return NULL;
		199	@@ -4037,10 +4045,10 @@ d_append_string (struct d_print_info *dp
		200	}
		201
		202	static inline void
		203	-d_append_num (struct d_print_info *dpi, long l)
		204	+d_append_num (struct d_print_info *dpi, int l)
		205	{
		206	char buf[25];
		207	- sprintf (buf,"%ld", l);
		208	+ sprintf (buf,"%d", l);
		209	d_append_string (dpi, buf);
		210	}
		211
		212	Index: gcc-5.2.0/libiberty/testsuite/demangle-expected
		213	===================================================================
		214	--- gcc-5.2.0.orig/libiberty/testsuite/demangle-expected
		215	+++ gcc-5.2.0/libiberty/testsuite/demangle-expected
		216	@@ -4357,12 +4357,22 @@ _QueueNotification_QueueController__$4PP
		217	_Z1fSsB3fooS_
		218	f(std::string[abi:foo], std::string[abi:foo])
		219	#
		220	-# Tests a use-after-free problem
		221	+# Tests a use-after-free problem PR70481
		222
		223	_Q.__0
		224	::Q.(void)
		225	#
		226	-# Tests a use-after-free problem
		227	+# Tests a use-after-free problem PR70481
		228
		229	_Q10-__9cafebabe.
		230	cafebabe.::-(void)
		231	+#
		232	+# Tests integer overflow problem PR70492
		233	+
		234	+__vt_90000000000cafebabe
		235	+__vt_90000000000cafebabe
		236	+#
		237	+# Tests write access violation PR70498
		238	+
		239	+_Z80800000000000000000000
		240	+_Z80800000000000000000000
		241	Index: gcc-5.2.0/libiberty/ChangeLog
		242	===================================================================
		243	--- gcc-5.2.0.orig/libiberty/ChangeLog
		244	+++ gcc-5.2.0/libiberty/ChangeLog
		245	@@ -1,3 +1,22 @@
		246	+2016-05-02 Marcel Böhme <boehme.marcel@gmail.com>
		247	+
		248	+ PR c++/70498
		249	+ * cp-demangle.c: Parse numbers as integer instead of long to avoid
		250	+ overflow after sanity checks. Include <limits.h> if available.
		251	+ (INT_MAX): Define if necessary.
		252	+ (d_make_template_param): Takes integer argument instead of long.
		253	+ (d_make_function_param): Likewise.
		254	+ (d_append_num): Likewise.
		255	+ (d_identifier): Likewise.
		256	+ (d_number): Parse as and return integer.
		257	+ (d_compact_number): Handle overflow.
		258	+ (d_source_name): Change variable type to integer for parsed number.
		259	+ (d_java_resource): Likewise.
		260	+ (d_special_name): Likewise.
		261	+ (d_discriminator): Likewise.
		262	+ (d_unnamed_type): Likewise.
		263	+ * testsuite/demangle-expected: Add regression test cases.
		264	+
		265	2016-04-08 Marcel Böhme <boehme.marcel@gmail.com>
		266
		267	PR c++/69687