2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gcc/gcc-5.2.inc b/meta/recipes-devtools/gcc/gcc-5.2.inc
index 2e870629fb..46369c70ee 100644
--- a/meta/recipes-devtools/gcc/gcc-5.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.2.inc
@@ -76,6 +76,7 @@ SRC_URI = "\
           file://0042-cxxflags-for-build.patch \
           file://CVE-2016-4488.patch \
           file://CVE-2016-4489.patch \
+           file://CVE-2016-2226.patch \
          "
 BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-2226.patch
new file mode 100644
index 0000000000..42fc09aca1
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-2226.patch
@@ -0,0 +1,103 @@
+From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
+From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 8 Apr 2016 12:10:21 +0000
+Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
+ =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+        PR c++/69687
+        * cplus-dem.c: Include <limits.h> if available.
+        (INT_MAX): Define if necessary.
+        (remember_type, remember_Ktype, register_Btype, string_need):
+        Abort if we detect cases where we the size of the allocation would
+        overflow.
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
+Upstream-Status: Backport
+CVE: CVE-2016-2226
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libiberty/ChangeLog   |  7 +++++++
+ libiberty/cplus-dem.c | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+)
+diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
+index 8e82a5f..2a34356 100644
+--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
+@@ -1,5 +1,12 @@
+ 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
+ 
+       PR c++/69687
+       * cplus-dem.c: Include <limits.h> if available.
+       (INT_MAX): Define if necessary.
+       (remember_type, remember_Ktype, register_Btype, string_need):
+       Abort if we detect cases where we the size of the allocation would
+       overflow.
+
+        PR c++/70498
+        * cplus-dem.c (gnu_special): Handle case where consume_count returns
+        -1.
+diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
+index abba234..7514e57 100644
+--- a/libiberty/cplus-dem.c
+++ b/libiberty/cplus-dem.c
+@@ -56,6 +56,13 @@ void * malloc ();
+ void * realloc ();
+ #endif
+ 
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+#ifndef INT_MAX
+# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */ 
+#endif
+
+ #include <demangle.h>
+ #undef CURRENT_DEMANGLING_STYLE
+ #define CURRENT_DEMANGLING_STYLE work->options
+@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
+        }
+       else
+        {
+          if (work -> typevec_size > INT_MAX / 2)
+           xmalloc_failed (INT_MAX);
+          work -> typevec_size *= 2;
+          work -> typevec
+            = XRESIZEVEC (char *, work->typevec, work->typevec_size);
+@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
+        }
+       else
+        {
+          if (work -> ksize > INT_MAX / 2)
+           xmalloc_failed (INT_MAX);
+          work -> ksize *= 2;
+          work -> ktypevec
+            = XRESIZEVEC (char *, work->ktypevec, work->ksize);
+@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
+        }
+       else
+        {
+          if (work -> bsize > INT_MAX / 2)
+           xmalloc_failed (INT_MAX);
+          work -> bsize *= 2;
+          work -> btypevec
+            = XRESIZEVEC (char *, work->btypevec, work->bsize);
+@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
+   else if (s->e - s->p < n)
+     {
+       tem = s->p - s->b;
+      if (n > INT_MAX / 2 - tem)
+        xmalloc_failed (INT_MAX); 
+       n += tem;
+       n *= 2;
+       s->b = XRESIZEVEC (char, s->b, n);
+-- 
+2.3.5

diff --git a/meta/recipes-devtools/gcc/gcc-5.2.inc b/meta/recipes-devtools/gcc/gcc-5.2.inc index 2e870629fb..46369c70ee 100644 --- a/meta/recipes-devtools/gcc/gcc-5.2.inc +++ b/meta/recipes-devtools/gcc/gcc-5.2.inc
@@ -76,6 +76,7 @@ SRC_URI = "\
76	file://0042-cxxflags-for-build.patch \	76	file://0042-cxxflags-for-build.patch \
77	file://CVE-2016-4488.patch \	77	file://CVE-2016-4488.patch \
78	file://CVE-2016-4489.patch \	78	file://CVE-2016-4489.patch \
		79	file://CVE-2016-2226.patch \
79	"	80	"
80		81
81	BACKPORTS = ""	82	BACKPORTS = ""


diff --git a/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-2226.patch new file mode 100644 index 0000000000..42fc09aca1 --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-2226.patch
@@ -0,0 +1,103 @@
		1	From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
		2	From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
		3	Date: Fri, 8 Apr 2016 12:10:21 +0000
		4	Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
		5	=?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	PR c++/69687
		11	* cplus-dem.c: Include <limits.h> if available.
		12	(INT_MAX): Define if necessary.
		13	(remember_type, remember_Ktype, register_Btype, string_need):
		14	Abort if we detect cases where we the size of the allocation would
		15	overflow.
		16
		17
		18
		19	git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
		20
		21	Upstream-Status: Backport
		22
		23	CVE: CVE-2016-2226
		24	Signed-off-by: Armin Kuster <akuster@mvista.com>
		25	---
		26	libiberty/ChangeLog \| 7 +++++++
		27	libiberty/cplus-dem.c \| 15 +++++++++++++++
		28	2 files changed, 22 insertions(+)
		29
		30	diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
		31	index 8e82a5f..2a34356 100644
		32	--- a/libiberty/ChangeLog
		33	+++ b/libiberty/ChangeLog
		34	@@ -1,5 +1,12 @@
		35	2016-04-08 Marcel Böhme <boehme.marcel@gmail.com>
		36
		37	+ PR c++/69687
		38	+ * cplus-dem.c: Include <limits.h> if available.
		39	+ (INT_MAX): Define if necessary.
		40	+ (remember_type, remember_Ktype, register_Btype, string_need):
		41	+ Abort if we detect cases where we the size of the allocation would
		42	+ overflow.
		43	+
		44	PR c++/70498
		45	* cplus-dem.c (gnu_special): Handle case where consume_count returns
		46	-1.
		47	diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
		48	index abba234..7514e57 100644
		49	--- a/libiberty/cplus-dem.c
		50	+++ b/libiberty/cplus-dem.c
		51	@@ -56,6 +56,13 @@ void * malloc ();
		52	void * realloc ();
		53	#endif
		54
		55	+#ifdef HAVE_LIMITS_H
		56	+#include <limits.h>
		57	+#endif
		58	+#ifndef INT_MAX
		59	+# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */
		60	+#endif
		61	+
		62	#include <demangle.h>
		63	#undef CURRENT_DEMANGLING_STYLE
		64	#define CURRENT_DEMANGLING_STYLE work->options
		65	@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff work, const char start, int len)
		66	}
		67	else
		68	{
		69	+ if (work -> typevec_size > INT_MAX / 2)
		70	+ xmalloc_failed (INT_MAX);
		71	work -> typevec_size *= 2;
		72	work -> typevec
		73	= XRESIZEVEC (char *, work->typevec, work->typevec_size);
		74	@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff work, const char start, int len)
		75	}
		76	else
		77	{
		78	+ if (work -> ksize > INT_MAX / 2)
		79	+ xmalloc_failed (INT_MAX);
		80	work -> ksize *= 2;
		81	work -> ktypevec
		82	= XRESIZEVEC (char *, work->ktypevec, work->ksize);
		83	@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
		84	}
		85	else
		86	{
		87	+ if (work -> bsize > INT_MAX / 2)
		88	+ xmalloc_failed (INT_MAX);
		89	work -> bsize *= 2;
		90	work -> btypevec
		91	= XRESIZEVEC (char *, work->btypevec, work->bsize);
		92	@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
		93	else if (s->e - s->p < n)
		94	{
		95	tem = s->p - s->b;
		96	+ if (n > INT_MAX / 2 - tem)
		97	+ xmalloc_failed (INT_MAX);
		98	n += tem;
		99	n *= 2;
		100	s->b = XRESIZEVEC (char, s->b, n);
		101	--
		102	2.3.5
		103