@@ -56,5 +56,11 @@ SRC_URI = "\
file://CVE-2023-25588.patch \
file://CVE-2021-46174.patch \
file://CVE-2023-25584.patch \
+ file://CVE-2022-47007.patch \
+ file://CVE-2022-47008.patch \
+ file://CVE-2022-47010.patch \
+ file://CVE-2022-47011.patch \
+ file://CVE-2022-48063.patch \
+ file://CVE-2022-47695.patch \
"
S = "${WORKDIR}/git"
new file mode 100644
@@ -0,0 +1,32 @@
+From 0ebc886149c22aceaf8ed74267821a59ca9d03eb Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:00:41 +0930
+Subject: [PATCH] PR29254, memory leak in stab_demangle_v3_arg
+
+ PR 29254
+ * stabs.c (stab_demangle_v3_arg): Free dt on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb]
+CVE: CVE-2022-47007
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 2b5241637c1..796ff85b86a 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -5476,7 +5476,10 @@
+ dc->u.s_binary.right,
+ &varargs);
+ if (pargs == NULL)
+- return NULL;
++ {
++ free (dt);
++ return NULL;
++ }
+
+ return debug_make_function_type (dhandle, dt, pargs, varargs);
+ }
+
new file mode 100644
@@ -0,0 +1,64 @@
+From d6e1d48c83b165c129cb0aa78905f7ca80a1f682 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 17 Jun 2022 09:13:38 +0930
+Subject: [PATCH] PR29255, memory leak in make_tempdir
+
+ PR 29255
+ * bucomm.c (make_tempdir, make_tempname): Free template on all
+ failure paths.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682]
+CVE: CVE-2022-47008
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/bucomm.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index fdc2209df9c..4395cb9f7f5 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -542,8 +542,9 @@
+ #else
+ tmpname = mktemp (tmpname);
+ if (tmpname == NULL)
+- return NULL;
+- fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
++ fd = -1;
++ else
++ fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
+ #endif
+ if (fd == -1)
+ {
+@@ -561,22 +562,23 @@
+ make_tempdir (const char *filename)
+ {
+ char *tmpname = template_in_dir (filename);
++ char *ret;
+
+ #ifdef HAVE_MKDTEMP
+- return mkdtemp (tmpname);
++ ret = mkdtemp (tmpname);
+ #else
+- tmpname = mktemp (tmpname);
+- if (tmpname == NULL)
+- return NULL;
++ ret = mktemp (tmpname);
+ #if defined (_WIN32) && !defined (__CYGWIN32__)
+ if (mkdir (tmpname) != 0)
+- return NULL;
++ ret = NULL;
+ #else
+ if (mkdir (tmpname, 0700) != 0)
+- return NULL;
++ ret = NULL;
+ #endif
+- return tmpname;
+ #endif
++ if (ret == NULL)
++ free (tmpname);
++ return ret;
+ }
+
+ /* Parse a string into a VMA, with a fatal error if it can't be
+
new file mode 100644
@@ -0,0 +1,34 @@
+From 0d02e70b197c786f26175b9a73f94e01d14abdab Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:31 +0930
+Subject: [PATCH] PR29262, memory leak in pr_function_type
+
+ PR 29262
+ * prdbg.c (pr_function_type): Free "s" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab]
+CVE: CVE-2022-47010
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/prdbg.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/prdbg.c b/binutils/prdbg.c
+index c1e41628d26..bb42a5b6c2d 100644
+--- a/binutils/prdbg.c
++++ b/binutils/prdbg.c
+@@ -778,12 +778,9 @@
+
+ strcat (s, ")");
+
+- if (! substitute_type (info, s))
+- return FALSE;
+-
++ bfd_boolean ret = substitute_type (info, s);
+ free (s);
+-
+- return TRUE;
++ return ret;
+ }
+
+ /* Turn the top type on the stack into a reference to that type. */
new file mode 100644
@@ -0,0 +1,31 @@
+From 8a24927bc8dbf6beac2000593b21235c3796dc35 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 10:39:13 +0930
+Subject: [PATCH] PR29261, memory leak in parse_stab_struct_fields
+
+ PR 29261
+ * stabs.c (parse_stab_struct_fields): Free "fields" on failure path.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35]
+CVE: CVE-2022-47011
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/stabs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 796ff85b86a..bf3f578cbcc 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -2368,7 +2368,10 @@
+
+ if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c,
+ staticsp, p_end))
+- return FALSE;
++ {
++ free (fields);
++ return FALSE;
++ }
+
+ ++c;
+ }
new file mode 100644
@@ -0,0 +1,57 @@
+From 3d3af4ba39e892b1c544d667ca241846bc3df386 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 4 Dec 2022 22:15:40 +1030
+Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols
+
+Fixes a fuzzed object file problem where plt relocs were manipulated
+in such a way that two synthetic symbols were generated at the same
+plt location. Won't occur in real object files.
+
+ PR 29846
+ PR 20337
+ * objdump.c (compare_symbols): Test symbol flags to exclude
+ section and synthetic symbols before attempting to check flavour.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
+CVE: CVE-2022-47695
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/objdump.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index e8481b2d928..d95c8b68bf0 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -935,20 +935,17 @@
+ return 1;
+ }
+
+- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour
++ /* Sort larger size ELF symbols before smaller. See PR20337. */
++ bfd_vma asz = 0;
++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
++ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour)
++ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
++ bfd_vma bsz = 0;
++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+ && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour)
+- {
+- bfd_vma asz, bsz;
+-
+- asz = 0;
+- if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+- bsz = 0;
+- if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
+- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+- if (asz != bsz)
+- return asz > bsz ? -1 : 1;
+- }
++ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
++ if (asz != bsz)
++ return asz > bsz ? -1 : 1;
+
+ /* Symbols that start with '.' might be section names, so sort them
+ after symbols that don't start with '.'. */
+
new file mode 100644
@@ -0,0 +1,49 @@
+From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 21 Dec 2022 11:51:23 +0000
+Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of
+ memory when parsing a corrupt ELF file.
+
+ PR 29924
+ * objdump.c (load_specific_debug_section): Check for excessively
+ large sections.
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd]
+CVE: CVE-2022-48063
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Patch refreshed based on codebase.
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index e7f918d3f65..020e09f3700 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2022-12-21 Nick Clifton <nickc@redhat.com>
++
++ PR 29924
++ * objdump.c (load_specific_debug_section): Check for excessively
++ large sections.
++
+ 2021-02-11 Alan Modra <amodra@gmail.com>
+
+ PR 27290
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index d51abbe3858..2eb02de0e76 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3479,7 +3479,9 @@
+ section->size = bfd_section_size (sec);
+ /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */
+ alloced = amt = section->size + 1;
+- if (alloced != amt || alloced == 0)
++ if (alloced != amt
++ || alloced == 0
++ || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd)))
+ {
+ section->start = NULL;
+ free_debug_section (debug);
+