@@ -69,5 +69,6 @@ SRC_URI = "\
file://0032-CVE-2022-47010.patch \
file://0033-CVE-2022-47007.patch \
file://0034-CVE-2022-48064.patch \
+ file://0035-CVE-2023-39129.patch \
"
S = "${WORKDIR}/git"
new file mode 100644
@@ -0,0 +1,51 @@
+From: Keith Seitz <keiths@redhat.com>
+Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700)
+Subject: Verify COFF symbol stringtab offset
+X-Git-Tag: gdb-14-branchpoint~473
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a
+
+Verify COFF symbol stringtab offset
+
+This patch addresses an issue with malformed/fuzzed debug information that
+was recently reported in gdb/30639. That bug specifically deals with
+an ASAN issue, but the reproducer provided by the reporter causes a
+another failure outside of ASAN:
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a]
+
+CVE: CVE-2023-39129
+
+Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com>
+
+diff --git a/gdb/coffread.c b/gdb/coffread.c
+index f8e14d8ad93..ae7632d49cb 100644
+--- a/gdb/coffread.c
++++ b/gdb/coffread.c
+@@ -159,6 +159,7 @@ static file_ptr linetab_offset;
+ static file_ptr linetab_size;
+
+ static char *stringtab = NULL;
++static long stringtab_length = 0;
+
+ extern void stabsread_clear_cache (void);
+
+@@ -1303,6 +1304,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
+ /* This is in target format (probably not very useful, and not
+ currently used), not host format. */
+ memcpy (stringtab, lengthbuf, sizeof lengthbuf);
++ stringtab_length = length;
+ if (length == sizeof length) /* Empty table -- just the count. */
+ return 0;
+
+@@ -1322,8 +1324,9 @@ getsymname (struct internal_syment *symbol_entry)
+
+ if (symbol_entry->_n._n_n._n_zeroes == 0)
+ {
+- /* FIXME: Probably should be detecting corrupt symbol files by
+- seeing whether offset points to within the stringtab. */
++ if (symbol_entry->_n._n_n._n_offset > stringtab_length)
++ error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"),
++ symbol_entry->_n._n_n._n_offset, stringtab_length);
+ result = stringtab + symbol_entry->_n._n_n._n_offset;
+ }
+ else