Tue Nov 20 23:13:04 2012 UTC ()

Patches for CVE-2006-4146
 from https://bugzilla.redhat.com/show_bug.cgi?id=204841


(tez)

diff -r1.29 -r1.30 pkgsrc/devel/gdb6/Makefile
diff -r1.13 -r1.14 pkgsrc/devel/gdb6/distinfo
diff -r0 -r1.1 pkgsrc/devel/gdb6/patches/patch-gdb_dwarf2read.c
diff -r0 -r1.1 pkgsrc/devel/gdb6/patches/patch-gdb_dwarfread.c

--- pkgsrc/devel/gdb6/Attic/Makefile 2012/10/31 11:16:59 1.29
+++ pkgsrc/devel/gdb6/Attic/Makefile 2012/11/20 23:13:03 1.30

 @@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.29 2012/10/31 11:16:59 asau Exp $
+# $NetBSD: Makefile,v 1.30 2012/11/20 23:13:03 tez Exp $
+#
 DISTNAME=		gdb-6.2.1
-PKGREVISION=		6
+PKGREVISION=		7
 CATEGORIES=		devel
 MASTER_SITES=		ftp://sources.redhat.com/pub/gdb/releases/
 EXTRACT_SUFX=		.tar.bz2
 MAINTAINER=		shannonjr@NetBSD.org
 HOMEPAGE=		http://www.gnu.org/software/gdb/gdb.html
 COMMENT=		The GNU Project Debugger
 NOT_FOR_PLATFORM=	Darwin-*-* DragonFly-*-*
 USE_TOOLS+=		gmake makeinfo msgfmt
 USE_LIBTOOL=		yes
 USE_PKGLOCALEDIR=	yes

--- pkgsrc/devel/gdb6/Attic/distinfo 2009/09/09 12:50:58 1.13
+++ pkgsrc/devel/gdb6/Attic/distinfo 2012/11/20 23:13:04 1.14

 @@ -1,14 +1,14 @@
-$NetBSD: distinfo,v 1.13 2009/09/09 12:50:58 wiz Exp $
+$NetBSD: distinfo,v 1.14 2012/11/20 23:13:04 tez Exp $
 SHA1 (gdb-6.2.1.tar.bz2) = 50cee3887744c4140aafcc0e4eb579d94464dfd7
 RMD160 (gdb-6.2.1.tar.bz2) = 6fe9f3bbef076c55cbcdf05143e7d5f98f61f889
 Size (gdb-6.2.1.tar.bz2) = 12820148 bytes
 SHA1 (patch-aa) = afb8d7805c2c01c131bc4a7949a532e5372817c0
 SHA1 (patch-ab) = b5c98fc990606e2f5c566864d02565d8fc9adeb4
 SHA1 (patch-ac) = bc9a4e5d77d571a6f06b88984fb2030beec37654
 SHA1 (patch-ad) = 7fddbe93dda4ddb659b050b0b511f5cb19e2777e
 SHA1 (patch-ae) = 19dbdb326643bf32a3d0c26cfea056cca19deb13
 SHA1 (patch-af) = 976cbe2b27c23a113c43cab791562a04d9e6d7e3
 SHA1 (patch-ag) = c53cc22ac5a2c5d5b2c1a7b0825558d8787b2bed
 SHA1 (patch-ah) = 048c03512a18f3234422a3afc00d6c45f2dea58d
 SHA1 (patch-ai) = 66e40920b5de734cbcf66c0b357e82a74f3c48c0
 @@ -36,13 +36,15 @@ SHA1 (patch-bd) = 840ce6ceb34afea4c8b789
 SHA1 (patch-be) = dd353978d62cc45aadf6259e8b5f7b2895317f9c
 SHA1 (patch-bf) = 1c56789841982089a32bdcca8465f6d2112503b0
 SHA1 (patch-bg) = 8a7c8e5d081d261b7493d633931d7003f49001ae
 SHA1 (patch-bh) = c62928b6b8c4857ddb373ab3ac7f111442672b9d
 SHA1 (patch-bi) = 96f44172271f9a45f9136bda159371ee709da59a
 SHA1 (patch-bj) = 43cf376dddf9f91dceee8d1eba853171fd873905
 SHA1 (patch-bk) = 98f836c7007a668b812d119be294842a957cb507
 SHA1 (patch-bl) = 12a9846fc08e8c3110897644d7803f67999b68f8
 SHA1 (patch-bm) = baf198e86cb5e9d8b9f6b0bd6d7ccd1ca61227b4
 SHA1 (patch-bn) = cfeee69148028782b9ab6580f0f619d5f3327325
 SHA1 (patch-bo) = 92221afaa93d9362057783c20100ce7ff1b5df9b
 SHA1 (patch-bp) = bff41b3fb0f5952cbcd37797ec4bb63f6f79da8d
 SHA1 (patch-br) = f1e1a0b16721cdc8b1379685a0598211e71cee49
 SHA1 (patch-gdb_dwarf2read.c) = 811455c31b004a35ba557244037cde55c0161777
 SHA1 (patch-gdb_dwarfread.c) = 56a2210a50e31d464eb4ca295b3021d010f738d2

$NetBSD: patch-gdb_dwarf2read.c,v 1.1 2012/11/20 23:13:04 tez Exp $

Patch for CVE-2006-4146 from https://bugzilla.redhat.com/show_bug.cgi?id=204841

--- gdb/dwarf2read.c.orig	2004-07-06 19:29:30.000000000 +0000
+++ gdb/dwarf2read.c
@@ -8027,8 +8027,7 @@ dwarf2_fundamental_type (struct objfile
    When the result is a register number, the global isreg flag is set,
    otherwise it is cleared.
 
-   Note that stack[0] is unused except as a default error return.
-   Note that stack overflow is not yet handled.  */
+   Note that stack[0] is unused except as a default error return. */
 
 static CORE_ADDR
 decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu)
@@ -8045,7 +8044,7 @@ decode_locdesc (struct dwarf_block *blk,
 
   i = 0;
   stacki = 0;
-  stack[stacki] = 0;
+  stack[++stacki] = 0;
   isreg = 0;
 
   while (i < size)
@@ -8227,6 +8226,16 @@ decode_locdesc (struct dwarf_block *blk,
 		     dwarf_stack_op_name (op));
 	  return (stack[stacki]);
 	}
+      /* Enforce maximum stack depth of size-1 to avoid ++stacki writing
+         outside of the allocated space. Also enforce minimum > 0.
+         -- wad@google.com 14 Aug 2006 */
+      if (stacki >= sizeof (stack) / sizeof (*stack) - 1)
+	internal_error (__FILE__, __LINE__,
+	                _("location description stack too deep: %d"),
+	                stacki);
+      if (stacki <= 0)
+	internal_error (__FILE__, __LINE__,
+	                _("location description stack too shallow"));
     }
   return (stack[stacki]);
 }

$NetBSD: patch-gdb_dwarfread.c,v 1.1 2012/11/20 23:13:04 tez Exp $

Patch for CVE-2006-4146 from https://bugzilla.redhat.com/show_bug.cgi?id=204841

--- gdb/dwarfread.c.orig	2004-07-17 14:16:14.000000000 +0000
+++ gdb/dwarfread.c
@@ -2137,9 +2137,7 @@ decode_line_numbers (char *linetable)
 
    NOTES
 
-   Note that stack[0] is unused except as a default error return.
-   Note that stack overflow is not yet handled.
- */
+   Note that stack[0] is unused except as a default error return. */
 
 static int
 locval (struct dieinfo *dip)
@@ -2159,7 +2157,7 @@ locval (struct dieinfo *dip)
   loc += nbytes;
   end = loc + locsize;
   stacki = 0;
-  stack[stacki] = 0;
+  stack[++stacki] = 0;
   dip->isreg = 0;
   dip->offreg = 0;
   dip->optimized_out = 1;
@@ -2223,6 +2221,16 @@ locval (struct dieinfo *dip)
 	  stacki--;
 	  break;
 	}
+      /* Enforce maximum stack depth of size-1 to avoid ++stacki writing
+         outside of the allocated space. Also enforce minimum > 0.
+         -- wad@google.com 14 Aug 2006 */
+      if (stacki >= sizeof (stack) / sizeof (*stack) - 1)
+	internal_error (__FILE__, __LINE__,
+	                _("location description stack too deep: %d"),
+	                stacki);
+      if (stacki <= 0)
+	internal_error (__FILE__, __LINE__,
+	                _("location description stack too shallow"));
     }
   return (stack[stacki]);
 }