From 708d7d0d11f0f2d776171979aa3479e8e12a38a0 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 28 Oct 2014 10:48:14 +0000
Subject: [PATCH] This patch fixes a flaw in the SREC parser which could cause
 a stack overflow and potential secuiryt breach.

	PR binutils/17510
	* srec.c (srec_bad_byte): Increase size of buf to allow for
	negative values.
	(srec_scan): Use an unsigned char buffer to hold header bytes.
---
 bfd/ChangeLog  | 8 ++++++++
 bfd/elf.c      | 2 +-
 bfd/peXXigen.c | 1 -
 bfd/srec.c     | 4 ++--
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 547ef1c..0a4d0b1 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2014-10-28  Andreas Schwab  <schwab@suse.de>
+	    Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/17510
+	* srec.c (srec_bad_byte): Increase size of buf to allow for
+	negative values.
+	(srec_scan): Use an unsigned char buffer to hold header bytes.
+
 2014-10-27  Nick Clifton  <nickc@redhat.com>
 
 	PR binutils/17512
diff --git a/bfd/elf.c b/bfd/elf.c
index 3fcf2d8..949221f 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -629,7 +629,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
 		      memset (shdr->contents, 0, amt);
 		      continue;
 		    }
-		  
+
 		  /* Translate raw contents, a flag word followed by an
 		     array of elf section indices all in target byte order,
 		     to the flag word followed by an array of elf section
diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index c7d6067..6129085 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -515,7 +515,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd,
 	a->NumberOfRvaAndSizes = 0;
       }
 
-
     for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++)
       {
         /* If data directory is empty, rva also should be 0.  */
diff --git a/bfd/srec.c b/bfd/srec.c
index 9ed2080..5f9a546 100644
--- a/bfd/srec.c
+++ b/bfd/srec.c
@@ -246,7 +246,7 @@ srec_bad_byte (bfd *abfd,
     }
   else
     {
-      char buf[10];
+      char buf[40];
 
       if (! ISPRINT (c))
 	sprintf (buf, "\\%03o", (unsigned int) c);
@@ -452,7 +452,7 @@ srec_scan (bfd *abfd)
 	case 'S':
 	  {
 	    file_ptr pos;
-	    char hdr[3];
+	    unsigned char hdr[3];
 	    unsigned int bytes, min_bytes;
 	    bfd_vma address;
 	    bfd_byte *data;
-- 
2.7.4