CVE-2016-4493

The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.

Weakness

The product reads data past the end, or before the beginning, of the intended buffer.

Affected Software

Name	Vendor	Start Version	End Version
Libiberty	Gnu	*	*
Binutils	Ubuntu	esm-infra/xenial	*
Binutils	Ubuntu	precise	*
Binutils	Ubuntu	precise/esm	*
Binutils	Ubuntu	trusty	*
Binutils	Ubuntu	trusty/esm	*
Binutils	Ubuntu	upstream	*
Binutils	Ubuntu	wily	*
Binutils	Ubuntu	xenial	*
Binutils	Ubuntu	yakkety	*
Binutils-h8300-hms	Ubuntu	artful	*
Binutils-h8300-hms	Ubuntu	bionic	*
Binutils-h8300-hms	Ubuntu	cosmic	*
Binutils-h8300-hms	Ubuntu	devel	*
Binutils-h8300-hms	Ubuntu	disco	*
Binutils-h8300-hms	Ubuntu	eoan	*
Binutils-h8300-hms	Ubuntu	esm-apps/bionic	*
Binutils-h8300-hms	Ubuntu	esm-apps/focal	*
Binutils-h8300-hms	Ubuntu	esm-apps/jammy	*
Binutils-h8300-hms	Ubuntu	esm-apps/noble	*
Binutils-h8300-hms	Ubuntu	esm-apps/xenial	*
Binutils-h8300-hms	Ubuntu	focal	*
Binutils-h8300-hms	Ubuntu	groovy	*
Binutils-h8300-hms	Ubuntu	hirsute	*
Binutils-h8300-hms	Ubuntu	impish	*
Binutils-h8300-hms	Ubuntu	jammy	*
Binutils-h8300-hms	Ubuntu	kinetic	*
Binutils-h8300-hms	Ubuntu	lunar	*
Binutils-h8300-hms	Ubuntu	mantic	*
Binutils-h8300-hms	Ubuntu	noble	*
Binutils-h8300-hms	Ubuntu	oracular	*
Binutils-h8300-hms	Ubuntu	precise	*
Binutils-h8300-hms	Ubuntu	trusty	*
Binutils-h8300-hms	Ubuntu	wily	*
Binutils-h8300-hms	Ubuntu	xenial	*
Binutils-h8300-hms	Ubuntu	yakkety	*
Binutils-h8300-hms	Ubuntu	zesty	*
Gcc-arm-none-eabi	Ubuntu	artful	*
Gcc-arm-none-eabi	Ubuntu	bionic	*
Gcc-arm-none-eabi	Ubuntu	cosmic	*
Gcc-arm-none-eabi	Ubuntu	esm-apps/bionic	*
Gcc-arm-none-eabi	Ubuntu	esm-apps/xenial	*
Gcc-arm-none-eabi	Ubuntu	trusty	*
Gcc-arm-none-eabi	Ubuntu	wily	*
Gcc-arm-none-eabi	Ubuntu	xenial	*
Gcc-arm-none-eabi	Ubuntu	yakkety	*
Gcc-arm-none-eabi	Ubuntu	zesty	*
Gcc-h8300-hms	Ubuntu	artful	*
Gcc-h8300-hms	Ubuntu	bionic	*
Gcc-h8300-hms	Ubuntu	cosmic	*
Gcc-h8300-hms	Ubuntu	devel	*
Gcc-h8300-hms	Ubuntu	disco	*
Gcc-h8300-hms	Ubuntu	eoan	*
Gcc-h8300-hms	Ubuntu	esm-apps/bionic	*
Gcc-h8300-hms	Ubuntu	esm-apps/focal	*
Gcc-h8300-hms	Ubuntu	esm-apps/jammy	*
Gcc-h8300-hms	Ubuntu	esm-apps/noble	*
Gcc-h8300-hms	Ubuntu	esm-apps/xenial	*
Gcc-h8300-hms	Ubuntu	focal	*
Gcc-h8300-hms	Ubuntu	groovy	*
Gcc-h8300-hms	Ubuntu	hirsute	*
Gcc-h8300-hms	Ubuntu	impish	*
Gcc-h8300-hms	Ubuntu	jammy	*
Gcc-h8300-hms	Ubuntu	kinetic	*
Gcc-h8300-hms	Ubuntu	lunar	*
Gcc-h8300-hms	Ubuntu	mantic	*
Gcc-h8300-hms	Ubuntu	noble	*
Gcc-h8300-hms	Ubuntu	oracular	*
Gcc-h8300-hms	Ubuntu	precise	*
Gcc-h8300-hms	Ubuntu	trusty	*
Gcc-h8300-hms	Ubuntu	wily	*
Gcc-h8300-hms	Ubuntu	xenial	*
Gcc-h8300-hms	Ubuntu	yakkety	*
Gcc-h8300-hms	Ubuntu	zesty	*
Gccxml	Ubuntu	esm-apps/xenial	*
Gccxml	Ubuntu	precise	*
Gccxml	Ubuntu	trusty	*
Gccxml	Ubuntu	wily	*
Gccxml	Ubuntu	xenial	*
Gdb	Ubuntu	precise	*
Gdb	Ubuntu	trusty	*
Gdb	Ubuntu	vivid/stable-phone-overlay	*
Gdb	Ubuntu	vivid/ubuntu-core	*
Gdb	Ubuntu	wily	*
Gdb	Ubuntu	xenial	*
Ht	Ubuntu	artful	*
Ht	Ubuntu	esm-apps/xenial	*
Ht	Ubuntu	precise	*
Ht	Ubuntu	trusty	*
Ht	Ubuntu	wily	*
Ht	Ubuntu	xenial	*
Ht	Ubuntu	yakkety	*
Ht	Ubuntu	zesty	*
Libiberty	Ubuntu	trusty	*
Libiberty	Ubuntu	wily	*
Libiberty	Ubuntu	xenial	*
Libiberty	Ubuntu	yakkety	*
Nescc	Ubuntu	artful	*
Nescc	Ubuntu	bionic	*
Nescc	Ubuntu	cosmic	*
Nescc	Ubuntu	disco	*
Nescc	Ubuntu	eoan	*
Nescc	Ubuntu	esm-apps/bionic	*
Nescc	Ubuntu	esm-apps/focal	*
Nescc	Ubuntu	esm-apps/jammy	*
Nescc	Ubuntu	esm-apps/xenial	*
Nescc	Ubuntu	focal	*
Nescc	Ubuntu	groovy	*
Nescc	Ubuntu	hirsute	*
Nescc	Ubuntu	impish	*
Nescc	Ubuntu	jammy	*
Nescc	Ubuntu	kinetic	*
Nescc	Ubuntu	lunar	*
Nescc	Ubuntu	mantic	*
Nescc	Ubuntu	trusty	*
Nescc	Ubuntu	wily	*
Nescc	Ubuntu	xenial	*
Nescc	Ubuntu	yakkety	*
Nescc	Ubuntu	zesty	*
Sdcc	Ubuntu	artful	*
Sdcc	Ubuntu	bionic	*
Sdcc	Ubuntu	cosmic	*
Sdcc	Ubuntu	esm-apps/bionic	*
Sdcc	Ubuntu	esm-apps/xenial	*
Sdcc	Ubuntu	precise	*
Sdcc	Ubuntu	trusty	*
Sdcc	Ubuntu	wily	*
Sdcc	Ubuntu	xenial	*
Sdcc	Ubuntu	yakkety	*
Sdcc	Ubuntu	zesty	*
Valgrind	Ubuntu	precise	*
Valgrind	Ubuntu	trusty	*
Valgrind	Ubuntu	wily	*
Valgrind	Ubuntu	xenial	*
Valgrind	Ubuntu	yakkety	*

Potential Mitigations

Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.

https://cwe.mitre.org/data/definitions/540.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-4493
CWE	https://cwe.mitre.org/data/definitions/125.html

Out-of-bounds Read

Weakness

Affected Software

Potential Mitigations

References

CVE-2016-4493

Out-of-bounds Read

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References