1fbbeff0c1
Fixes CVE-2014-8121, CVE-2015-1781 and two unnumbered problems (apparently). All these commits should be contained in the 2.22 release, but we don't want that yet due to unresolved locale incompatibilites.
40 lines
1.3 KiB
Diff
40 lines
1.3 KiB
Diff
From bdf1ff052a8e23d637f2c838fa5642d78fcedc33 Mon Sep 17 00:00:00 2001
|
|
From: Paul Pluzhnikov <ppluzhnikov@google.com>
|
|
Date: Sun, 22 Feb 2015 12:01:47 -0800
|
|
Subject: [PATCH] Fix BZ #17269 -- _IO_wstr_overflow integer overflow
|
|
|
|
---
|
|
ChangeLog | 6 ++++++
|
|
NEWS | 6 +++---
|
|
libio/wstrops.c | 8 +++++++-
|
|
3 files changed, 16 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/libio/wstrops.c b/libio/wstrops.c
|
|
index 43d847d..3993579 100644
|
|
--- a/libio/wstrops.c
|
|
+++ b/libio/wstrops.c
|
|
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
|
|
wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
|
|
size_t old_wblen = _IO_wblen (fp);
|
|
_IO_size_t new_size = 2 * old_wblen + 100;
|
|
- if (new_size < old_wblen)
|
|
+
|
|
+ if (__glibc_unlikely (new_size < old_wblen)
|
|
+ || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
|
|
return EOF;
|
|
+
|
|
new_buf
|
|
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
|
|
* sizeof (wchar_t));
|
|
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
|
|
return 1;
|
|
|
|
_IO_size_t newsize = offset + 100;
|
|
+ if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
|
|
+ return 1;
|
|
+
|
|
wchar_t *oldbuf = wd->_IO_buf_base;
|
|
wchar_t *newbuf
|
|
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
|
|
|