glibc-2.14.1-11.2.mga2.src.rpm

commit 1cef1b19089528db11f221e938f60b9b048945d7
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Mar 21 15:50:27 2013 +0100

    Fix stack overflow in getaddrinfo with many results

* CVE-2013-1914 Stack overflow in getaddrinfo with many results has been
  fixed (Bugzilla #15330).

 sysdeps/posix/getaddrinfo.c |   23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff -Nurp glibc-2.14.1/sysdeps/posix/getaddrinfo.c glibc-2.14.1.CVE-2013-1914/sysdeps/posix/getaddrinfo.c
--- glibc-2.14.1/sysdeps/posix/getaddrinfo.c	2013-05-02 01:34:18.460657756 +0300
+++ glibc-2.14.1.CVE-2013-1914/sysdeps/posix/getaddrinfo.c	2013-05-02 01:40:56.897753351 +0300
@@ -2454,11 +2454,27 @@ getaddrinfo (const char *name, const cha
       __typeof (once) old_once = once;
       __libc_once (once, gaiconf_init);
       /* Sort results according to RFC 3484.  */
-      struct sort_result results[nresults];
-      size_t order[nresults];
+      struct sort_result *results;
+      size_t *order;
       struct addrinfo *q;
       struct addrinfo *last = NULL;
       char *canonname = NULL;
+      bool malloc_results;
+
+      malloc_results
+	= !__libc_use_alloca (nresults * (sizeof (*results) + sizeof (size_t)));
+      if (malloc_results)
+	{
+	  results = malloc (nresults * (sizeof (*results) + sizeof (size_t)));
+	  if (results == NULL)
+	    {
+	      free (in6ai);
+	      return EAI_MEMORY;
+	    }
+	}
+      else
+	results = alloca (nresults * (sizeof (*results) + sizeof (size_t)));
+      order = (size_t *) (results + nresults);
 
       /* If we have information about deprecated and temporary addresses
 	 sort the array now.  */
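Review bot: The allocation size `nresults * (sizeof (*results) + sizeof (size_t))` is written out three times (the `__libc_use_alloca` test, the `malloc` and the `alloca`) and the multiplication is never checked for wrap-around, so the copies can drift apart and a wrapped product would give a buffer smaller than the `results + nresults` offset used for `order` assumes. Compute it once, e.g. `size_t alloc_size = nresults * (sizeof (*results) + sizeof (size_t));`, and return `EAI_MEMORY` when the count exceeds `SIZE_MAX / (sizeof (*results) + sizeof (size_t))`; the type and upper bound of `nresults` are declared outside this hunk, so whether a wrap is actually reachable needs confirming. The new `return EAI_MEMORY` path frees only `in6ai`; if the address list built earlier in getaddrinfo is still owned by the function at this point (not visible here), it should be released on that path as well. A one-line comment stating that `order` lives in the tail of the `results` allocation would also help the next reader.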
@@ -2625,6 +2641,9 @@ getaddrinfo (const char *name, const cha
 
       /* Fill in the canonical name into the new first entry.  */
       p->ai_canonname = canonname;
+
+      if (malloc_results)
+	free (results);
     }
 
   free (in6ai);
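Review bot: The `free (results)` added at the end of the sorting block is the only release of the heap buffer visible in this patch, and by the hunk headers it sits roughly 160 lines after the allocation. The code between the two hunks is not shown, so any exit from the block before this point would leak `results` when `malloc_results` is true and should be checked. A comment at the free such as `/* results is heap-allocated only when too large for alloca.  */` would make the pairing with the earlier allocation explicit.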