
glibc-2.14.1-11.2.mga2.src.rpm

diff -Nurp glibc-2.14.1/malloc/malloc.c glibc-2.14.1-cve/malloc/malloc.c
--- glibc-2.14.1/malloc/malloc.c	2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1-cve/malloc/malloc.c	2013-10-06 17:34:41.671415253 +0300
@@ -3874,6 +3874,13 @@ public_mEMALIGn(size_t alignment, size_t
   /* Otherwise, ensure that it is at least a minimum chunk size */
   if (alignment <  MINSIZE) alignment = MINSIZE;
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - alignment - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   arena_get(ar_ptr, bytes + alignment + MINSIZE);
   if(!ar_ptr)
     return 0;
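Review bot: The new guard in public_mEMALIGn computes `SIZE_MAX - alignment - MINSIZE` in unsigned arithmetic, so a caller-supplied alignment larger than `SIZE_MAX - MINSIZE` wraps the right-hand side, and the test then passes for sizes where `bytes + alignment + MINSIZE` on the arena_get line still overflows. Only the clamp up to MINSIZE is visible in this hunk and the function starts outside it, so an upper bound on alignment may already be enforced earlier. If it is not, reject oversized alignments ahead of the overflow check, e.g. `if (alignment > SIZE_MAX / 2 + 1) { __set_errno (EINVAL); return 0; }`. The valloc and pvalloc hunks subtract the page size rather than a caller-controlled value, so they do not share this problem.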
@@ -3919,6 +3926,13 @@ public_vALLOc(size_t bytes)
 
   size_t pagesz = mp_.pagesize;
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
 					__const __malloc_ptr_t)) =
     force_reg (__memalign_hook);
@@ -3967,6 +3981,13 @@ public_pVALLOc(size_t bytes)
   size_t page_mask = mp_.pagesize - 1;
   size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
 					__const __malloc_ptr_t)) =
     force_reg (__memalign_hook);
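Review bot: In public_pVALLOc the guard sits after `rounded_bytes = (bytes + page_mask) & ~(page_mask)`, so for the sizes it rejects that rounding has already wrapped. This is harmless only because the function returns before rounded_bytes is used, and the bare `/* Check for overflow.  */` does not say so. I would expand the comment to something like `/* Reject sizes where rounding up to a page or adding 2*pagesz + MINSIZE would wrap; rounded_bytes above is not valid past this bound.  */`. The expression that needs the `2*pagesz + MINSIZE` headroom is not visible here (presumably the arena request further down, outside the hunk), so naming it in the comment would let a reader confirm the bound. GNU style would also space the operator as `2 * pagesz`.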