Sophie

Sophie

distrib > Mageia > 5 > x86_64 > media > core-release-src > by-pkgid > a4a0d1c8399898809d0c2e3f4ac34ae9 > files > 19

glibc-2.20-20.mga5.src.rpm

From bdf1ff052a8e23d637f2c838fa5642d78fcedc33 Mon Sep 17 00:00:00 2001
From: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sun, 22 Feb 2015 12:01:22 -0800
Subject: [PATCH] Fix BZ #17269 -- _IO_wstr_overflow integer overflow

---
 ChangeLog       | 6 ++++++
 NEWS            | 6 +++---
 libio/wstrops.c | 8 +++++++-
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 18961d8..9ae6b8b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-02-22  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #17269]
+	* libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+	(enlarge_userbuf): Likewise.
+
 2015-02-16  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
 	[BZ #16618]
diff --git a/NEWS b/NEWS
index 5eb79d2..28ef45d 100644
--- a/NEWS
+++ b/NEWS
@@ -9,8 +9,8 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625,
-  17630, 17801.
+  16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555,
+  17625, 17630, 17801.
 
 * CVE-2015-1472 Under certain conditions wscanf can allocate too little
   memory for the to-be-scanned arguments and overflow the allocated
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 43d847d..3993579 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
 	  size_t old_wblen = _IO_wblen (fp);
 	  _IO_size_t new_size = 2 * old_wblen + 100;
-	  if (new_size < old_wblen)
+
+	  if (__glibc_unlikely (new_size < old_wblen)
+	      || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
 	    return EOF;
+
 	  new_buf
 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
 									* sizeof (wchar_t));
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
     return 1;
 
   _IO_size_t newsize = offset + 100;
+  if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+    return 1;
+
   wchar_t *oldbuf = wd->_IO_buf_base;
   wchar_t *newbuf
     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
-- 
2.3.1

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional