Djam/glibc
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/glibc.git synced 2025-02-23 06:52:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Security fix

Browse source
This commit is contained in:
Danila Leontiev 2013-07-15 11:41:27 +04:00
parent b9b04af528
commit 62d5878cfa
9 changed files with 46071 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

204
glibc-CVE-2012-0864.patch Normal file
View file

@ -0,0 +1,204 @@
From 7c1f4834d398163d1ac8101e35e9c36fc3176e6e Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Mon, 5 Mar 2012 10:17:22 +0100
Subject: [PATCH] 2012-03-02 Kees Cook <keescook@chromium.org>
[BZ #13656]
* stdio-common/vfprintf.c (vfprintf): Check for nargs overflow and
possibly allocate from heap instead of stack.
* stdio-common/bug-vfprintf-nargs.c: New file.
* stdio-common/Makefile (tests): Add nargs overflow test.
---
ChangeLog | 8 ++++
stdio-common/Makefile | 3 +-
stdio-common/bug-vfprintf-nargs.c | 78 +++++++++++++++++++++++++++++++++++++
stdio-common/vfprintf.c | 47 ++++++++++++++++++----
4 files changed, 126 insertions(+), 10 deletions(-)
create mode 100644 stdio-common/bug-vfprintf-nargs.c
diff --git a/ChangeLog b/ChangeLog
index 4cf6446..dad26da 100644
diff --git a/stdio-common/Makefile b/stdio-common/Makefile
index a847b28..080badc 100644
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@@ -59,7 +59,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \
tst-fwrite bug16 bug17 tst-swscanf tst-sprintf2 bug18 bug18a \
bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
- scanf16 scanf17 tst-setvbuf1 tst-grouping
+ scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 \
+ bug-vfprintf-nargs
test-srcs = tst-unbputc tst-printf
diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c
new file mode 100644
index 0000000..13c66c0
--- /dev/null
+++ b/stdio-common/bug-vfprintf-nargs.c
@@ -0,0 +1,78 @@
+/* Test for vfprintf nargs allocation overflow (BZ #13656).
+ Copyright (C) 2012 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+ Contributed by Kees Cook <keescook@chromium.org>, 2012.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, write to the Free
+ Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+ 02111-1307 USA. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <string.h>
+#include <signal.h>
+
+static int
+format_failed (const char *fmt, const char *expected)
+{
+ char output[80];
+
+ printf ("%s : ", fmt);
+
+ memset (output, 0, sizeof output);
+ /* Having sprintf itself detect a failure is good. */
+ if (sprintf (output, fmt, 1, 2, 3, "test") > 0
+ && strcmp (output, expected) != 0)
+ {
+ printf ("FAIL (output '%s' != expected '%s')\n", output, expected);
+ return 1;
+ }
+ puts ("ok");
+ return 0;
+}
+
+static int
+do_test (void)
+{
+ int rc = 0;
+ char buf[64];
+
+ /* Regular positionals work. */
+ if (format_failed ("%1$d", "1") != 0)
+ rc = 1;
+
+ /* Regular width positionals work. */
+ if (format_failed ("%1$*2$d", " 1") != 0)
+ rc = 1;
+
+ /* Positional arguments are constructed via read_int, so nargs can only
+ overflow on 32-bit systems. On 64-bit systems, it will attempt to
+ allocate a giant amount of memory and possibly crash, which is the
+ expected situation. Since the 64-bit behavior is arch-specific, only
+ test this on 32-bit systems. */
+ if (sizeof (long int) == 4)
+ {
+ sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int));
+ if (format_failed (buf, "1 %$d") != 0)
+ rc = 1;
+ }
+
+ return rc;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 863cd5d..c802e46 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
0 if unknown. */
int readonly_format = 0;
+ /* For the argument descriptions, which may be allocated on the heap. */
+ void *args_malloced = NULL;
+
/* This table maps a character into a number representing a
class. In each step there is a destination label for each
class. */
@@ -1647,9 +1650,10 @@ do_positional:
determine the size of the array needed to store the argument
attributes. */
size_t nargs = 0;
- int *args_type;
- union printf_arg *args_value = NULL;
+ size_t bytes_per_arg;
+ union printf_arg *args_value;
int *args_size;
+ int *args_type;
/* Positional parameters refer to arguments directly. This could
also determine the maximum number of arguments. Track the
@@ -1698,13 +1702,38 @@ do_positional:
/* Determine the number of arguments the format string consumes. */
nargs = MAX (nargs, max_ref_arg);
+ /* Calculate total size needed to represent a single argument across
+ all three argument-related arrays. */
+ bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
+ + sizeof (*args_type);
+
+ /* Check for potential integer overflow. */
+ if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))
+ {
+ __set_errno (ERANGE);
+ done = -1;
+ goto all_done;
+ }
- /* Allocate memory for the argument descriptions. */
- args_type = alloca (nargs * sizeof (int));
+ /* Allocate memory for all three argument arrays. */
+ if (__libc_use_alloca (nargs * bytes_per_arg))
+ args_value = alloca (nargs * bytes_per_arg);
+ else
+ {
+ args_value = args_malloced = malloc (nargs * bytes_per_arg);
+ if (args_value == NULL)
+ {
+ done = -1;
+ goto all_done;
+ }
+ }
+
+ /* Set up the remaining two arrays to each point past the end of the
+ prior array, since space for all three has been allocated now. */
+ args_size = &args_value[nargs].pa_int;
+ args_type = &args_size[nargs];
memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
- nargs * sizeof (int));
- args_value = alloca (nargs * sizeof (union printf_arg));
- args_size = alloca (nargs * sizeof (int));
+ nargs * sizeof (*args_type));
/* XXX Could do sanity check here: If any element in ARGS_TYPE is
still zero after this loop, format is invalid. For now we
@@ -1973,8 +2002,8 @@ do_positional:
}
all_done:
- if (__builtin_expect (workstart != NULL, 0))
- free (workstart);
+ free (args_malloced);
+ free (workstart);
/* Unlock the stream. */
_IO_funlockfile (s);
_IO_cleanup_region_end (0);
--
1.7.1

67
glibc-CVE-2012-3404.patch Normal file
View file

@ -0,0 +1,67 @@
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index c802e46..85d1900 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -822,7 +822,7 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
\
if (function_done < 0) \
{ \
- /* Error in print handler. */ \
+ /* Error in print handler; up to handler to set errno. */ \
done = -1; \
goto all_done; \
} \
@@ -876,7 +876,7 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
\
if (function_done < 0) \
{ \
- /* Error in print handler. */ \
+ /* Error in print handler; up to handler to set errno. */ \
done = -1; \
goto all_done; \
} \
@@ -1117,7 +1117,7 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
&mbstate); \
if (len == (size_t) -1) \
{ \
- /* Something went wron gduring the conversion. Bail out. */ \
+ /* Something went wrong during the conversion. Bail out. */ \
done = -1; \
goto all_done; \
} \
@@ -1188,6 +1188,7 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
if (__mbsnrtowcs (ignore, &str2, strend - str2, \
ignore_size, &ps) == (size_t) -1) \
{ \
+ /* Conversion function has set errno. */ \
done = -1; \
goto all_done; \
} \
@@ -1605,6 +1606,7 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
if (spec == L_('\0'))
{
/* The format string ended before the specifier is complete. */
+ __set_errno (EINVAL);
done = -1;
goto all_done;
}
@@ -1948,6 +1950,7 @@ do_positional:
about # of chars. */
if (function_done < 0)
{
+ /* Function has set errno. */
done = -1;
goto all_done;
}
@@ -1982,6 +1985,7 @@ do_positional:
of chars. */
if (function_done < 0)
{
+ /* Function has set errno. */
done = -1;
goto all_done;
}
--
1.7.1

51
glibc-CVE-2012-3405.patch Normal file
View file

@ -0,0 +1,51 @@
diff --git a/stdio-common/bug23.c b/stdio-common/bug23.c
new file mode 100644
index 0000000..dcc5428
--- /dev/null
+++ b/stdio-common/bug23.c
@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <string.h>
+
+static char buf[32768];
+static const char expected[] = "\
+\n\
+a\n\
+abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n";
+
+static int
+do_test (void)
+{
+ snprintf (buf, sizeof (buf),
+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+ "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n",
+ "a", "b", "c", "d", 5);
+ return strcmp (buf, expected) != 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index fc370e8..cfa4c30 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 1991-2008, 2009, 2010 Free Software Foundation, Inc.
+/* Copyright (C) 1991-2008, 2009, 2010, 2011 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
@@ -1682,7 +1682,8 @@ do_positional:
{
/* Extend the array of format specifiers. */
struct printf_spec *old = specs;
- specs = extend_alloca (specs, nspecs_max, 2 * nspecs_max);
+ specs = extend_alloca (specs, nspecs_max,
+ 2 * nspecs_max * sizeof (*specs));
/* Copy the old array's elements to the new space. */
memmove (specs, old, nspecs * sizeof (struct printf_spec));
--
1.7.1

40
glibc-CVE-2012-3406.patch Normal file
View file

@ -0,0 +1,40 @@
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 753a5ac..952886b 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1640,9 +1640,9 @@ do_positional:
/* Array with information about the needed arguments. This has to
be dynamically extensible. */
size_t nspecs = 0;
- size_t nspecs_max = 32; /* A more or less arbitrary start value. */
- struct printf_spec *specs
- = alloca (nspecs_max * sizeof (struct printf_spec));
+ /* A more or less arbitrary start value. */
+ size_t nspecs_size = 32 * sizeof (struct printf_spec);
+ struct printf_spec *specs = alloca (nspecs_size);
/* The number of arguments the format string requests. This will
determine the size of the array needed to store the argument
@@ -1679,15 +1679,14 @@ do_positional:
for (f = lead_str_end; *f != L_('\0'); f = specs[nspecs++].next_fmt)
{
- if (nspecs >= nspecs_max)
+ if (nspecs * sizeof (*specs) >= nspecs_size)
{
/* Extend the array of format specifiers. */
struct printf_spec *old = specs;
- specs = extend_alloca (specs, nspecs_max,
- 2 * nspecs_max * sizeof (*specs));
+ specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
/* Copy the old array's elements to the new space. */
- memmove (specs, old, nspecs * sizeof (struct printf_spec));
+ memmove (specs, old, nspecs * sizeof (*specs));
}
/* Parse the format specifier. */
--
1.7.1

45152
glibc-CVE-2012-3480.patch Normal file
View file

File diff suppressed because it is too large Load diff

134
glibc-CVE-2013-0242.2.patch Normal file
View file

@ -0,0 +1,134 @@
diff --git a/posix/Makefile b/posix/Makefile
index 57672d8..6ceb440 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -86,7 +86,7 @@ tests := tstgetopt testfnm runtests runptests \
tst-rfc3484-3 \
tst-getaddrinfo3 tst-fnmatch2 tst-cpucount tst-cpuset \
bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \
- bug-getopt5
+ bug-getopt5 bug-regex34
xtests := bug-ga2
ifeq (yes,$(build-shared))
test-srcs := globtest
@@ -199,6 +199,7 @@ bug-regex26-ENV = LOCPATH=$(common-objpfx)localedata
bug-regex25-ENV = LOCPATH=$(common-objpfx)localedata
bug-regex26-ENV = LOCPATH=$(common-objpfx)localedata
bug-regex30-ENV = LOCPATH=$(common-objpfx)localedata
+bug-regex34-ENV = LOCPATH=$(common-objpfx)localedata
tst-rxspencer-ARGS = --utf8 rxspencer/tests
tst-rxspencer-ENV = LOCPATH=$(common-objpfx)localedata
tst-pcre-ARGS = PCRE.tests
diff --git a/posix/bug-regex34.c b/posix/bug-regex34.c
new file mode 100644
index 0000000..bb3b613
--- /dev/null
+++ b/posix/bug-regex34.c
@@ -0,0 +1,46 @@
+/* Test re_search with multi-byte characters in UTF-8.
+ Copyright (C) 2013 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#define _GNU_SOURCE 1
+#include <stdio.h>
+#include <string.h>
+#include <locale.h>
+#include <regex.h>
+
+static int
+do_test (void)
+{
+ struct re_pattern_buffer r;
+ /* ááááááááx */
+ const char *s = "\xe1\x80\x80\xe1\x80\xbb\xe1\x80\xbd\xe1\x80\x94\xe1\x80\xba\xe1\x80\xaf\xe1\x80\x95\xe1\x80\xbax";
+
+ if (setlocale (LC_ALL, "en_US.UTF-8") == NULL)
+ {
+ puts ("setlocale failed");
+ return 1;
+ }
+ memset (&r, 0, sizeof (r));
+
+ re_compile_pattern ("[^x]x", 5, &r);
+ /* This was triggering a buffer overflow. */
+ re_search (&r, s, strlen (s), 0, strlen (s), 0);
+ return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff --git a/posix/regexec.c b/posix/regexec.c
index 7f2de85..5ca2bf6 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -197,7 +197,7 @@ static int group_nodes_into_DFAstates (const re_dfa_t *dfa,
static int check_node_accept (const re_match_context_t *mctx,
const re_token_t *node, int idx)
internal_function;
-static reg_errcode_t extend_buffers (re_match_context_t *mctx)
+static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len)
internal_function;
/* Entry point for POSIX code. */
@@ -1160,7 +1160,7 @@ check_matching (re_match_context_t *mctx, int fl_longest_match,
|| (BE (next_char_idx >= mctx->input.valid_len, 0)
&& mctx->input.valid_len < mctx->input.len))
{
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, next_char_idx + 1);
if (BE (err != REG_NOERROR, 0))
{
assert (err == REG_ESPACE);
@@ -1738,7 +1738,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, int next_state_log_idx)
&& mctx->input.valid_len < mctx->input.len))
{
reg_errcode_t err;
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, next_state_log_idx + 1);
if (BE (err != REG_NOERROR, 0))
return err;
}
@@ -2792,7 +2792,7 @@ get_subexp (re_match_context_t *mctx, int bkref_node, int bkref_str_idx)
if (bkref_str_off >= mctx->input.len)
break;
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, bkref_str_off + 1);
if (BE (err != REG_NOERROR, 0))
return err;
@@ -4102,7 +4102,7 @@ check_node_accept (const re_match_context_t *mctx, const re_token_t *node,
static reg_errcode_t
internal_function __attribute_warn_unused_result__
-extend_buffers (re_match_context_t *mctx)
+extend_buffers (re_match_context_t *mctx, int min_len)
{
reg_errcode_t ret;
re_string_t *pstr = &mctx->input;
@@ -4111,8 +4111,10 @@ extend_buffers (re_match_context_t *mctx)
if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
return REG_ESPACE;
- /* Double the lengthes of the buffers. */
- ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2);
+ /* Double the lengthes of the buffers, but allocate at least MIN_LEN. */
+ ret = re_string_realloc_buffers (pstr,
+ MAX (min_len,
+ MIN (pstr->len, pstr->bufs_len * 2)));
if (BE (ret != REG_NOERROR, 0))
return ret;

43
glibc-CVE-2013-0242.patch Normal file
View file

@ -0,0 +1,43 @@
Bug 810637: fix stack overflow in getaddrinfo with many results
Index: glibc-2.4/sysdeps/posix/getaddrinfo.c
===================================================================
--- glibc-2.4.orig/sysdeps/posix/getaddrinfo.c
+++ glibc-2.4/sysdeps/posix/getaddrinfo.c
@@ -2099,10 +2099,24 @@ getaddrinfo (const char *name, const cha
__libc_once (once, gaiconf_init);
/* Sort results according to RFC 3484. */
- struct sort_result results[nresults];
+ struct sort_result *results;
size_t order[nresults];
struct addrinfo *q;
struct addrinfo *last = NULL;
char *canonname = NULL;
+ bool malloc_results;
+
+ malloc_results = !__libc_use_alloca (nresults * sizeof (*results));
+ if (malloc_results)
+ {
+ results = malloc (nresults * sizeof (*results));
+ if (results == NULL)
+ {
+ free (in6ai);
+ return EAI_MEMORY;
+ }
+ }
+ else
+ results = alloca (nresults * sizeof (*results));
/* If we have information about deprecated and temporary addresses
sort the array now. */
@@ -2269,6 +2283,9 @@ getaddrinfo (const char *name, const cha
/* Fill in the canonical name into the new first entry. */
p->ai_canonname = canonname;
+
+ if (malloc_results)
+ free (results);
}
free (in6ai);

357
glibc-CVE-2013-1914.patch Normal file
View file

@ -0,0 +1,357 @@
diff --git a/stdlib/Makefile b/stdlib/Makefile
index 10674f2..f94266e 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -71,7 +71,7 @@ tests := tst-strtol tst-strtod testmb t
tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \
tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2 \
tst-makecontext2 tst-strtod6 tst-unsetenv1 \
- tst-makecontext3
+ tst-makecontext3 tst-strtod-overflow
include ../Makeconfig
diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c
index 2166a08..bf0c781 100644
--- a/stdlib/strtod_l.c
+++ b/stdlib/strtod_l.c
@@ -60,6 +60,7 @@ extern unsigned long long int ____strtoull_l_internal (const char *, char **,
#include <math.h>
#include <stdlib.h>
#include <string.h>
+#include <stdint.h>
/* The gmp headers need some configuration frobs. */
#define HAVE_ALLOCA 1
@@ -174,19 +175,19 @@ extern const mp_limb_t _tens_in_limb[MAX_DIG_PER_LIMB + 1];
/* Return a floating point number of the needed type according to the given
multi-precision number after possible rounding. */
static FLOAT
-round_and_return (mp_limb_t *retval, int exponent, int negative,
+round_and_return (mp_limb_t *retval, intmax_t exponent, int negative,
mp_limb_t round_limb, mp_size_t round_bit, int more_bits)
{
if (exponent < MIN_EXP - 1)
{
- mp_size_t shift = MIN_EXP - 1 - exponent;
-
- if (shift > MANT_DIG)
+ if (exponent < MIN_EXP - 1 - MANT_DIG)
{
__set_errno (EDOM);
return 0.0;
}
+ mp_size_t shift = MIN_EXP - 1 - exponent;
+
more_bits |= (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0;
if (shift == MANT_DIG)
/* This is a special case to handle the very seldom case where
@@ -233,6 +234,9 @@ round_and_return (mp_limb_t *retval, int exponent, int negative,
__set_errno (ERANGE);
}
+ if (exponent > MAX_EXP)
+ goto overflow;
+
if ((round_limb & (((mp_limb_t) 1) << round_bit)) != 0
&& (more_bits || (retval[0] & 1) != 0
|| (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0))
@@ -258,6 +262,7 @@ round_and_return (mp_limb_t *retval, int exponent, int negative,
}
if (exponent > MAX_EXP)
+ overflow:
return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL;
return MPN2FLOAT (retval, exponent, negative);
@@ -271,7 +276,7 @@ round_and_return (mp_limb_t *retval, int exponent, int negative,
factor for the resulting number (see code) multiply by it. */
static const STRING_TYPE *
str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
- int *exponent
+ intmax_t *exponent
#ifndef USE_WIDE_CHAR
, const char *decimal, size_t decimal_len, const char *thousands
#endif
@@ -335,7 +340,7 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
}
while (--digcnt > 0);
- if (*exponent > 0 && cnt + *exponent <= MAX_DIG_PER_LIMB)
+ if (*exponent > 0 && *exponent <= MAX_DIG_PER_LIMB - cnt)
{
low *= _tens_in_limb[*exponent];
start = _tens_in_limb[cnt + *exponent];
@@ -413,7 +418,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
{
int negative; /* The sign of the number. */
MPN_VAR (num); /* MP representation of the number. */
- int exponent; /* Exponent of the number. */
+ intmax_t exponent; /* Exponent of the number. */
/* Numbers starting `0X' or `0x' have to be processed with base 16. */
int base = 10;
@@ -435,7 +440,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
/* Points at the character following the integer and fractional digits. */
const STRING_TYPE *expp;
/* Total number of digit and number of digits in integer part. */
- int dig_no, int_no, lead_zero;
+ size_t dig_no, int_no, lead_zero;
/* Contains the last character read. */
CHAR_TYPE c;
@@ -767,7 +772,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
are all or any is really a fractional digit will be decided
later. */
int_no = dig_no;
- lead_zero = int_no == 0 ? -1 : 0;
+ lead_zero = int_no == 0 ? (size_t) -1 : 0;
/* Read the fractional digits. A special case are the 'american
style' numbers like `16.' i.e. with decimal point but without
@@ -789,12 +794,13 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
(base == 16 && ({ CHAR_TYPE lo = TOLOWER (c);
lo >= L_('a') && lo <= L_('f'); })))
{
- if (c != L_('0') && lead_zero == -1)
+ if (c != L_('0') && lead_zero == (size_t) -1)
lead_zero = dig_no - int_no;
++dig_no;
c = *++cp;
}
}
+ assert (dig_no <= (uintmax_t) INTMAX_MAX);
/* Remember start of exponent (if any). */
expp = cp;
@@ -817,24 +823,80 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
if (c >= L_('0') && c <= L_('9'))
{
- int exp_limit;
+ intmax_t exp_limit;
/* Get the exponent limit. */
if (base == 16)
- exp_limit = (exp_negative ?
- -MIN_EXP + MANT_DIG + 4 * int_no :
- MAX_EXP - 4 * int_no + 4 * lead_zero + 3);
+ {
+ if (exp_negative)
+ {
+ assert (int_no <= (uintmax_t) (INTMAX_MAX
+ + MIN_EXP - MANT_DIG) / 4);
+ exp_limit = -MIN_EXP + MANT_DIG + 4 * (intmax_t) int_no;
+ }
+ else
+ {
+ if (int_no)
+ {
+ assert (lead_zero == 0
+ && int_no <= (uintmax_t) INTMAX_MAX / 4);
+ exp_limit = MAX_EXP - 4 * (intmax_t) int_no + 3;
+ }
+ else if (lead_zero == (size_t) -1)
+ {
+ /* The number is zero and this limit is
+ arbitrary. */
+ exp_limit = MAX_EXP + 3;
+ }
+ else
+ {
+ assert (lead_zero
+ <= (uintmax_t) (INTMAX_MAX - MAX_EXP - 3) / 4);
+ exp_limit = (MAX_EXP
+ + 4 * (intmax_t) lead_zero
+ + 3);
+ }
+ }
+ }
else
- exp_limit = (exp_negative ?
- -MIN_10_EXP + MANT_DIG + int_no :
- MAX_10_EXP - int_no + lead_zero + 1);
+ {
+ if (exp_negative)
+ {
+ assert (int_no
+ <= (uintmax_t) (INTMAX_MAX + MIN_10_EXP - MANT_DIG));
+ exp_limit = -MIN_10_EXP + MANT_DIG + (intmax_t) int_no;
+ }
+ else
+ {
+ if (int_no)
+ {
+ assert (lead_zero == 0
+ && int_no <= (uintmax_t) INTMAX_MAX);
+ exp_limit = MAX_10_EXP - (intmax_t) int_no + 1;
+ }
+ else if (lead_zero == (size_t) -1)
+ {
+ /* The number is zero and this limit is
+ arbitrary. */
+ exp_limit = MAX_10_EXP + 1;
+ }
+ else
+ {
+ assert (lead_zero
+ <= (uintmax_t) (INTMAX_MAX - MAX_10_EXP - 1));
+ exp_limit = MAX_10_EXP + (intmax_t) lead_zero + 1;
+ }
+ }
+ }
+
+ if (exp_limit < 0)
+ exp_limit = 0;
do
{
- exponent *= 10;
- exponent += c - L_('0');
-
- if (__builtin_expect (exponent > exp_limit, 0))
+ if (__builtin_expect ((exponent > exp_limit / 10
+ || (exponent == exp_limit / 10
+ && c - L_('0') > exp_limit % 10)), 0))
/* The exponent is too large/small to represent a valid
number. */
{
@@ -843,7 +905,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
/* We have to take care for special situation: a joker
might have written "0.0e100000" which is in fact
zero. */
- if (lead_zero == -1)
+ if (lead_zero == (size_t) -1)
result = negative ? -0.0 : 0.0;
else
{
@@ -862,6 +924,9 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
/* NOTREACHED */
}
+ exponent *= 10;
+ exponent += c - L_('0');
+
c = *++cp;
}
while (c >= L_('0') && c <= L_('9'));
@@ -930,7 +995,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
}
#endif
startp += lead_zero + decimal_len;
- exponent -= base == 16 ? 4 * lead_zero : lead_zero;
+ assert (lead_zero <= (base == 16
+ ? (uintmax_t) INTMAX_MAX / 4
+ : (uintmax_t) INTMAX_MAX));
+ assert (lead_zero <= (base == 16
+ ? ((uintmax_t) exponent
+ - (uintmax_t) INTMAX_MIN) / 4
+ : ((uintmax_t) exponent - (uintmax_t) INTMAX_MIN)));
+ exponent -= base == 16 ? 4 * (intmax_t) lead_zero : (intmax_t) lead_zero;
dig_no -= lead_zero;
}
@@ -972,7 +1044,10 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
}
/* Adjust the exponent for the bits we are shifting in. */
- exponent += bits - 1 + (int_no - 1) * 4;
+ assert (int_no <= (uintmax_t) (exponent < 0
+ ? (INTMAX_MAX - bits + 1) / 4
+ : (INTMAX_MAX - exponent - bits + 1) / 4));
+ exponent += bits - 1 + ((intmax_t) int_no - 1) * 4;
while (--dig_no > 0 && idx >= 0)
{
@@ -1024,13 +1099,15 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
really integer digits or belong to the fractional part; i.e. we normalize
123e-2 to 1.23. */
{
- register int incr = (exponent < 0 ? MAX (-int_no, exponent)
- : MIN (dig_no - int_no, exponent));
+ register intmax_t incr = (exponent < 0
+ ? MAX (-(intmax_t) int_no, exponent)
+ : MIN ((intmax_t) dig_no - (intmax_t) int_no,
+ exponent));
int_no += incr;
exponent -= incr;
}
- if (__builtin_expect (int_no + exponent > MAX_10_EXP + 1, 0))
+ if (__builtin_expect (exponent > MAX_10_EXP + 1 - (intmax_t) int_no, 0))
{
__set_errno (ERANGE);
return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL;
@@ -1215,7 +1292,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
digits we should have enough bits for the result. The remaining
decimal digits give us the information that more bits are following.
This can be used while rounding. (Two added as a safety margin.) */
- if (dig_no - int_no > (MANT_DIG - bits + 2) / 3 + 2)
+ if ((intmax_t) dig_no > (intmax_t) int_no + (MANT_DIG - bits + 2) / 3 + 2)
{
dig_no = int_no + (MANT_DIG - bits + 2) / 3 + 2;
more_bits = 1;
@@ -1223,7 +1300,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
else
more_bits = 0;
- neg_exp = dig_no - int_no - exponent;
+ neg_exp = (intmax_t) dig_no - (intmax_t) int_no - exponent;
/* Construct the denominator. */
densize = 0;
diff --git a/stdlib/tst-strtod-overflow.c b/stdlib/tst-strtod-overflow.c
new file mode 100644
index 0000000..668d55b
--- /dev/null
+++ b/stdlib/tst-strtod-overflow.c
@@ -0,0 +1,48 @@
+/* Test for integer/buffer overflow in strtod.
+ Copyright (C) 2012 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define EXPONENT "e-2147483649"
+#define SIZE 214748364
+
+static int
+do_test (void)
+{
+ char *p = malloc (1 + SIZE + sizeof (EXPONENT));
+ if (p == NULL)
+ {
+ puts ("malloc failed, cannot test for overflow");
+ return 0;
+ }
+ p[0] = '1';
+ memset (p + 1, '0', SIZE);
+ memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
+ double d = strtod (p, NULL);
+ if (d != 0)
+ {
+ printf ("strtod returned wrong value: %a\n", d);
+ return 1;
+ }
+ return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"

24
glibc.spec
View file

@ -3,7 +3,7 @@
# <epoch>:<version>-<release> tags for glibc main package
%define glibcversion 2.13
%define __glibcrelease 7
%define __glibcrelease 8
%define glibcepoch 6
# for added ports support for arches like arm
%define build_ports 0
@ -301,6 +301,16 @@ Patch49: 0001-x86_64-fix-for-new-memcpy-behavior.patch
# shamlessly taken in linaro. just look dirty woraround
Patch50: glibc_local-syscall-mcount.diff
Patch60: glibc-CVE-2012-0864.patch
Patch61: glibc-CVE-2012-3404.patch
Patch62: glibc-CVE-2012-3405.patch
Patch63: glibc-CVE-2012-3406.patch
Patch64: glibc-CVE-2012-3480.patch
Patch65: glibc-CVE-2013-1914.patch
Patch66: glibc-CVE-2013-0242.patch
Patch67: glibc-CVE-2013-0242.2.patch
# Determine minium kernel versions
%define enablekernel 2.6.9
%if %isarch ppc ppc64
@ -544,6 +554,7 @@ mv glibc-ports-%{glibcversion} ports
%patch47 -p0 -b .fix-compile-error
%patch48 -p1 -b .prelink
%patch49 -p1 -b .memcpy
%if %build_ports
%patch50 -p1 -b .mcount
%endif
@ -562,6 +573,14 @@ cp -a crypt_blowfish-%{crypt_bf_ver}/*.[chS] crypt/
%patch41 -p1 -b .avx-increase_BF_FRAME
# add sha256-crypt and sha512-crypt support to the Openwall wrapper
%patch43 -p0 -b .mdv-wrapper_handle_sha
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
%if %{build_selinux}
# XXX kludge to build nscd with selinux support as it added -nostdinc
@ -1663,6 +1682,9 @@ fi
%changelog
* Mon Jul 15 2013 Danila Leontiev <danila.leontiev@rosalab.ru>
- Security fix for CVE-2013-0242 CVE-2013-1914 glibc-CVE-2012-3480 glibc-CVE-2012-3406 glibc-CVE-2012-3405 glibc-CVE-2012-3404 glibc-CVE-2012-0864
* Fri Aug 19 2011 Paulo Andrade <pcpa@mandriva.com.br> 6:2.13-6mnb2
+ Revision: 695609
- Install gconv modules (#64019)