glibc40/glibc-CVE-2011-1659.diff

From 8126d90480fa3e0c5c5cd0d02cb1c93174b45485 Mon Sep 17 00:00:00 2001
From: Ulrich Drepper <drepper@gmail.com>
Date: Fri, 18 Mar 2011 05:29:20 -0400
Subject: [PATCH] Check size of pattern in wide character representation in fnmatch.

diff --git a/posix/fnmatch.c b/posix/fnmatch.c
index 0af5ee6..819a6a7 100644
--- a/posix/fnmatch.c
+++ b/posix/fnmatch.c
@@ -375,6 +375,11 @@ fnmatch (pattern, string, flags)
 	       XXX Do we have to set `errno' to something which mbsrtows hasn't
 	       already done?  */
 	    return -1;
+	  if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0))
+	    {
+	      __set_errno (ENOMEM);
+	      return -2;
+	    }
 	  wpattern_malloc = wpattern
 	    = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t));
 	  assert (mbsinit (&ps));
@@ -419,6 +424,12 @@ fnmatch (pattern, string, flags)
 	       XXX Do we have to set `errno' to something which mbsrtows hasn't
 	       already done?  */
 	    goto free_return;
+	  if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0))
+	    {
+	      free (wpattern_malloc);
+	      __set_errno (ENOMEM);
+	      return -2;
+	    }
 
 	  wstring_malloc = wstring
 	    = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t));
-- 
1.7.3.4
Automatic import for version 2.13-6.1 2012-08-07 10:04:49 +00:00			`From 8126d90480fa3e0c5c5cd0d02cb1c93174b45485 Mon Sep 17 00:00:00 2001`
			`From: Ulrich Drepper <drepper@gmail.com>`
			`Date: Fri, 18 Mar 2011 05:29:20 -0400`
			`Subject: [PATCH] Check size of pattern in wide character representation in fnmatch.`

			`diff --git a/posix/fnmatch.c b/posix/fnmatch.c`
			`index 0af5ee6..819a6a7 100644`
			`--- a/posix/fnmatch.c`
			`+++ b/posix/fnmatch.c`
			`@@ -375,6 +375,11 @@ fnmatch (pattern, string, flags)`
			XXX Do we have to set `errno' to something which mbsrtows hasn't
			`already done? */`
			`return -1;`
			`+ if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0))`
			`+ {`
			`+ __set_errno (ENOMEM);`
			`+ return -2;`
			`+ }`
			`wpattern_malloc = wpattern`
			`= (wchar_t ) malloc ((n + 1) sizeof (wchar_t));`
			`assert (mbsinit (&ps));`
			`@@ -419,6 +424,12 @@ fnmatch (pattern, string, flags)`
			XXX Do we have to set `errno' to something which mbsrtows hasn't
			`already done? */`
			`goto free_return;`
			`+ if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0))`
			`+ {`
			`+ free (wpattern_malloc);`
			`+ __set_errno (ENOMEM);`
			`+ return -2;`
			`+ }`

			`wstring_malloc = wstring`
			`= (wchar_t ) malloc ((n + 1) sizeof (wchar_t));`
			`--`
			`1.7.3.4`