]>
Commit | Line | Data |
---|---|---|
12788f63 MT |
1 | commit 97ac2654b2d831acaa18a2b018b0736245903fd2 |
2 | Author: Ulrich Drepper <drepper@gmail.com> | |
3 | Date: Sat Dec 17 20:18:42 2011 -0500 | |
4 | ||
5 | Check values from TZ file header | |
6 | ||
7 | ||
8 | [BZ #13506] | |
9 | * time/tzfile.c (__tzfile_read): Check values from file header. | |
10 | ||
11 | diff -ru a/time/tzfile.c b/time/tzfile.c | |
12 | --- a/time/tzfile.c 2010-05-04 11:27:23.000000000 +0000 | |
13 | +++ b/time/tzfile.c 2011-12-19 06:39:49.875358578 +0000 | |
14 | @@ -19,6 +19,7 @@ | |
15 | ||
16 | #include <assert.h> | |
17 | #include <limits.h> | |
18 | +#include <stdint.h> | |
19 | #include <stdio.h> | |
20 | #include <stdio_ext.h> | |
21 | #include <stdlib.h> | |
22 | @@ -234,23 +235,58 @@ | |
23 | goto read_again; | |
24 | } | |
25 | ||
26 | + if (__builtin_expect (num_transitions | |
27 | + > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1)) | |
28 | + / (sizeof (time_t) + 1)), 0)) | |
29 | + goto lose; | |
30 | total_size = num_transitions * (sizeof (time_t) + 1); | |
31 | total_size = ((total_size + __alignof__ (struct ttinfo) - 1) | |
32 | & ~(__alignof__ (struct ttinfo) - 1)); | |
33 | types_idx = total_size; | |
34 | - total_size += num_types * sizeof (struct ttinfo) + chars; | |
35 | + if (__builtin_expect (num_types | |
36 | + > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0)) | |
37 | + goto lose; | |
38 | + total_size += num_types * sizeof (struct ttinfo); | |
39 | + if (__builtin_expect (chars > SIZE_MAX - total_size, 0)) | |
40 | + goto lose; | |
41 | + total_size += chars; | |
42 | + if (__builtin_expect (__alignof__ (struct leap) - 1 | |
43 | + > SIZE_MAX - total_size, 0)) | |
44 | + goto lose; | |
45 | total_size = ((total_size + __alignof__ (struct leap) - 1) | |
46 | & ~(__alignof__ (struct leap) - 1)); | |
47 | leaps_idx = total_size; | |
48 | + if (__builtin_expect (num_leaps | |
49 | + > (SIZE_MAX - total_size) / sizeof (struct leap), 0)) | |
50 | + goto lose; | |
51 | total_size += num_leaps * sizeof (struct leap); | |
52 | - tzspec_len = (sizeof (time_t) == 8 && trans_width == 8 | |
53 | - ? st.st_size - (ftello (f) | |
54 | - + num_transitions * (8 + 1) | |
55 | - + num_types * 6 | |
56 | - + chars | |
57 | - + num_leaps * 12 | |
58 | - + num_isstd | |
59 | - + num_isgmt) - 1 : 0); | |
60 | + tzspec_len = 0; | |
61 | + if (sizeof (time_t) == 8 && trans_width == 8) | |
62 | + { | |
63 | + off_t rem = st.st_size - ftello (f); | |
64 | + if (__builtin_expect (rem < 0 | |
65 | + || (size_t) rem < (num_transitions * (8 + 1) | |
66 | + + num_types * 6 | |
67 | + + chars), 0)) | |
68 | + goto lose; | |
69 | + tzspec_len = (size_t) rem - (num_transitions * (8 + 1) | |
70 | + + num_types * 6 | |
71 | + + chars); | |
72 | + if (__builtin_expect (num_leaps > SIZE_MAX / 12 | |
73 | + || tzspec_len < num_leaps * 12, 0)) | |
74 | + goto lose; | |
75 | + tzspec_len -= num_leaps * 12; | |
76 | + if (__builtin_expect (tzspec_len < num_isstd, 0)) | |
77 | + goto lose; | |
78 | + tzspec_len -= num_isstd; | |
79 | + if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0)) | |
80 | + goto lose; | |
81 | + tzspec_len -= num_isgmt + 1; | |
82 | + if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0)) | |
83 | + goto lose; | |
84 | + } | |
85 | + if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0)) | |
86 | + goto lose; | |
87 | ||
88 | /* Allocate enough memory including the extra block requested by the | |
89 | caller. */ |