Merge branch 'iptables-upnpfw' into core67-merge
[ipfire-2.x.git] / src / patches / glibc / glibc-rh767693.patch
1 commit 97ac2654b2d831acaa18a2b018b0736245903fd2
2 Author: Ulrich Drepper <drepper@gmail.com>
3 Date: Sat Dec 17 20:18:42 2011 -0500
4
5 Check values from TZ file header
6
7
8 [BZ #13506]
9 * time/tzfile.c (__tzfile_read): Check values from file header.
10
11 diff -ru a/time/tzfile.c b/time/tzfile.c
12 --- a/time/tzfile.c 2010-05-04 11:27:23.000000000 +0000
13 +++ b/time/tzfile.c 2011-12-19 06:39:49.875358578 +0000
14 @@ -19,6 +19,7 @@
15
16 #include <assert.h>
17 #include <limits.h>
18 +#include <stdint.h>
19 #include <stdio.h>
20 #include <stdio_ext.h>
21 #include <stdlib.h>
22 @@ -234,23 +235,58 @@
23 goto read_again;
24 }
25
26 + if (__builtin_expect (num_transitions
27 + > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
28 + / (sizeof (time_t) + 1)), 0))
29 + goto lose;
30 total_size = num_transitions * (sizeof (time_t) + 1);
31 total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
32 & ~(__alignof__ (struct ttinfo) - 1));
33 types_idx = total_size;
34 - total_size += num_types * sizeof (struct ttinfo) + chars;
35 + if (__builtin_expect (num_types
36 + > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
37 + goto lose;
38 + total_size += num_types * sizeof (struct ttinfo);
39 + if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
40 + goto lose;
41 + total_size += chars;
42 + if (__builtin_expect (__alignof__ (struct leap) - 1
43 + > SIZE_MAX - total_size, 0))
44 + goto lose;
45 total_size = ((total_size + __alignof__ (struct leap) - 1)
46 & ~(__alignof__ (struct leap) - 1));
47 leaps_idx = total_size;
48 + if (__builtin_expect (num_leaps
49 + > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
50 + goto lose;
51 total_size += num_leaps * sizeof (struct leap);
52 - tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
53 - ? st.st_size - (ftello (f)
54 - + num_transitions * (8 + 1)
55 - + num_types * 6
56 - + chars
57 - + num_leaps * 12
58 - + num_isstd
59 - + num_isgmt) - 1 : 0);
60 + tzspec_len = 0;
61 + if (sizeof (time_t) == 8 && trans_width == 8)
62 + {
63 + off_t rem = st.st_size - ftello (f);
64 + if (__builtin_expect (rem < 0
65 + || (size_t) rem < (num_transitions * (8 + 1)
66 + + num_types * 6
67 + + chars), 0))
68 + goto lose;
69 + tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
70 + + num_types * 6
71 + + chars);
72 + if (__builtin_expect (num_leaps > SIZE_MAX / 12
73 + || tzspec_len < num_leaps * 12, 0))
74 + goto lose;
75 + tzspec_len -= num_leaps * 12;
76 + if (__builtin_expect (tzspec_len < num_isstd, 0))
77 + goto lose;
78 + tzspec_len -= num_isstd;
79 + if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))
80 + goto lose;
81 + tzspec_len -= num_isgmt + 1;
82 + if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
83 + goto lose;
84 + }
85 + if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
86 + goto lose;
87
88 /* Allocate enough memory including the extra block requested by the
89 caller. */
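Review bot: In the 64-bit branch, `off_t rem = st.st_size - ftello (f);` never tests ftello for failure, so a -1 return gives `rem == st.st_size + 1`, which passes the `rem < 0` test with a remainder larger than the file. Reading the offset into its own variable first, `off_t pos = ftello (f);`, and rejecting `pos < 0 || st.st_size < pos` before computing `rem` would close that gap. The unchecked sum `num_transitions * (8 + 1) + num_types * 6 + chars` appears safe only because the earlier total_size checks bound it from above, assuming `sizeof (struct ttinfo)` is at least 6. A short comment stating that dependency, and naming 9, 6 and 12 as the on-disk TZif record sizes, would keep a later edit from silently breaking it. __tzfile_read begins before this hunk and continues after it, so the `lose` path and the reads that later consume tzspec_len are not visible here.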