[people/teissler/ipfire-2.x.git] / src / patches / glibc / glibc-rh767146.patch

diff -rup a/elf/dl-load.c b/elf/dl-load.c
--- a/elf/dl-load.c	2012-02-03 10:59:58.917870716 -0700
+++ b/elf/dl-load.c	2012-02-03 11:01:01.796580644 -0700
@@ -1130,6 +1130,16 @@ _dl_map_object_from_fd (const char *name
 		= N_("ELF load command address/offset not properly aligned");
 	      goto call_lose;
 	    }
+	  if (__builtin_expect ((ph->p_offset + ph->p_filesz > st.st_size), 0))
+	    {
+	      /* If the segment requires zeroing of part of its last
+		 page, we'll crash when accessing the unmapped page.
+		 There's still a possibility of a race, if the shared
+		 object is truncated between the fxstat above and the
+		 memset below.  */
+	      errstring = N_("ELF load command past end of file");
+	      goto call_lose;
+	    }
 
 	  c = &loadcmds[nloadcmds++];
 	  c->mapstart = ph->p_vaddr & ~(GLRO(dl_pagesize) - 1);
Only in b/elf: dl-load.c.orig
Commit	Line	Data
12788f63 MT	1	diff -rup a/elf/dl-load.c b/elf/dl-load.c
	2	--- a/elf/dl-load.c 2012-02-03 10:59:58.917870716 -0700
	3	+++ b/elf/dl-load.c 2012-02-03 11:01:01.796580644 -0700
	4	@@ -1130,6 +1130,16 @@ _dl_map_object_from_fd (const char *name
	5	= N_("ELF load command address/offset not properly aligned");
	6	goto call_lose;
	7	}
	8	+ if (__builtin_expect ((ph->p_offset + ph->p_filesz > st.st_size), 0))
	9	+ {
	10	+ /* If the segment requires zeroing of part of its last
	11	+ page, we'll crash when accessing the unmapped page.
	12	+ There's still a possibility of a race, if the shared
	13	+ object is truncated between the fxstat above and the
	14	+ memset below. */
	15	+ errstring = N_("ELF load command past end of file");
	16	+ goto call_lose;
	17	+ }
	18
	19	c = &loadcmds[nloadcmds++];
	20	c->mapstart = ph->p_vaddr & ~(GLRO(dl_pagesize) - 1);
	21	Only in b/elf: dl-load.c.orig