]> git.ipfire.org Git - thirdparty/glibc.git/commitdiff
projects / thirdparty / glibc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d5ef25a)
Fix BZ #17269 -- _IO_wstr_overflow integer overflow
authorPaul Pluzhnikov <ppluzhnikov@google.com>
Sun, 22 Feb 2015 20:01:47 +0000 (12:01 -0800)
committerTulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>
Thu, 25 Feb 2016 19:02:04 +0000 (16:02 -0300)
(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)

Conflicts:
NEWS

ChangeLog patch | blob | blame | history
NEWS patch | blob | blame | history
libio/wstrops.c patch | blob | blame | history

diff --git a/ChangeLog b/ChangeLog
index 95c077f3ae6bf9147f11ed2b7d402a6e92c576c6..a4917cd2398f97d443169d7614567c765780871c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2016-02-25  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+       [BZ #17269]
+       * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+       (enlarge_userbuf): Likewise.
+
 2016-02-25  Florian Weimer  <fweimer@redhat.com>
 
        [BZ #19018]
diff --git a/NEWS b/NEWS
index b0588be1950ce4eebd799de7a11c05bc0012fadf..57a7f11b1f21073413067d73d4370a1fbbf64cb8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,8 +9,8 @@ Version 2.20.1
 
 * The following bugs are resolved with this release:
 
-  16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625,
-  17630, 17801, 18694, 18928, 19018.
+  16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555,
+  17625, 17630, 17801, 18694, 18928, 19018.
 
 * The LD_POINTER_GUARD environment variable can no longer be used to
   disable the pointer guard feature.  It is always enabled.
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 399a3771047e8765c9f2b4ed6db308332eeb7da9..9218d4a5e3315574fa9bed3a93daaeaf8491efb5 100644 (file)
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
          wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
          size_t old_wblen = _IO_wblen (fp);
          _IO_size_t new_size = 2 * old_wblen + 100;
-         if (new_size < old_wblen)
+
+         if (__glibc_unlikely (new_size < old_wblen)
+             || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
            return EOF;
+
          new_buf
            = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
                                                                        * sizeof (wchar_t));
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
     return 1;
 
   _IO_size_t newsize = offset + 100;
+  if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+    return 1;
+
   wchar_t *oldbuf = wd->_IO_buf_base;
   wchar_t *newbuf
     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
A mirror of the official glibc repository