From patchwork Mon Oct 19 09:50:25 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aurelien Jarno X-Patchwork-Id: 532212 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id EA51714010F for ; Mon, 19 Oct 2015 20:50:38 +1100 (AEDT) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.b=LIMU+6Bk; dkim-atps=neutral DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id; q=dns; s= default; b=dx4wg6SkjcNM38GEvAh3Tq6rJLa6dE6UXZEOFKyI6XiyJT+lwsMxh d1LnOdVPqIeGUxBzhwqxtkHaGWiDrYC5yTir1QaNTzZT3RHxdb7Nu69SpcU38mvE JIGonst3gqOz+E214jr5x7L0rkIGtQei0KZMMUoeW++Un4N/bW8FAI= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id; s=default; bh=z3k3ICdRJR7YYOpDMCcPYV2tN1M=; b=LIMU+6BkKbMcGt4bF06BgdW/tEGQ ZFXPlLPDZHXfm1VCiPb3ZRMmWWNj50EmuCyDaTUR8qmGBXAPirlJ8jq4CCOwUwbM G5W/IvSjh/RyUZ6YUtWaUcs3S6WWiCIP+dQ7yjipxsGjvKVfA6fAJcyKNN3SNorZ smKhqgeaMmB9J2Q= Received: (qmail 15083 invoked by alias); 19 Oct 2015 09:50:33 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 15052 invoked by uid 89); 19 Oct 2015 09:50:30 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=0.5 required=5.0 tests=BAYES_05, KAM_LAZY_DOMAIN_SECURITY, RP_MATCHES_RCVD autolearn=no version=3.3.2 X-HELO: hall.aurel32.net From: Aurelien Jarno To: libc-alpha@sourceware.org Cc: Paul Pluzhnikov Subject: [COMMITTED 2.19] Fix BZ #17269 -- _IO_wstr_overflow integer overflow Date: Mon, 19 Oct 2015 11:50:25 +0200 Message-Id: <1445248225-1784-1-git-send-email-aurelien@aurel32.net> From: Paul Pluzhnikov (cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33) Conflicts: ChangeLog NEWS --- ChangeLog | 6 ++++++ NEWS | 2 +- libio/wstrops.c | 8 +++++++- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index a4f4e0d..8d621b2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2015-02-22 Paul Pluzhnikov + + [BZ #17269] + * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow + (enlarge_userbuf): Likewise. + 2015-02-26 Andreas Schwab [BZ #18032] diff --git a/NEWS b/NEWS index c017fa3..9e7316b 100644 --- a/NEWS +++ b/NEWS @@ -11,7 +11,7 @@ Version 2.19.1 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17069, 17079, 17137, 17153, 17213, - 17263, 17325, 17555, 18032, 18287. + 17263, 17269, 17325, 17555, 18032, 18287. * A buffer overflow in gethostbyname_r and related functions performing DNS requests has been fixed. If the NSS functions were called with a diff --git a/libio/wstrops.c b/libio/wstrops.c index 399a377..9218d4a 100644 --- a/libio/wstrops.c +++ b/libio/wstrops.c @@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c) wchar_t *old_buf = fp->_wide_data->_IO_buf_base; size_t old_wblen = _IO_wblen (fp); _IO_size_t new_size = 2 * old_wblen + 100; - if (new_size < old_wblen) + + if (__glibc_unlikely (new_size < old_wblen) + || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t))) return EOF; + new_buf = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size * sizeof (wchar_t)); @@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading) return 1; _IO_size_t newsize = offset + 100; + if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t))) + return 1; + wchar_t *oldbuf = wd->_IO_buf_base; wchar_t *newbuf = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize