From patchwork Sun Feb 22 06:09:01 2015
X-Patchwork-Submitter: Paul Pluzhnikov
X-Patchwork-Id: 442254
From: Paul Pluzhnikov
Date: Sat, 21 Feb 2015 22:09:01 -0800
Subject: [patch] Fix BZ #17269 _IO_wstr_overflow integer overflow
To: GLIBC Devel

Greetings,

Attached is a rather obvious fix for BZ #17269

Tested on Linux/x86_64, no new failures.

2015-02-21 Paul Pluzhnikov

[BZ #17269]
* NEWS: Mention 17269
* libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow

diff --git a/NEWS b/NEWS index 5eb79d2..28ef45d 100644 --- a/NEWS +++ b/NEWS @@ -9,9 +9,9 @@ Version 2.22 * The following bugs are resolved with this release: - 4719, 13064, 14094, 15319, 15467, 15790, 16560, 17569, 17588, 17792, - 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978, 17987, - 17991, 17996, 17998, 17999. + 4719, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569, 17588, + 17792, 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978, + 17987, 17991, 17996, 17998, 17999. * Character encoding and ctype tables were updated to Unicode 7.0.0, using new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
diff --git a/libio/wstrops.c b/libio/wstrops.c index 43d847d..750e58d 100644 --- a/libio/wstrops.c +++ b/libio/wstrops.c @@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c) wchar_t *old_buf = fp->_wide_data->_IO_buf_base; size_t old_wblen = _IO_wblen (fp); _IO_size_t new_size = 2 * old_wblen + 100; - if (new_size < old_wblen) + + if (__glibc_unlikely(new_size < old_wblen) + || __glibc_unlikely(new_size >= SIZE_MAX / sizeof (wchar_t))) return EOF; + new_buf = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size * sizeof (wchar_t));
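
Review bot: The new condition in _IO_wstr_overflow writes `__glibc_unlikely(new_size < old_wblen)` without the space before the parenthesis that the neighbouring lines use (`_IO_wblen (fp)`, `sizeof (wchar_t)`), and it wraps each operand in its own `__glibc_unlikely`; a single `__glibc_unlikely (new_size < old_wblen || new_size >= SIZE_MAX / sizeof (wchar_t))` gives the hint once and matches the file's style. The bound itself is sound: rejecting `new_size >= SIZE_MAX / sizeof (wchar_t)` means the `new_size * sizeof (wchar_t)` passed to `_allocate_buffer` cannot wrap, and using `>=` rather than `>` only gives up the one exact-limit value. This is the only hunk for libio/wstrops.c and it adds no `#include`, so please confirm that `SIZE_MAX` (from `<stdint.h>`) is already in scope in this file.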