Fix BZ #17269 _IO_wstr_overflow integer overflow

Message ID	CALoOobNWgCzh0=5pRMoy39jorDiD4A1QcsyatFDXdCZpMA2X4Q@mail.gmail.com
State	New
Headers	show Return-Path: <libc-alpha-return-57202-incoming=patchwork.ozlabs.org@sourceware.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:mime-version:from:date:message-id:subject:to :content-type; q=dns; s=default; b=t/iqVio3GAUYZgG4sik4gcj+EAg88 oa4ohVfQC7mZe3wsh3R7KiO3QA5NlipzeriivcGMHuTov8+taOICugxlIlCYeCBY NAHCA2Q5PjArhYF3NDkMCDDfOyj51zzw/VFhBTzyDoFfFGngeZ6ISaJmgfR+T+7j ud9JoyGc0F/aNg= Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk Sender: libc-alpha-owner@sourceware.org MIME-Version: 1.0 From: Paul Pluzhnikov <ppluzhnikov@gmail.com> Date: Sat, 21 Feb 2015 22:09:01 -0800 Message-ID: <CALoOobNWgCzh0=5pRMoy39jorDiD4A1QcsyatFDXdCZpMA2X4Q@mail.gmail.com> Subject: [patch] Fix BZ #17269 _IO_wstr_overflow integer overflow To: GLIBC Devel <libc-alpha@sourceware.org> Content-Type: multipart/mixed; boundary=089e01182b8804d6ba050fa7219e

Message ID

CALoOobNWgCzh0=5pRMoy39jorDiD4A1QcsyatFDXdCZpMA2X4Q@mail.gmail.com

State

New

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:from:date:message-id:subject:to
	:content-type; q=dns; s=default; b=t/iqVio3GAUYZgG4sik4gcj+EAg88
	oa4ohVfQC7mZe3wsh3R7KiO3QA5NlipzeriivcGMHuTov8+taOICugxlIlCYeCBY
	NAHCA2Q5PjArhYF3NDkMCDDfOyj51zzw/VFhBTzyDoFfFGngeZ6ISaJmgfR+T+7j
	ud9JoyGc0F/aNg=
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: libc-alpha-owner@sourceware.org
MIME-Version: 1.0
From: Paul Pluzhnikov <ppluzhnikov@gmail.com>
Date: Sat, 21 Feb 2015 22:09:01 -0800
Message-ID: <CALoOobNWgCzh0=5pRMoy39jorDiD4A1QcsyatFDXdCZpMA2X4Q@mail.gmail.com>
Subject: [patch] Fix BZ #17269 _IO_wstr_overflow integer overflow
To: GLIBC Devel <libc-alpha@sourceware.org>
Content-Type: multipart/mixed; boundary=089e01182b8804d6ba050fa7219e

Commit Message

Paul Pluzhnikov Feb. 22, 2015, 6:09 a.m. UTC

Greetings,

Attached is a rather obvious fix for BZ #17269

Tested on Linux/x86_64, no new failures.



2015-02-21  Paul Pluzhnikov  <ppluzhnikov@google.com>

        [BZ #17269]
        * NEWS: Mention 17269
        * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow

diff --git a/NEWS b/NEWS
index 5eb79d2..28ef45d 100644
--- a/NEWS
+++ b/NEWS
@@ -9,9 +9,9 @@  Version 2.22
 
 * The following bugs are resolved with this release:
 
-  4719, 13064, 14094, 15319, 15467, 15790, 16560, 17569, 17588, 17792,
-  17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978, 17987,
-  17991, 17996, 17998, 17999.
+  4719, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569, 17588,
+  17792, 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978,
+  17987, 17991, 17996, 17998, 17999.
 
 * Character encoding and ctype tables were updated to Unicode 7.0.0, using
   new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 43d847d..750e58d 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@  _IO_wstr_overflow (fp, c)
 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
 	  size_t old_wblen = _IO_wblen (fp);
 	  _IO_size_t new_size = 2 * old_wblen + 100;
-	  if (new_size < old_wblen)
+
+	  if (__glibc_unlikely(new_size < old_wblen)
+	      || __glibc_unlikely(new_size >= SIZE_MAX / sizeof (wchar_t)))
 	    return EOF;
+
 	  new_buf
 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
 									* sizeof (wchar_t));

Fix BZ #17269 _IO_wstr_overflow integer overflow

Commit Message

Patch