r2407 - in glibc-package/trunk/debian: . patches patches/any
Author: aurel32
Date: 2007-07-10 03:46:33 +0000 (Tue, 10 Jul 2007)
New Revision: 2407
Added:
glibc-package/trunk/debian/patches/any/cvs-ld-integer-overflow.diff
Modified:
glibc-package/trunk/debian/changelog
glibc-package/trunk/debian/patches/series
Log:
* Add any/cvs-ld-integer-overflow.diff: fix an integer
overflow in ld.so. Closes: bug#431858.
Modified: glibc-package/trunk/debian/changelog
===================================================================
--- glibc-package/trunk/debian/changelog 2007-07-09 09:56:14 UTC (rev 2406)
+++ glibc-package/trunk/debian/changelog 2007-07-10 03:46:33 UTC (rev 2407)
@@ -1,12 +1,17 @@
glibc (2.6-2) UNRELEASED; urgency=low
+ [ Clint Adams ]
* Add any/cvs-nis-nss-default.diff: preserve errno.
* Add any/cvs-vfscanf.diff: add additional test for EOF
in loop to look for conversion specifier to avoid testing of
wrong errno value.
- -- Clint Adams <schizo@debian.org> Mon, 09 Jul 2007 05:50:14 -0400
+ [ Aurelien Jarno ]
+ * Add any/cvs-ld-integer-overflow.diff: fix an integer
+ overflow in ld.so. Closes: bug#431858.
+ -- Aurelien Jarno <aurel32@debian.org> Tue, 10 Jul 2007 05:44:55 +0200
+
glibc (2.6-1) unstable; urgency=low
[ Pierre Habouzit ]
Added: glibc-package/trunk/debian/patches/any/cvs-ld-integer-overflow.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-ld-integer-overflow.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-ld-integer-overflow.diff 2007-07-10 03:46:33 UTC (rev 2407)
@@ -0,0 +1,98 @@
+2007-07-01 Jakub Jelinek <jakub@redhat.com>
+
+ * elf/dl-sysdep.c (_dl_important_hwcaps): Add integer overflow check.
+ * elf/dl-minimal.c (__libc_memalign): Likewise. Handle malloc (0).
+ Return NULL if mmap failed instead of asserting it does not.
+ (calloc): Check for integer overflow.
+
+ * elf/dl-minimal.c (__strtoul_internal): Fix parsing of numbers bigger
+ than LONG_MAX / 10.
+
+===================================================================
+RCS file: /cvs/glibc/libc/elf/dl-sysdep.c,v
+retrieving revision 1.1.2.2
+retrieving revision 1.1.2.3
+diff -u -r1.1.2.2 -r1.1.2.3
+--- libc/elf/dl-sysdep.c 2006/10/29 22:03:21 1.1.2.2
++++ libc/elf/dl-sysdep.c 2007/07/07 17:37:06 1.1.2.3
+@@ -460,9 +460,21 @@
+ total = temp[0].len + 1;
+ else
+ {
+- total = (1UL << (cnt - 2)) * (temp[0].len + temp[cnt - 1].len + 2);
+- for (n = 1; n + 1 < cnt; ++n)
+- total += (1UL << (cnt - 3)) * (temp[n].len + 1);
++ total = temp[0].len + temp[cnt - 1].len + 2;
++ if (cnt > 2)
++ {
++ total <<= 1;
++ for (n = 1; n + 1 < cnt; ++n)
++ total += temp[n].len + 1;
++ if (cnt > 3
++ && (cnt >= sizeof (size_t) * 8
++ || total + (sizeof (*result) << 3)
++ >= (1UL << (sizeof (size_t) * 8 - cnt + 3))))
++ _dl_signal_error (ENOMEM, NULL, NULL,
++ N_("cannot create capability list"));
++
++ total <<= cnt - 3;
++ }
+ }
+
+ /* The result structure: we use a very compressed way to store the
+===================================================================
+RCS file: /cvs/glibc/libc/elf/dl-minimal.c,v
+retrieving revision 1.48.2.4
+retrieving revision 1.48.2.5
+diff -u -r1.48.2.4 -r1.48.2.5
+--- libc/elf/dl-minimal.c 2007/02/02 09:48:22 1.48.2.4
++++ libc/elf/dl-minimal.c 2007/07/07 17:37:06 1.48.2.5
+@@ -75,14 +75,21 @@
+ alloc_ptr = (void *) 0 + (((alloc_ptr - (void *) 0) + align - 1)
+ & ~(align - 1));
+
+- if (alloc_ptr + n >= alloc_end)
++ if (alloc_ptr + n >= alloc_end || n >= -(uintptr_t) alloc_ptr)
+ {
+ /* Insufficient space left; allocate another page. */
+ caddr_t page;
+ size_t nup = (n + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
++ if (__builtin_expect (nup == 0, 0))
++ {
++ if (n)
++ return NULL;
++ nup = GLRO(dl_pagesize);
++ }
+ page = __mmap (0, nup, PROT_READ|PROT_WRITE,
+ MAP_ANON|MAP_PRIVATE, _dl_zerofd, 0);
+- assert (page != MAP_FAILED);
++ if (page == MAP_FAILED)
++ return NULL;
+ if (page != alloc_end)
+ alloc_ptr = page;
+ alloc_end = page + nup;
+@@ -108,7 +115,14 @@
+ /* New memory from the trivial malloc above is always already cleared.
+ (We make sure that's true in the rare occasion it might not be,
+ by clearing memory in free, below.) */
+- return malloc (nmemb * size);
++ size_t bytes = nmemb * size;
++
++#define HALF_SIZE_T (((size_t) 1) << (8 * sizeof (size_t) / 2))
++ if (__builtin_expect ((nmemb | size) >= HALF_SIZE_T, 0)
++ && size != 0 && bytes / size != nmemb)
++ return NULL;
++
++ return malloc (bytes);
+ }
+
+ /* This will rarely be called. */
+@@ -264,7 +278,7 @@
+ while (*nptr >= '0' && *nptr <= '9')
+ {
+ unsigned long int digval = *nptr - '0';
+- if (result > LONG_MAX / 10
++ if (result > ULONG_MAX / 10
+ || (result == ULONG_MAX / 10 && digval > ULONG_MAX % 10))
+ {
+ errno = ERANGE;
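Review bot: In the `__libc_memalign` hunk of elf/dl-minimal.c, the new wrap guard `n >= -(uintptr_t) alloc_ptr` is evaluated only after `alloc_ptr + n` has been computed, so the pointer addition that can overflow still runs first and the outcome relies on the compiler treating it as wrapping. Testing the integer condition first keeps the overflow out of pointer arithmetic: `if (n >= -(uintptr_t) alloc_ptr || alloc_ptr + n >= alloc_end)`. The same hunk now returns NULL on `MAP_FAILED` where it used to assert, so every ld.so caller of this minimal allocator needs a NULL check; those callers are outside the hunk and should be confirmed. In the `calloc` hunk, `HALF_SIZE_T` is defined inside the function body and never undefined, so a `#undef HALF_SIZE_T` after the check would keep it from leaking into the rest of the file. All of the patched function bodies start and end outside the hunks shown.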
Modified: glibc-package/trunk/debian/patches/series
===================================================================
--- glibc-package/trunk/debian/patches/series 2007-07-09 09:56:14 UTC (rev 2406)
+++ glibc-package/trunk/debian/patches/series 2007-07-10 03:46:33 UTC (rev 2407)
@@ -92,6 +92,7 @@
all/local-ru_RU.diff
all/local-pt_BR.diff
+any/cvs-ld-integer-overflow.diff -p1
any/cvs-malloc.diff
any/cvs-nscd-short-replies.diff
any/cvs-nis-nss-default.diff