[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

r2407 - in glibc-package/trunk/debian: . patches patches/any

Author: aurel32
Date: 2007-07-10 03:46:33 +0000 (Tue, 10 Jul 2007)
New Revision: 2407

Added:
   glibc-package/trunk/debian/patches/any/cvs-ld-integer-overflow.diff
Modified:
   glibc-package/trunk/debian/changelog
   glibc-package/trunk/debian/patches/series
Log:
  * Add any/cvs-ld-integer-overflow.diff: fix an integer
    overflow in ld.so.  Closes: bug#431858.



Modified: glibc-package/trunk/debian/changelog
===================================================================
--- glibc-package/trunk/debian/changelog	2007-07-09 09:56:14 UTC (rev 2406)
+++ glibc-package/trunk/debian/changelog	2007-07-10 03:46:33 UTC (rev 2407)
@@ -1,12 +1,17 @@
 glibc (2.6-2) UNRELEASED; urgency=low
 
+  [ Clint Adams ]
   * Add any/cvs-nis-nss-default.diff: preserve errno.
   * Add any/cvs-vfscanf.diff: add additional test for EOF
     in loop to look for conversion specifier to avoid testing of
     wrong errno value.
 
- -- Clint Adams <schizo@debian.org>  Mon, 09 Jul 2007 05:50:14 -0400
+  [ Aurelien Jarno ]
+  * Add any/cvs-ld-integer-overflow.diff: fix an integer
+    overflow in ld.so.  Closes: bug#431858.
 
+ -- Aurelien Jarno <aurel32@debian.org>  Tue, 10 Jul 2007 05:44:55 +0200
+
 glibc (2.6-1) unstable; urgency=low
 
   [ Pierre Habouzit ]

Added: glibc-package/trunk/debian/patches/any/cvs-ld-integer-overflow.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-ld-integer-overflow.diff	                        (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-ld-integer-overflow.diff	2007-07-10 03:46:33 UTC (rev 2407)
@@ -0,0 +1,98 @@
+2007-07-01  Jakub Jelinek  <jakub@redhat.com>
+
+        * elf/dl-sysdep.c (_dl_important_hwcaps): Add integer overflow check.
+        * elf/dl-minimal.c (__libc_memalign): Likewise.  Handle malloc (0).
+        Return NULL if mmap failed instead of asserting it does not.
+        (calloc): Check for integer overflow.
+
+        * elf/dl-minimal.c (__strtoul_internal): Fix parsing of numbers bigger
+        than LONG_MAX / 10.
+
+===================================================================
+RCS file: /cvs/glibc/libc/elf/dl-sysdep.c,v
+retrieving revision 1.1.2.2
+retrieving revision 1.1.2.3
+diff -u -r1.1.2.2 -r1.1.2.3
+--- libc/elf/dl-sysdep.c	2006/10/29 22:03:21	1.1.2.2
++++ libc/elf/dl-sysdep.c	2007/07/07 17:37:06	1.1.2.3
+@@ -460,9 +460,21 @@
+     total = temp[0].len + 1;
+   else
+     {
+-      total = (1UL << (cnt - 2)) * (temp[0].len + temp[cnt - 1].len + 2);
+-      for (n = 1; n + 1 < cnt; ++n)
+-	total += (1UL << (cnt - 3)) * (temp[n].len + 1);
++      total = temp[0].len + temp[cnt - 1].len + 2;
++      if (cnt > 2)
++	{
++	  total <<= 1;
++	  for (n = 1; n + 1 < cnt; ++n)
++	    total += temp[n].len + 1;
++	  if (cnt > 3
++	      && (cnt >= sizeof (size_t) * 8
++		  || total + (sizeof (*result) << 3)
++		     >= (1UL << (sizeof (size_t) * 8 - cnt + 3))))
++	    _dl_signal_error (ENOMEM, NULL, NULL,
++			      N_("cannot create capability list"));
++
++	  total <<= cnt - 3;
++	}
+     }
+ 
+   /* The result structure: we use a very compressed way to store the
+===================================================================
+RCS file: /cvs/glibc/libc/elf/dl-minimal.c,v
+retrieving revision 1.48.2.4
+retrieving revision 1.48.2.5
+diff -u -r1.48.2.4 -r1.48.2.5
+--- libc/elf/dl-minimal.c	2007/02/02 09:48:22	1.48.2.4
++++ libc/elf/dl-minimal.c	2007/07/07 17:37:06	1.48.2.5
+@@ -75,14 +75,21 @@
+   alloc_ptr = (void *) 0 + (((alloc_ptr - (void *) 0) + align - 1)
+ 			    & ~(align - 1));
+ 
+-  if (alloc_ptr + n >= alloc_end)
++  if (alloc_ptr + n >= alloc_end || n >= -(uintptr_t) alloc_ptr)
+     {
+       /* Insufficient space left; allocate another page.  */
+       caddr_t page;
+       size_t nup = (n + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
++      if (__builtin_expect (nup == 0, 0))
++	{
++	  if (n)
++	    return NULL;
++	  nup = GLRO(dl_pagesize);
++	}
+       page = __mmap (0, nup, PROT_READ|PROT_WRITE,
+ 		     MAP_ANON|MAP_PRIVATE, _dl_zerofd, 0);
+-      assert (page != MAP_FAILED);
++      if (page == MAP_FAILED)
++	return NULL;
+       if (page != alloc_end)
+ 	alloc_ptr = page;
+       alloc_end = page + nup;
+@@ -108,7 +115,14 @@
+   /* New memory from the trivial malloc above is always already cleared.
+      (We make sure that's true in the rare occasion it might not be,
+      by clearing memory in free, below.)  */
+-  return malloc (nmemb * size);
++  size_t bytes = nmemb * size;
++
++#define HALF_SIZE_T (((size_t) 1) << (8 * sizeof (size_t) / 2))
++  if (__builtin_expect ((nmemb | size) >= HALF_SIZE_T, 0)
++      && size != 0 && bytes / size != nmemb)
++    return NULL;
++
++  return malloc (bytes);
+ }
+ 
+ /* This will rarely be called.  */
+@@ -264,7 +278,7 @@
+   while (*nptr >= '0' && *nptr <= '9')
+     {
+       unsigned long int digval = *nptr - '0';
+-      if (result > LONG_MAX / 10
++      if (result > ULONG_MAX / 10
+ 	  || (result == ULONG_MAX / 10 && digval > ULONG_MAX % 10))
+ 	{
+ 	  errno = ERANGE;

Modified: glibc-package/trunk/debian/patches/series
===================================================================
--- glibc-package/trunk/debian/patches/series	2007-07-09 09:56:14 UTC (rev 2406)
+++ glibc-package/trunk/debian/patches/series	2007-07-10 03:46:33 UTC (rev 2407)
@@ -92,6 +92,7 @@
 all/local-ru_RU.diff 
 all/local-pt_BR.diff 
 
+any/cvs-ld-integer-overflow.diff -p1
 any/cvs-malloc.diff 
 any/cvs-nscd-short-replies.diff 
 any/cvs-nis-nss-default.diff
Reply to: