r2225 - glibc-package/branches/glibc-branch-etch/debian/patches/any
Author: madcoder
Date: 2007-05-15 12:30:58 +0000 (Tue, 15 May 2007)
New Revision: 2225
Added:
glibc-package/branches/glibc-branch-etch/debian/patches/any/cvs-vfprintf-stack-smashing.diff
Log:
missing file
Added: glibc-package/branches/glibc-branch-etch/debian/patches/any/cvs-vfprintf-stack-smashing.diff
===================================================================
--- glibc-package/branches/glibc-branch-etch/debian/patches/any/cvs-vfprintf-stack-smashing.diff (rev 0)
+++ glibc-package/branches/glibc-branch-etch/debian/patches/any/cvs-vfprintf-stack-smashing.diff 2007-05-15 12:30:58 UTC (rev 2225)
@@ -0,0 +1,55 @@
+2007-05-02 Jakub Jelinek <jakub@redhat.com>
+
+ * stdio-common/vfprintf.c (process_string_arg): Use a VLA rather than
+ fixed length array for ignore.
+
+2007-04-30 Ulrich Drepper <drepper@redhat.com>
+
+ [BZ #4438]
+ * stdio-common/vfprintf.c (process_string_arg): Don't overflow the
+ stack for large precisions.
+
+===================================================================
+RCS file: /cvs/glibc/libc/stdio-common/vfprintf.c,v
+retrieving revision 1.135
+retrieving revision 1.137
+Index: glibc-2.5/stdio-common/vfprintf.c
+===================================================================
+--- glibc-2.5.orig/stdio-common/vfprintf.c 2006-05-02 22:25:15.000000000 +0200
++++ glibc-2.5/stdio-common/vfprintf.c 2007-05-04 11:26:16.049828248 +0200
+@@ -1159,19 +1159,26 @@
+ else \
+ { \
+ /* In case we have a multibyte character set the \
+- situation is more compilcated. We must not copy \
++ situation is more complicated. We must not copy \
+ bytes at the end which form an incomplete character. */\
+- wchar_t ignore[prec]; \
++ size_t ignore_size = (unsigned) prec > 1024 ? 1024 : prec;\
++ wchar_t ignore[ignore_size]; \
+ const char *str2 = string; \
+- mbstate_t ps; \
++ const char *strend = string + prec; \
++ if (strend < string) \
++ strend = (const char *) UINTPTR_MAX; \
+ \
++ mbstate_t ps; \
+ memset (&ps, '\0', sizeof (ps)); \
+- if (__mbsnrtowcs (ignore, &str2, prec, prec, &ps) \
+- == (size_t) -1) \
+- { \
+- done = -1; \
+- goto all_done; \
+- } \
++ \
++ while (str2 != NULL && str2 < strend) \
++ if (__mbsnrtowcs (ignore, &str2, strend - str2, \
++ ignore_size, &ps) == (size_t) -1) \
++ { \
++ done = -1; \
++ goto all_done; \
++ } \
++ \
+ if (str2 == NULL) \
+ len = strlen (string); \
+ else \
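Review bot: The wraparound guard `if (strend < string)` in the patched process_string_arg code runs only after `string + prec` has already been formed, and pointer arithmetic that leaves the object is undefined, so an optimizing compiler may assume the comparison is false and drop the clamp to `UINTPTR_MAX`. Doing the overflow test on integers before forming the pointer keeps the guard: `const char *strend = (uintptr_t) string > UINTPTR_MAX - (uintptr_t) prec ? (const char *) UINTPTR_MAX : string + prec;`. The declaration of `prec` is not visible here (the `(unsigned) prec` cast suggests a signed int), so the conversion should be checked against it before adopting this form. The macro body starts and ends outside the hunk.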