r5093 - in glibc-package/trunk/debian: . patches patches/any
Author: aurel32
Date: 2011-12-18 16:28:26 +0000 (Sun, 18 Dec 2011)
New Revision: 5093
Added:
glibc-package/trunk/debian/patches/any/cvs-tzfile.diff
Modified:
glibc-package/trunk/debian/changelog
glibc-package/trunk/debian/patches/series
Log:
* patches/any/cvs-tzfile.diff: fix integer overflow in timezone code.
Closes: #650790.
Modified: glibc-package/trunk/debian/changelog
===================================================================
--- glibc-package/trunk/debian/changelog 2011-12-18 15:52:39 UTC (rev 5092)
+++ glibc-package/trunk/debian/changelog 2011-12-18 16:28:26 UTC (rev 5093)
@@ -5,6 +5,8 @@
* Add m68k expected tests results.
* Update Russian debconf translation, by Yuri Kozlov. Closes: #652428.
* Update German debconf translation, by Helge Kreutzman. Closes: #652556.
+ * patches/any/cvs-tzfile.diff: fix integer overflow in timezone code.
+ Closes: #650790.
-- Aurelien Jarno <aurel32@debian.org> Wed, 14 Dec 2011 00:42:25 +0100
Added: glibc-package/trunk/debian/patches/any/cvs-tzfile.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-tzfile.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-tzfile.diff 2011-12-18 16:28:26 UTC (rev 5093)
@@ -0,0 +1,77 @@
+2011-12-17 Ulrich Drepper <drepper@gmail.com>
+
+ [BZ #13506]
+ * time/tzfile.c (__tzfile_read): Check values from file header.
+
+diff --git a/time/tzfile.c b/time/tzfile.c
+index 144e20b..402389c 100644
+--- a/time/tzfile.c
++++ b/time/tzfile.c
+@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
+ goto read_again;
+ }
+
++ if (__builtin_expect (num_transitions
++ > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
++ / (sizeof (time_t) + 1)), 0))
++ goto lose;
+ total_size = num_transitions * (sizeof (time_t) + 1);
+ total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
+ & ~(__alignof__ (struct ttinfo) - 1));
+ types_idx = total_size;
+- total_size += num_types * sizeof (struct ttinfo) + chars;
++ if (__builtin_expect (num_types
++ > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
++ goto lose;
++ total_size += num_types * sizeof (struct ttinfo);
++ if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
++ goto lose;
++ total_size += chars;
++ if (__builtin_expect (__alignof__ (struct leap) - 1
++ > SIZE_MAX - total_size, 0))
++ goto lose;
+ total_size = ((total_size + __alignof__ (struct leap) - 1)
+ & ~(__alignof__ (struct leap) - 1));
+ leaps_idx = total_size;
++ if (__builtin_expect (num_leaps
++ > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
++ goto lose;
+ total_size += num_leaps * sizeof (struct leap);
+- tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
+- ? st.st_size - (ftello (f)
+- + num_transitions * (8 + 1)
+- + num_types * 6
+- + chars
+- + num_leaps * 12
+- + num_isstd
+- + num_isgmt) - 1 : 0);
++ tzspec_len = 0;
++ if (sizeof (time_t) == 8 && trans_width == 8)
++ {
++ off_t rem = st.st_size - ftello (f);
++ if (__builtin_expect (rem < 0
++ || (size_t) rem < (num_transitions * (8 + 1)
++ + num_types * 6
++ + chars), 0))
++ goto lose;
++ tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
++ + num_types * 6
++ + chars);
++ if (__builtin_expect (num_leaps > SIZE_MAX / 12
++ || tzspec_len < num_leaps * 12, 0))
++ goto lose;
++ tzspec_len -= num_leaps * 12;
++ if (__builtin_expect (tzspec_len < num_isstd, 0))
++ goto lose;
++ tzspec_len -= num_isstd;
++ if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
++ goto lose;
++ tzspec_len -= num_isgmt + 1;
++ if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
++ goto lose;
++ }
++ if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
++ goto lose;
+
+ /* Allocate enough memory including the extra block requested by the
+ caller. */
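Review bot: In `if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))` the first operand tests `tzspec`, while every neighbouring check is on `tzspec_len`; this looks like a typo for `tzspec_len == 0`. With `tzspec_len` equal to 0 (assuming it is a size_t, as the casts suggest), `tzspec_len - 1` wraps, the comparison does not fire, and `tzspec_len -= num_isgmt + 1` underflows, so the remaining SIZE_MAX checks operate on a wrapped length. I would change the line to `if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))`. `tzspec` is declared outside this hunk; if it is a pointer that is still null at this point, the test as written would also send every file taking the 64-bit branch to `lose`, which is worth confirming by loading a zone file with 8-byte transitions. `__tzfile_read` starts before and continues after the hunk.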
Modified: glibc-package/trunk/debian/patches/series
===================================================================
--- glibc-package/trunk/debian/patches/series 2011-12-18 15:52:39 UTC (rev 5092)
+++ glibc-package/trunk/debian/patches/series 2011-12-18 16:28:26 UTC (rev 5093)
@@ -311,3 +311,4 @@
any/cvs-dl_close-scope-handling.diff
any/cvs-nptl-pthread-race.diff
any/local-linuxthreads-XPG7.diff
+any/cvs-tzfile.diff