Author: aurel32
Date: 2011-12-18 16:36:14 +0000 (Sun, 18 Dec 2011)
New Revision: 5094

Added:
   
glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-tzfile.diff
Modified:
   glibc-package/branches/glibc-branch-squeeze/debian/changelog
   glibc-package/branches/glibc-branch-squeeze/debian/patches/series
Log:
  * patches/any/cvs-tzfile.diff: fix integer overflow in timezone code.
    Closes: #650790.



Modified: glibc-package/branches/glibc-branch-squeeze/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-squeeze/debian/changelog        
2011-12-18 16:28:26 UTC (rev 5093)
+++ glibc-package/branches/glibc-branch-squeeze/debian/changelog        
2011-12-18 16:36:14 UTC (rev 5094)
@@ -1,3 +1,10 @@
+eglibc (2.11.3-3) UNRELEASED; urgency=low
+
+  * patches/any/cvs-tzfile.diff: fix integer overflow in timezone code.
+    Closes: #650790.
+
+ -- Aurelien Jarno <[email protected]>  Sun, 18 Dec 2011 17:33:40 +0100
+
 eglibc (2.11.3-2) stable; urgency=low
 
   * Add patches/arm/cvs-tls-unallocated.diff and

Added: 
glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-tzfile.diff
===================================================================
--- 
glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-tzfile.diff  
                            (rev 0)
+++ 
glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-tzfile.diff  
    2011-12-18 16:36:14 UTC (rev 5094)
@@ -0,0 +1,77 @@
+2011-12-17  Ulrich Drepper  <[email protected]>
+
+       [BZ #13506]
+       * time/tzfile.c (__tzfile_read): Check values from file header.
+
+diff --git a/time/tzfile.c b/time/tzfile.c
+index 144e20b..402389c 100644
+--- a/time/tzfile.c
++++ b/time/tzfile.c
+@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char 
**extrap)
+       goto read_again;
+     }
+ 
++  if (__builtin_expect (num_transitions
++                      > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
++                         / (sizeof (time_t) + 1)), 0))
++    goto lose;
+   total_size = num_transitions * (sizeof (time_t) + 1);
+   total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
+               & ~(__alignof__ (struct ttinfo) - 1));
+   types_idx = total_size;
+-  total_size += num_types * sizeof (struct ttinfo) + chars;
++  if (__builtin_expect (num_types
++                      > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
++    goto lose;
++  total_size += num_types * sizeof (struct ttinfo);
++  if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
++    goto lose;
++  total_size += chars;
++  if (__builtin_expect (__alignof__ (struct leap) - 1
++                      > SIZE_MAX - total_size, 0))
++    goto lose;
+   total_size = ((total_size + __alignof__ (struct leap) - 1)
+               & ~(__alignof__ (struct leap) - 1));
+   leaps_idx = total_size;
++  if (__builtin_expect (num_leaps
++                      > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
++    goto lose;
+   total_size += num_leaps * sizeof (struct leap);
+-  tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
+-              ? st.st_size - (ftello (f)
+-                              + num_transitions * (8 + 1)
+-                              + num_types * 6
+-                              + chars
+-                              + num_leaps * 12
+-                              + num_isstd
+-                              + num_isgmt) - 1 : 0);
++  tzspec_len = 0;
++  if (sizeof (time_t) == 8 && trans_width == 8)
++    {
++      off_t rem = st.st_size - ftello (f);
++      if (__builtin_expect (rem < 0
++                          || (size_t) rem < (num_transitions * (8 + 1)
++                                             + num_types * 6
++                                             + chars), 0))
++      goto lose;
++      tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
++                                 + num_types * 6
++                                 + chars);
++      if (__builtin_expect (num_leaps > SIZE_MAX / 12
++                          || tzspec_len < num_leaps * 12, 0))
++      goto lose;
++      tzspec_len -= num_leaps * 12;
++      if (__builtin_expect (tzspec_len < num_isstd, 0))
++      goto lose;
++      tzspec_len -= num_isstd;
++      if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
++      goto lose;
++      tzspec_len -= num_isgmt + 1;
++      if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
++      goto lose;
++    }
++  if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
++    goto lose;
+ 
+   /* Allocate enough memory including the extra block requested by the
+      caller.  */
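Review bot: The guard `tzspec == 0 || tzspec_len - 1 < num_isgmt` in the `trans_width == 8` branch tests `tzspec` rather than `tzspec_len`, so it does not protect the `tzspec_len - 1` next to it. If `tzspec_len` is zero there (it appears to be unsigned, given the `(size_t) rem` assignment), the subtraction wraps, the comparison does not fire, and `tzspec_len -= num_isgmt + 1` wraps to a very large length that only the later `SIZE_MAX - total_size` checks can catch. `tzspec` is declared outside this hunk, so reading it as a typo is an inference, but the check the arithmetic needs is `if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))`. If `tzspec` can be null at this point, every 64-bit zone file would go to `lose`, so a test that loads a valid file with the patch applied is worth adding before this reaches a stable branch. `__tzfile_read` begins and ends outside the hunk.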

Modified: glibc-package/branches/glibc-branch-squeeze/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-squeeze/debian/patches/series   
2011-12-18 16:28:26 UTC (rev 5093)
+++ glibc-package/branches/glibc-branch-squeeze/debian/patches/series   
2011-12-18 16:36:14 UTC (rev 5094)
@@ -270,3 +270,4 @@
 any/cvs-dl_close-scope-handling.diff
 any/cvs-nptl-pthread-race.diff
 any/cvs-statvfs-mount-flags.diff
+any/cvs-tzfile.diff

