Author: aurel32
Date: 2015-10-19 16:10:29 +0000 (Mon, 19 Oct 2015)
New Revision: 6664

Added:
   glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-_IO_wstr_overflow.diff
Modified:
   glibc-package/branches/glibc-branch-wheezy/debian/changelog
   glibc-package/branches/glibc-branch-wheezy/debian/patches/series
Log:
patches/any/cvs-_IO_wstr_overflow.diff: new patch from upstream to fix
an integer overflow in IO_wstr_overflow.

Modified: glibc-package/branches/glibc-branch-wheezy/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/changelog 2015-10-19 
15:59:38 UTC (rev 6663)
+++ glibc-package/branches/glibc-branch-wheezy/debian/changelog 2015-10-19 
16:10:29 UTC (rev 6664)
@@ -4,6 +4,8 @@
     a buffer overflow in getanswer_r (CVE-2015-1781). Closes: #796105.
   * patches/any/cvs-fnmatch-overflow.diff: new patch from upstream to fix
     a buffer overflow (read past end of buffer) in internal_fnmatch.
+  * patches/any/cvs-_IO_wstr_overflow.diff: new patch from upstream to fix
+    an integer overlow in IO_wstr_overflow.
   * patches/any/cvs-CVE-2014-8121.diff: new patch from upstream to fix
     an unexpected closing of nss_files databases after lookups, causing
     denial of service (CVE-2014-8121).  Closes: #779587.
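
Review bot: The added changelog entry misspells "overflow" as "overlow" and names the function IO_wstr_overflow, while the patch file name and the upstream ChangeLog text in the patch use _IO_wstr_overflow; both should be corrected. Unlike the neighbouring entries it also carries no bug reference, although the patch cites [BZ #17269], and it does not mention that enlarge_userbuf is changed as well.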

Added: glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-_IO_wstr_overflow.diff
===================================================================
--- 
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-_IO_wstr_overflow.diff
                            (rev 0)
+++ 
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-_IO_wstr_overflow.diff
    2015-10-19 16:10:29 UTC (rev 6664)
@@ -0,0 +1,31 @@
+2015-02-22  Paul Pluzhnikov  <[email protected]>
+
+       [BZ #17269]
+       * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+       (enlarge_userbuf): Likewise.
+
+--- a/libio/wstrops.c
++++ b/libio/wstrops.c
+@@ -96,8 +96,11 @@ _IO_wstr_overflow (fp, c)
+         wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
+         size_t old_wblen = _IO_wblen (fp);
+         _IO_size_t new_size = 2 * old_wblen + 100;
+-        if (new_size < old_wblen)
++
++        if (__builtin_expect ((new_size < old_wblen), 0)
++            || __builtin_expect ((new_size > SIZE_MAX / sizeof (wchar_t)), 0))
+           return EOF;
++
+         new_buf
+           = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
+                                                                       * 
sizeof (wchar_t));
+@@ -187,6 +190,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int 
reading)
+     return 1;
+ 
+   _IO_size_t newsize = offset + 100;
++  if (__builtin_expect ((newsize > SIZE_MAX / sizeof (wchar_t)), 0))
++    return 1;
++
+   wchar_t *oldbuf = wd->_IO_buf_base;
+   wchar_t *newbuf
+     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
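
Review bot: In the enlarge_userbuf part, the new bound is tested on newsize only after `_IO_size_t newsize = offset + 100;` has been evaluated, and offset is an _IO_off64_t. Where _IO_size_t is narrower than 64 bits, the conversion can reduce a very large offset to a small newsize that passes `newsize > SIZE_MAX / sizeof (wchar_t)`, so consider checking offset against the limit before the addition, or noting where callers already bound it. In _IO_wstr_overflow the added test covers the `new_size * sizeof (wchar_t)` product passed to _allocate_buffer, which the old `new_size < old_wblen` test did not. The visible lines add no include for SIZE_MAX, so confirm that wstrops.c on this branch already pulls in <stdint.h>.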

Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series    
2015-10-19 15:59:38 UTC (rev 6663)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series    
2015-10-19 16:10:29 UTC (rev 6664)
@@ -406,3 +406,4 @@
 any/cvs-CVE-2015-1781.diff
 any/cvs-CVE-2014-8121.diff
 any/cvs-fnmatch-overflow.diff
+any/cvs-_IO_wstr_overflow.diff
