
Check for integer overflow in cache size computation in strcoll

strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again.  For very large string
inputs, the cache size computation could overflow.  In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.

Fixes CVE-2012-4412.
This commit is contained in:
Siddhesh Poyarekar
2013-09-23 11:24:30 +05:30
parent 141f3a77fe
commit 303e567a80
5 changed files with 84 additions and 1 deletions


@ -524,7 +524,15 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
memset (&seq1, 0, sizeof (seq1));
seq2 = seq1;
if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1)))
size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1);
if (MIN (s1len, s2len) > size_max
|| MAX (s1len, s2len) > size_max - MIN (s1len, s2len))
{
/* If the strings are long enough to cause overflow in the size request,
then skip the allocation and proceed with the non-cached routines. */
}
else if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1)))
{
seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1));