lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-08-07 06:43:00 +03:00
Code Activity

Fix iogetdelim.c (latent) integer overflow (bug 9914).

Browse Source
This commit is contained in:
Joseph Myers
2012-09-04 11:24:43 +00:00
parent bcd6c8dc64
commit 60160d83a0
3 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@@ -1,3 +1,10 @@
2012-09-04 Joseph Myers <joseph@codesourcery.com>
[BZ #9914]
* libio/iogetdelim.c: Include <limits.h>.
(_IO_getdelim): Avoid integer overflow in testing whether cur_len
+ len + 1 would overflow.
2012-09-03 Andreas Jaeger <aj@suse.de> 2012-09-03 Andreas Jaeger <aj@suse.de>
* sysdeps/x86_64/fpu/libm-test-ulps: Update. * sysdeps/x86_64/fpu/libm-test-ulps: Update.

8
NEWS
View File

@@ -9,10 +9,10 @@ Version 2.17
* The following bugs are resolved with this release: * The following bugs are resolved with this release:
3479, 5400, 6778, 6808, 9685, 11607, 13412, 13717, 13696, 13939, 14042, 3479, 5400, 6778, 6808, 9685, 9914, 11607, 13412, 13717, 13696, 13939,
14090, 14166, 14150, 14151, 14154, 14157, 14166, 14173, 14195, 14252, 14042, 14090, 14166, 14150, 14151, 14154, 14157, 14166, 14173, 14195,
14283, 14298, 14303, 14307, 14328, 14331, 14336, 14337, 14347, 14349, 14252, 14283, 14298, 14303, 14307, 14328, 14331, 14336, 14337, 14347,
14459, 14476, 14505, 14516, 14519, 14532, 14538 14349, 14459, 14476, 14505, 14516, 14519, 14532, 14538
* Support for STT_GNU_IFUNC symbols added for s390 and s390x. * Support for STT_GNU_IFUNC symbols added for s390 and s390x.
Optimized versions of memcpy, memset, and memcmp added for System z10 and Optimized versions of memcpy, memset, and memcmp added for System z10 and

3
libio/iogetdelim.c
View File

@@ -29,6 +29,7 @@
#include "libioP.h" #include "libioP.h"
#include <string.h> #include <string.h>
#include <errno.h> #include <errno.h>
#include <limits.h>
/* Read up to (and including) a TERMINATOR from FP into *LINEPTR /* Read up to (and including) a TERMINATOR from FP into *LINEPTR
(and null-terminate it). *LINEPTR is a pointer returned from malloc (or (and null-terminate it). *LINEPTR is a pointer returned from malloc (or
@@ -89,7 +90,7 @@ _IO_getdelim (lineptr, n, delimiter, fp)
t = (char *) memchr ((void *) fp->_IO_read_ptr, delimiter, len); t = (char *) memchr ((void *) fp->_IO_read_ptr, delimiter, len);
if (t != NULL) if (t != NULL)
len = (t - fp->_IO_read_ptr) + 1; len = (t - fp->_IO_read_ptr) + 1;
if (__builtin_expect (cur_len + len + 1 < 0, 0)) if (__builtin_expect (len >= SSIZE_MAX - cur_len, 0))
{ {
__set_errno (EOVERFLOW); __set_errno (EOVERFLOW);
result = -1; result = -1;