mirror of https://sourceware.org/git/glibc.git synced 2025-07-29 11:41:21 +03:00

Fix BZ #17269 -- _IO_wstr_overflow integer overflow

Paul Pluzhnikov
2015-02-22 12:01:47 -08:00
parent 9529611240
commit bdf1ff052a
3 changed files with 16 additions and 4 deletions


@ -1,3 +1,9 @@
2015-02-22 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #17269]
* libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
(enlarge_userbuf): Likewise.
2015-02-22 Chung-Lin Tang <cltang@codesourcery.com> 2015-02-22 Chung-Lin Tang <cltang@codesourcery.com>
* libio/tst-memstream2.c (TIMEOUT): Define as 100. * libio/tst-memstream2.c (TIMEOUT): Define as 100.

6
NEWS

@ -9,9 +9,9 @@ Version 2.22
* The following bugs are resolved with this release: * The following bugs are resolved with this release:
4719, 13064, 14094, 15319, 15467, 15790, 16560, 17569, 17588, 17792, 4719, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569, 17588,
17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978, 17987, 17792, 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978,
17991, 17996, 17998, 17999. 17987, 17991, 17996, 17998, 17999.
* Character encoding and ctype tables were updated to Unicode 7.0.0, using * Character encoding and ctype tables were updated to Unicode 7.0.0, using
new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red


@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
wchar_t *old_buf = fp->_wide_data->_IO_buf_base; wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
size_t old_wblen = _IO_wblen (fp); size_t old_wblen = _IO_wblen (fp);
_IO_size_t new_size = 2 * old_wblen + 100; _IO_size_t new_size = 2 * old_wblen + 100;
if (new_size < old_wblen)
if (__glibc_unlikely (new_size < old_wblen)
|| __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
return EOF; return EOF;
new_buf new_buf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
* sizeof (wchar_t)); * sizeof (wchar_t));
@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
return 1; return 1;
_IO_size_t newsize = offset + 100; _IO_size_t newsize = offset + 100;
if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
return 1;
wchar_t *oldbuf = wd->_IO_buf_base; wchar_t *oldbuf = wd->_IO_buf_base;
wchar_t *newbuf wchar_t *newbuf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
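Review bot: In enlarge_userbuf the new bound is tested on `newsize` only after `offset + 100` has been narrowed from `_IO_off64_t` to `_IO_size_t`, so where `_IO_size_t` is narrower than 64 bits (32-bit targets, presumably) a large `offset` can truncate to a small `newsize` that passes `newsize > SIZE_MAX / sizeof (wchar_t)` and yields a buffer shorter than the requested offset. The addition itself is performed in the signed 64-bit type and is not guarded either. Checking the untruncated value before the `newsize` assignment covers both cases: `if (__glibc_unlikely (offset > (_IO_off64_t) (SIZE_MAX / sizeof (wchar_t)) - 100)) return 1;`. The function begins and continues outside the hunk, so whether an earlier check already bounds `offset` cannot be confirmed from here. The commit also touches only ChangeLog, NEWS and wstrops.c, so neither guard is covered by a regression test.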