aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Pluzhnikov <ppluzhnikov@google.com>2015-02-22 12:01:47 -0800
committerPaul Pluzhnikov <ppluzhnikov@google.com>2015-02-22 12:01:47 -0800
commitbdf1ff052a8e23d637f2c838fa5642d78fcedc33 (patch)
treeef595b80d3cf6d43a806b5bde425fcef434ac56a
parent9529611240b612fec59e289673d05f83396aede4 (diff)
downloadglibc-bdf1ff052a8e23d637f2c838fa5642d78fcedc33.tar
glibc-bdf1ff052a8e23d637f2c838fa5642d78fcedc33.tar.gz
glibc-bdf1ff052a8e23d637f2c838fa5642d78fcedc33.tar.bz2
glibc-bdf1ff052a8e23d637f2c838fa5642d78fcedc33.zip
Fix BZ #17269 -- _IO_wstr_overflow integer overflow
Diffstat
-rw-r--r--ChangeLog6
-rw-r--r--NEWS6
-rw-r--r--libio/wstrops.c8
3 files changed, 16 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 18961d8031..9ae6b8b6db 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-02-22 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17269]
+ * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+ (enlarge_userbuf): Likewise.
+
2015-02-22 Chung-Lin Tang <cltang@codesourcery.com>
* libio/tst-memstream2.c (TIMEOUT): Define as 100.
diff --git a/NEWS b/NEWS
index 5eb79d2802..28ef45da55 100644
--- a/NEWS
+++ b/NEWS
@@ -9,9 +9,9 @@ Version 2.22
* The following bugs are resolved with this release:
- 4719, 13064, 14094, 15319, 15467, 15790, 16560, 17569, 17588, 17792,
- 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978, 17987,
- 17991, 17996, 17998, 17999.
+ 4719, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569, 17588,
+ 17792, 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978,
+ 17987, 17991, 17996, 17998, 17999.
* Character encoding and ctype tables were updated to Unicode 7.0.0, using
new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 43d847d034..3993579bd1 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
size_t old_wblen = _IO_wblen (fp);
_IO_size_t new_size = 2 * old_wblen + 100;
- if (new_size < old_wblen)
+
+ if (__glibc_unlikely (new_size < old_wblen)
+ || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
return EOF;
+
new_buf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
* sizeof (wchar_t));
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
return 1;
_IO_size_t newsize = offset + 100;
+ if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+ return 1;
+
wchar_t *oldbuf = wd->_IO_buf_base;
wchar_t *newbuf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-18 00:57:26 +0000