diff options
author | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-02-22 12:01:47 -0800 |
---|---|---|
committer | Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com> | 2016-02-25 16:02:04 -0300 |
commit | 6ef92b982aef69f05a3faa481c34699bfa55f1dd (patch) | |
tree | 282b5cb37c4e11586a5e7ced1b6ca5dc4caedb19 | |
parent | d5ef25a8d894fa5833854588afaacdf8771972a8 (diff) | |
download | glibc-6ef92b982aef69f05a3faa481c34699bfa55f1dd.tar glibc-6ef92b982aef69f05a3faa481c34699bfa55f1dd.tar.gz glibc-6ef92b982aef69f05a3faa481c34699bfa55f1dd.tar.bz2 glibc-6ef92b982aef69f05a3faa481c34699bfa55f1dd.zip |
Fix BZ #17269 -- _IO_wstr_overflow integer overflow
(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)
Conflicts:
NEWS
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | libio/wstrops.c | 8 |
3 files changed, 15 insertions, 3 deletions
@@ -1,3 +1,9 @@ +2016-02-25 Paul Pluzhnikov <ppluzhnikov@google.com> + + [BZ #17269] + * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow + (enlarge_userbuf): Likewise. + 2016-02-25 Florian Weimer <fweimer@redhat.com> [BZ #19018] @@ -9,8 +9,8 @@ Version 2.20.1 * The following bugs are resolved with this release: - 16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625, - 17630, 17801, 18694, 18928, 19018. + 16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555, + 17625, 17630, 17801, 18694, 18928, 19018. * The LD_POINTER_GUARD environment variable can no longer be used to disable the pointer guard feature. It is always enabled. diff --git a/libio/wstrops.c b/libio/wstrops.c index 399a377104..9218d4a5e3 100644 --- a/libio/wstrops.c +++ b/libio/wstrops.c @@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c) wchar_t *old_buf = fp->_wide_data->_IO_buf_base; size_t old_wblen = _IO_wblen (fp); _IO_size_t new_size = 2 * old_wblen + 100; - if (new_size < old_wblen) + + if (__glibc_unlikely (new_size < old_wblen) + || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t))) return EOF; + new_buf = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size * sizeof (wchar_t)); @@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading) return 1; _IO_size_t newsize = offset + 100; + if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t))) + return 1; + wchar_t *oldbuf = wd->_IO_buf_base; wchar_t *newbuf = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize |