diff mbox

Fix BZ #17269 _IO_wstr_overflow integer overflow

Message ID	CALoOobNvKAhQ2+r1yUZiYVsKChd7KTcHcpb_shMTNnMMTLQj5Q@mail.gmail.com
State	Superseded
Delegated to:	Paul Pluzhnikov
Headers	Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk Sender: libc-alpha-owner@sourceware.org MIME-Version: 1.0 In-Reply-To: <CALoOobNWgCzh0=5pRMoy39jorDiD4A1QcsyatFDXdCZpMA2X4Q@mail.gmail.com> References: <CALoOobNWgCzh0=5pRMoy39jorDiD4A1QcsyatFDXdCZpMA2X4Q@mail.gmail.com> From: Paul Pluzhnikov <ppluzhnikov@gmail.com> Date: Sat, 21 Feb 2015 22:24:19 -0800 Message-ID: <CALoOobNvKAhQ2+r1yUZiYVsKChd7KTcHcpb_shMTNnMMTLQj5Q@mail.gmail.com> Subject: Re: [patch] Fix BZ #17269 _IO_wstr_overflow integer overflow To: GLIBC Devel <libc-alpha@sourceware.org> Content-Type: multipart/mixed; boundary=001a113d631ee6463e050fa757ed

Commit Message

Paul Pluzhnikov Feb. 22, 2015, 6:24 a.m. UTC

  On Sat, Feb 21, 2015 at 10:09 PM, Paul Pluzhnikov <ppluzhnikov@gmail.com> wrote:

> Attached is a rather obvious fix for BZ #17269

Hmm, it seems the same problem could also happen in enlarge_userbuf.

Also fixed "space before paren".


2015-02-21  Paul Pluzhnikov  <ppluzhnikov@google.com>

        [BZ #17269]
        * NEWS: Mention 17269
        * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
        (enlarge_userbuf): Likewise.

Comments

Florian Weimer Feb. 22, 2015, 10:20 a.m. UTC | #1

* Paul Pluzhnikov:

> On Sat, Feb 21, 2015 at 10:09 PM, Paul Pluzhnikov <ppluzhnikov@gmail.com> wrote:
>
>> Attached is a rather obvious fix for BZ #17269
>
> Hmm, it seems the same problem could also happen in enlarge_userbuf.
>

+	  if (__glibc_unlikely (new_size < old_wblen)
+	      || __glibc_unlikely (new_size >= SIZE_MAX / sizeof (wchar_t)))

“new_size == SIZE_MAX / sizeof (wchar_t)” should still be okay,
shouldn't it?  So the check should use “>” instead of “>=”.

> Also fixed "space before paren".

Some say that it doesn't apply to macros. :-/ But your version is fine
by me.

diff mbox

Patch

diff --git a/NEWS b/NEWS
index 5eb79d2..28ef45d 100644
--- a/NEWS
+++ b/NEWS
@@ -9,9 +9,9 @@  Version 2.22
 
 * The following bugs are resolved with this release:
 
-  4719, 13064, 14094, 15319, 15467, 15790, 16560, 17569, 17588, 17792,
-  17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978, 17987,
-  17991, 17996, 17998, 17999.
+  4719, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569, 17588,
+  17792, 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978,
+  17987, 17991, 17996, 17998, 17999.
 
 * Character encoding and ctype tables were updated to Unicode 7.0.0, using
   new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 43d847d..f68a990 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@  _IO_wstr_overflow (fp, c)
 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
 	  size_t old_wblen = _IO_wblen (fp);
 	  _IO_size_t new_size = 2 * old_wblen + 100;
-	  if (new_size < old_wblen)
+
+	  if (__glibc_unlikely (new_size < old_wblen)
+	      || __glibc_unlikely (new_size >= SIZE_MAX / sizeof (wchar_t)))
 	    return EOF;
+
 	  new_buf
 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
 									* sizeof (wchar_t));
@@ -186,6 +189,9 @@  enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
     return 1;
 
   _IO_size_t newsize = offset + 100;
+  if (__glibc_unlikely (newsize >= SIZE_MAX / sizeof (wchar_t)))
+    return 1;
+
   wchar_t *oldbuf = wd->_IO_buf_base;
   wchar_t *newbuf
     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize