From patchwork Sun Feb 22 06:24:19 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Pluzhnikov X-Patchwork-Id: 5224 X-Patchwork-Delegate: ppluzhnikov@google.com Received: (qmail 4527 invoked by alias); 22 Feb 2015 06:24:56 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 4511 invoked by uid 89); 22 Feb 2015 06:24:55 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=0.8 required=5.0 tests=AWL, BAYES_00, FREEMAIL_FROM, KAM_FROM_URIBL_PCCC, RCVD_IN_DNSWL_LOW, SPF_PASS, T_RP_MATCHES_RCVD autolearn=no version=3.3.2 X-HELO: mail-oi0-f49.google.com X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:content-type; bh=R6/DpiWwwkmPz9dOMKFchALI2JSnZOYlb+667uP4XbU=; b=QfUtTQStJYX3g3oN7VyMIhTWBcEj8kPI2UYw1Lg39AVj17wnIUlyzfA/jpB7yFbJ3b MEqTtUHgLkU+xLkqmuXdMAoFsORB4SasTmRvqSI7pmZunODLtgAobVsaNRuQDw57ch7u YvSTSuT9EnLsXnOMecoiytZPCH1dVmn7DxDTDnLpwArXcoig2rsyE0TLj+MHY9X9Dxjz x7x+jZ+flTf+8/Bi5Zix99xoZwQw82nuxUorWuKjgTIs0suJEcEsFmUbzAnyRZz571Eo VHqB7wgh07PULs5280IdknFSam1/O7E2p7nxvvtm1utxwcnJ98eSwNP/pO+SGmEbZ/Dl SoZA== X-Gm-Message-State: ALoCoQlHRAL4uqKtSXBWRoXH/uFnC27w9lPwSt8u85uPP4MWKNe5UBJNsCnIfHkhyolYyC30QUy/ X-Received: by 10.202.223.6 with SMTP id w6mr3293632oig.89.1424586292204; Sat, 21 Feb 2015 22:24:52 -0800 (PST) MIME-Version: 1.0 In-Reply-To: References: From: Paul Pluzhnikov Date: Sat, 21 Feb 2015 22:24:19 -0800 Message-ID: Subject: Re: [patch] Fix BZ #17269 _IO_wstr_overflow integer overflow To: GLIBC Devel On Sat, Feb 21, 2015 at 10:09 PM, Paul Pluzhnikov wrote: > Attached is a rather obvious fix for BZ #17269 Hmm, it seems the same problem could also happen in enlarge_userbuf. Also fixed "space before paren". 2015-02-21 Paul Pluzhnikov [BZ #17269] * NEWS: Mention 17269 * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow (enlarge_userbuf): Likewise. diff --git a/NEWS b/NEWS index 5eb79d2..28ef45d 100644 --- a/NEWS +++ b/NEWS @@ -9,9 +9,9 @@ Version 2.22 * The following bugs are resolved with this release: - 4719, 13064, 14094, 15319, 15467, 15790, 16560, 17569, 17588, 17792, - 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978, 17987, - 17991, 17996, 17998, 17999. + 4719, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569, 17588, + 17792, 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978, + 17987, 17991, 17996, 17998, 17999. * Character encoding and ctype tables were updated to Unicode 7.0.0, using new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red diff --git a/libio/wstrops.c b/libio/wstrops.c index 43d847d..f68a990 100644 --- a/libio/wstrops.c +++ b/libio/wstrops.c @@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c) wchar_t *old_buf = fp->_wide_data->_IO_buf_base; size_t old_wblen = _IO_wblen (fp); _IO_size_t new_size = 2 * old_wblen + 100; - if (new_size < old_wblen) + + if (__glibc_unlikely (new_size < old_wblen) + || __glibc_unlikely (new_size >= SIZE_MAX / sizeof (wchar_t))) return EOF; + new_buf = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size * sizeof (wchar_t)); @@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading) return 1; _IO_size_t newsize = offset + 100; + if (__glibc_unlikely (newsize >= SIZE_MAX / sizeof (wchar_t))) + return 1; + wchar_t *oldbuf = wd->_IO_buf_base; wchar_t *newbuf = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize