From patchwork Mon Oct 19 09:50:25 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Aurelien Jarno <aurelien@aurel32.net>
X-Patchwork-Id: 9222
Received: (qmail 15083 invoked by alias); 19 Oct 2015 09:50:33 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 15052 invoked by uid 89); 19 Oct 2015 09:50:30 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=0.5 required=5.0 tests=BAYES_05,
	KAM_LAZY_DOMAIN_SECURITY,
	RP_MATCHES_RCVD autolearn=no version=3.3.2
X-HELO: hall.aurel32.net
From: Aurelien Jarno <aurelien@aurel32.net>
To: libc-alpha@sourceware.org
Cc: Paul Pluzhnikov <ppluzhnikov@google.com>
Subject: [COMMITTED 2.19] Fix BZ #17269 -- _IO_wstr_overflow integer overflow
Date: Mon, 19 Oct 2015 11:50:25 +0200
Message-Id: <1445248225-1784-1-git-send-email-aurelien@aurel32.net>

From: Paul Pluzhnikov <ppluzhnikov@google.com>

(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)

Conflicts:
	ChangeLog
	NEWS
---
 ChangeLog       | 6 ++++++
 NEWS            | 2 +-
 libio/wstrops.c | 8 +++++++-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a4f4e0d..8d621b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-02-22  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #17269]
+	* libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+	(enlarge_userbuf): Likewise.
+
 2015-02-26  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #18032]
diff --git a/NEWS b/NEWS
index c017fa3..9e7316b 100644
--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,7 @@ Version 2.19.1
 
   15946, 16545, 16574, 16623, 16657, 16695, 16743, 16878, 16882, 16885,
   16916, 16932, 16943, 16958, 17048, 17069, 17079, 17137, 17153, 17213,
-  17263, 17325, 17555, 18032, 18287.
+  17263, 17269, 17325, 17555, 18032, 18287.
 
 * A buffer overflow in gethostbyname_r and related functions performing DNS
   requests has been fixed.  If the NSS functions were called with a
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 399a377..9218d4a 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
 	  size_t old_wblen = _IO_wblen (fp);
 	  _IO_size_t new_size = 2 * old_wblen + 100;
-	  if (new_size < old_wblen)
+
+	  if (__glibc_unlikely (new_size < old_wblen)
+	      || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
 	    return EOF;
+
 	  new_buf
 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
 									* sizeof (wchar_t));
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
     return 1;
 
   _IO_size_t newsize = offset + 100;
+  if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+    return 1;
+
   wchar_t *oldbuf = wd->_IO_buf_base;
   wchar_t *newbuf
     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize