This is sources Bugzilla
Bugzilla Version 2.17.5
Bugzilla Bug 2792
Overflow in dl-deps.c : expand_dst() with patch   Last modified: 2006-06-17 16:52:41
Bug#: 2792   Reporter: Douglas Greiman <dgreiman@google.com>
Status: RESOLVED   Resolution: FIXED
Assigned To: Ulrich Drepper <drepper@redhat.com>
Description:   Opened: 2006-06-16 22:04
The expand_dst() macro calls the DL_DST_REQUIRED() macro.  They both use a
variable __cnt which leads to the following source line after preprocessing:
  size_t __cnt = (__cnt);
Thus __cnt is not initialized properly.  __cnt is later used to compute the size
of an array, which may not be long enough to hold the strings written into the
array.

This bug manifests as sporadic segmentation faults in ld.so when loading ELF
executables which have DT_NEEDED entries containing the strings $ORIGIN or
$PLATFORM.

Linux 2.4.22-gg13
gcc version 3.2.2 20030222
GNU ld version 2.13.90.0.18 20030206

Fix is to rename one of the two variables:

--- glibc-2.3.5/elf/dl-deps.c.orig      2006-06-16 14:47:50.000000000 -0700
+++ glibc-2.3.5/elf/dl-deps.c   2006-06-16 14:48:06.000000000 -0700
@@ -101,9 +101,9 @@
   ({                                                                         \
     const char *__str = (str);                                               \
     const char *__result = __str;                                            \
-    size_t __cnt = DL_DST_COUNT(__str, 0);                                   \
+    size_t __dst_cnt = DL_DST_COUNT(__str, 0);                               \
                                                                              \
-    if (__cnt != 0)                                                          \
+    if (__dst_cnt != 0)                                                       
      \
       {                                                                       
      \
        char *__newp;                                                         \
                                                                              \
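Review bot: in this hunk the line-continuation backslashes after `if (__dst_cnt != 0)` and after the opening `{` have been pushed onto their own lines, leaving trailing spaces on the code lines; applied as shown, the macro body would end at those lines and the remainder would no longer be part of expand_dst(). This looks like whitespace damage in transit rather than the intended change, but the backslashes need to be back at the end of those two lines before the patch is applied. The rename itself is correct: DL_DST_REQUIRED() declares its own `__cnt`, so handing it an outer variable also named `__cnt` expanded to a self-initialisation, and `__dst_cnt` removes the clash.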
@@ -113,7 +113,7 @@
 DST not allowed in SUID/SGID programs"));                                    \
                                                                              \
        __newp = (char *) alloca (DL_DST_REQUIRED (l, __str, strlen (__str),  \
-                                                  __cnt));                   \
+                                                  __dst_cnt));               \
                                                                              \
        __result = _dl_dst_substitute (l, __str, __newp, 0);          \
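Review bot: the alloca size argument is the last remaining use of `__cnt` in expand_dst() and is renamed consistently with the first hunk, so no stale reference to the old name is left behind. Because the defect was a self-initialising expansion (`size_t __cnt = (__cnt);`) that surfaced only as sporadic ld.so segfaults, consider building elf/ with -Wshadow (and -Winit-self where the compiler supports it) so a future nested-macro name clash is reported at compile time instead.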

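A compact model of the macro interaction described in the report, as an added example and not glibc's own code: DST_REQUIRED stands in for DL_DST_REQUIRED() and declares its own __cnt, while EXPAND_DST uses the distinct name __dst_cnt that the fix introduces. ORIGIN_VAL, PLATFORM_VAL, dst_count(), dst_substitute() and expand_needed() are simplified, assumed stand-ins for what ld.so does, not its implementation.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins for the values ld.so substitutes (assumed values). */
#define ORIGIN_VAL   "/opt/app/lib"
#define PLATFORM_VAL "x86_64"
#define MAX_SUBST    (sizeof ORIGIN_VAL > sizeof PLATFORM_VAL ? \
                      sizeof ORIGIN_VAL - 1 : sizeof PLATFORM_VAL - 1)

/* Number of $ORIGIN / $PLATFORM tokens in s (stands in for DL_DST_COUNT). */
static size_t dst_count(const char *s) {
    size_t n = 0;
    for (const char *p = s; (p = strchr(p, '$')) != NULL; ++p)
        if (!strncmp(p, "$ORIGIN", 7) || !strncmp(p, "$PLATFORM", 9)) ++n;
    return n;
}

/* Inner macro declares its own __cnt, as DL_DST_REQUIRED does. If the caller's
 * argument is itself spelled __cnt, this expands to `size_t __cnt = (__cnt);`:
 * the inner declaration shadows the outer variable and the size is computed
 * from an indeterminate value, which is the bug in the report above. */
#define DST_REQUIRED(len, cnt) \
  ({ size_t __cnt = (cnt); (len) + 1 + __cnt * MAX_SUBST; })

/* Rewrite tokens from src into dst (caller sized dst with DST_REQUIRED);
 * returns the length of the result. */
static size_t dst_substitute(const char *src, char *dst) {
    char *w = dst;
    while (*src) {
        const char *rep = NULL; size_t tok = 0;
        if (!strncmp(src, "$ORIGIN", 7))        { rep = ORIGIN_VAL;   tok = 7; }
        else if (!strncmp(src, "$PLATFORM", 9)) { rep = PLATFORM_VAL; tok = 9; }
        if (rep) { size_t rl = strlen(rep); memcpy(w, rep, rl); w += rl; src += tok; }
        else *w++ = *src++;
    }
    *w = '\0';
    return (size_t)(w - dst);
}

/* Outer macro uses the distinct name __dst_cnt, exactly as the fix does, so the
 * count passed to DST_REQUIRED is the initialised outer variable. Writes into
 * out only when it is large enough; returns the required size, or 0 if not. */
#define EXPAND_DST(str, out, outsz) \
  ({ const char *__str = (str); \
     size_t __dst_cnt = dst_count(__str); \
     size_t __need = DST_REQUIRED(strlen(__str), __dst_cnt); \
     if (__need <= (outsz)) dst_substitute(__str, (out)); else __need = 0; \
     __need; })

/* Plain-function wrapper around the macro for one DT_NEEDED-style string. */
size_t expand_needed(const char *needed, char *buf, size_t bufsz) {
    return EXPAND_DST(needed, buf, bufsz);
}
```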
------- Additional Comment #1 From Ulrich Drepper 2006-06-17 16:52 -------
I made the change.
