This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH][BZ #18240] Handle overflow in __hcreate_r
- From: OndÅej BÃlka <neleai at seznam dot cz>
- To: libc-alpha at sourceware dot org
- Date: Sat, 11 Jul 2015 17:44:10 +0200
- Subject: [PATCH][BZ #18240] Handle overflow in __hcreate_r
- Authentication-results: sourceware.org; auth=none
Hi,
As in bugzilla entry there is overflow in hsearch when looking for prime
number as SIZE_MAX - 1 is divisible by 5. We fix that by rejecting large
inputs before looking for prime.
* misc/hsearch_r.c (__hcreate_r): Handle overflow.
diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
index 9f55e84..559df29 100644
--- a/misc/hsearch_r.c
+++ b/misc/hsearch_r.c
@@ -19,7 +19,7 @@
#include <errno.h>
#include <malloc.h>
#include <string.h>
-
+#include <stdint.h>
#include <search.h>
/* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986
@@ -73,6 +73,13 @@ __hcreate_r (nel, htab)
return 0;
}
+ if (nel >= SIZE_MAX / sizeof (_ENTRY))
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
+
/* There is still another table active. Return with error. */
if (htab->table != NULL)
return 0;