This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.



GNU C Library master sources branch, master, updated. glibc-2.14-129-g90bb203


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  90bb2039e93c6b7e95531cf9a9dfc23bbb50f860 (commit)
      from  5644ef5461b5d3ff266206d8ee70d4b575ea6658 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sources.redhat.com/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=90bb2039e93c6b7e95531cf9a9dfc23bbb50f860

commit 90bb2039e93c6b7e95531cf9a9dfc23bbb50f860
Author: Ulrich Drepper <drepper@gmail.com>
Date:   Wed Jul 20 22:53:58 2011 -0400

    Check for overflows in expressions
    
    Some passed in values might cause overflows in expressions.

diff --git a/ChangeLog b/ChangeLog
index f47300f..a76483a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2011-07-20  Ulrich Drepper  <drepper@gmail.com>
 
+	[BZ #12852]
+	* posix/glob.c (glob): Check passed in values before using them in
+	expressions to avoid some overflows.
+	(glob_in_dir): Likewise.
+
 	[BZ #13007]
 	* sysdeps/x86_64/dl-trampoline.S (_dl_runtime_profile): More complete
 	check for AVX enablement so that we don't crash with old kernels and
diff --git a/NEWS b/NEWS
index 2dd7bea..0be2e91 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.15
 
 * The following bugs are resolved with this release:
 
-  9696, 12868, 12874, 12885, 12907, 12922, 12935, 13007
+  9696, 12868, 12852, 12874, 12885, 12907, 12922, 12935, 13007
 
 * New program pldd to list loaded object of a process
   Implemented by Ulrich Drepper.
diff --git a/posix/glob.c b/posix/glob.c
index 2cd5290..89c8775 100644
--- a/posix/glob.c
+++ b/posix/glob.c
@@ -46,6 +46,12 @@
 
 #include <pwd.h>
 
+#if defined HAVE_STDINT_H || defined _LIBC
+# include <stdint.h>
+#elif !defined UINTPTR_MAX
+# define UINTPTR_MAX (~((size_t) 0))
+#endif
+
 #include <errno.h>
 #ifndef __set_errno
 # define __set_errno(val) errno = (val)
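Review bot: The fallback `# define UINTPTR_MAX (~((size_t) 0))` shows that the limit wanted here is the maximum value of size_t, but the name used is the maximum of uintptr_t, and the C standard does not guarantee that the two types have the same width. The later hunks in glob() and glob_in_dir() compare size_t sums against UINTPTR_MAX, while neighbouring expressions in the same commit write `~((size_t) 0)`, so one bound is spelled two ways. Using `SIZE_MAX` from <stdint.h>, with `# define SIZE_MAX ((size_t) -1)` as the fallback, would state the intent and keep the checks tight on a target where uintptr_t is wider than size_t.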
@@ -436,6 +442,10 @@ glob (pattern, flags, errfunc, pglob)
       else
 	{
 	  size_t i;
+
+	  if (pglob->gl_offs >= ~((size_t) 0) / sizeof (char *))
+	    return GLOB_NOSPACE;
+
 	  pglob->gl_pathv = (char **) malloc ((pglob->gl_offs + 1)
 					      * sizeof (char *));
 	  if (pglob->gl_pathv == NULL)
@@ -954,10 +964,8 @@ glob (pattern, flags, errfunc, pglob)
 	  int newcount = pglob->gl_pathc + pglob->gl_offs;
 	  char **new_gl_pathv;
 
-	  new_gl_pathv
-	    = (char **) realloc (pglob->gl_pathv,
-				 (newcount + 1 + 1) * sizeof (char *));
-	  if (new_gl_pathv == NULL)
+	  if (newcount > UINTPTR_MAX - (1 + 1)
+	      || newcount + 1 + 1 > ~((size_t) 0) / sizeof (char *))
 	    {
 	    nospace:
 	      free (pglob->gl_pathv);
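Review bot: The new guard tests `newcount` only after `int newcount = pglob->gl_pathc + pglob->gl_offs;` has already narrowed the size_t sum to int, so a sum that wraps or loses its high bits can still yield a small non-negative value that passes both clauses. The realloc that follows would then be sized without the gl_offs slots the caller asked for. In addition, `newcount + 1 + 1` is evaluated in int, so it overflows (undefined behaviour) when newcount is close to INT_MAX, before the comparison happens. Declaring `size_t newcount` and rejecting the input first with `if (pglob->gl_offs > ~((size_t) 0) - pglob->gl_pathc) goto nospace;` would close this, provided the uses of newcount outside the hunk accept size_t. The hunk at `@@ -1104` has the same pattern with `newcount + 2` and `nospace2`.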
@@ -965,6 +973,12 @@ glob (pattern, flags, errfunc, pglob)
 	      pglob->gl_pathc = 0;
 	      return GLOB_NOSPACE;
 	    }
+
+	  new_gl_pathv
+	    = (char **) realloc (pglob->gl_pathv,
+				 (newcount + 1 + 1) * sizeof (char *));
+	  if (new_gl_pathv == NULL)
+	    goto nospace;
 	  pglob->gl_pathv = new_gl_pathv;
 
 	  if (flags & GLOB_MARK)
@@ -1104,14 +1118,19 @@ glob (pattern, flags, errfunc, pglob)
 	      int newcount = pglob->gl_pathc + pglob->gl_offs;
 	      char **new_gl_pathv;
 
-	      new_gl_pathv = (char **) realloc (pglob->gl_pathv,
-						(newcount + 2)
-						* sizeof (char *));
-	      if (new_gl_pathv == NULL)
+	      if (newcount > UINTPTR_MAX - 2
+		  || newcount + 2 > ~((size_t) 0) / sizeof (char *))
 		{
+		nospace2:
 		  globfree (&dirs);
 		  return GLOB_NOSPACE;
 		}
+
+	      new_gl_pathv = (char **) realloc (pglob->gl_pathv,
+						(newcount + 2)
+						* sizeof (char *));
+	      if (new_gl_pathv == NULL)
+		goto nospace2;
 	      pglob->gl_pathv = new_gl_pathv;
 
 	      pglob->gl_pathv[newcount] = __strdup (pattern);
@@ -1636,6 +1655,13 @@ glob_in_dir (const char *pattern, const char *directory, int flags,
     {
       result = 0;
 
+      if (pglob->gl_pathc > UINTPTR_MAX - pglob->gl_offs
+	  || pglob->gl_pathc + pglob->gl_offs > UINTPTR_MAX - nfound
+	  || pglob->gl_pathc + pglob->gl_offs + nfound > UINTPTR_MAX - 1
+	  || (pglob->gl_pathc + pglob->gl_offs + nfound + 1
+	      > UINTPTR_MAX / sizeof (char *)))
+	goto memory_error;
+
       char **new_gl_pathv;
       new_gl_pathv
 	= (char **) realloc (pglob->gl_pathv,
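Review bot: The four-clause guard added before the realloc in glob_in_dir has no comment, and it is only sound if every operand is an unsigned value of size_t width. `nfound` is declared outside this hunk, so that cannot be confirmed from the lines shown. A comment such as `/* Check each partial sum before forming it so that no size_t addition wraps; the last clause bounds the byte count passed to realloc. */` would explain why the clauses come in this order. The rest of the function, including the `memory_error` label, lies outside the hunk, so its cleanup of already collected names should be checked there.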

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog    |    5 +++++
 NEWS         |    2 +-
 posix/glob.c |   42 ++++++++++++++++++++++++++++++++++--------
 3 files changed, 40 insertions(+), 9 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

