This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[COMMITTED 2.19] Fix BZ #17269 -- _IO_wstr_overflow integer overflow
- From: Aurelien Jarno <aurelien at aurel32 dot net>
- To: libc-alpha at sourceware dot org
- Cc: Paul Pluzhnikov <ppluzhnikov at google dot com>
- Date: Mon, 19 Oct 2015 11:50:25 +0200
- Subject: [COMMITTED 2.19] Fix BZ #17269 -- _IO_wstr_overflow integer overflow
- Authentication-results: sourceware.org; auth=none
From: Paul Pluzhnikov <ppluzhnikov@google.com>
(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)
Conflicts:
ChangeLog
NEWS
---
ChangeLog | 6 ++++++
NEWS | 2 +-
libio/wstrops.c | 8 +++++++-
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a4f4e0d..8d621b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-02-22 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17269]
+ * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+ (enlarge_userbuf): Likewise.
+
2015-02-26 Andreas Schwab <schwab@suse.de>
[BZ #18032]
diff --git a/NEWS b/NEWS
index c017fa3..9e7316b 100644
--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,7 @@ Version 2.19.1
15946, 16545, 16574, 16623, 16657, 16695, 16743, 16878, 16882, 16885,
16916, 16932, 16943, 16958, 17048, 17069, 17079, 17137, 17153, 17213,
- 17263, 17325, 17555, 18032, 18287.
+ 17263, 17269, 17325, 17555, 18032, 18287.
* A buffer overflow in gethostbyname_r and related functions performing DNS
requests has been fixed. If the NSS functions were called with a
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 399a377..9218d4a 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
size_t old_wblen = _IO_wblen (fp);
_IO_size_t new_size = 2 * old_wblen + 100;
- if (new_size < old_wblen)
+
+ if (__glibc_unlikely (new_size < old_wblen)
+ || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
return EOF;
+
new_buf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
* sizeof (wchar_t));
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
return 1;
_IO_size_t newsize = offset + 100;
+ if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+ return 1;
+
wchar_t *oldbuf = wd->_IO_buf_base;
wchar_t *newbuf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
--
2.1.4