This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



[ping][PATCH 2/2][BZ #14547] Fix CVE-2012-4412


Ping!

On Sun, Jun 30, 2013 at 10:15:00PM +0530, Siddhesh Poyarekar wrote:
> Hi,
> 
> This is the second patch that completes the fix to CVE-2012-4412.  The
> reproducer in pr#14547 should be fixed with this patch.  I did not
> make a test case out of the reproducer since it would be much too
> slow.
> 
> I have also verified that there are no regressions in the testsuite
> due to this fix.
> 
> Siddhesh
> 
> 	[BZ #14547]
> 	* string/strcoll_l.c (STRCOLL): Skip allocating memory for
> 	cache if string sizes may cause integer overflow.
> 
> diff --git a/string/strcoll_l.c b/string/strcoll_l.c
> index 37f802e..ec630fe 100644
> --- a/string/strcoll_l.c
> +++ b/string/strcoll_l.c
> @@ -524,6 +524,14 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
>    memset (&seq1, 0, sizeof (seq1));
>    seq2 = seq1;
>  
> +  size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1);
> +
> +  /* If the strings are long enough to cause overflow in the size request, then
> +     skip the allocation and proceed with the non-cached routines.  */
> +  if (MIN (s1len, s2len) > size_max
> +      || MAX (s1len, s2len) > size_max - MIN (s1len, s2len))
> +    goto begin_collate;
> +
>    if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1)))
>      {
>        seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1));
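Review bot: the size expression `(s1len + s2len) * (sizeof (int32_t) + 1)` that the new guard protects is still written out separately in the `__libc_use_alloca` call and the `malloc` call below it, so the checked quantity and the allocated quantity can drift apart in a later edit; computing it once after the check, e.g. `size_t cache_size = (s1len + s2len) * (sizeof (int32_t) + 1);`, and passing `cache_size` to both calls keeps them visibly the same. The guard itself is exact: the first clause keeps `size_max - MIN (s1len, s2len)` from wrapping, and the two clauses together are equivalent to `s1len + s2len <= size_max`, which is precisely the condition under which the product fits in `size_t`; a short comment noting that the clauses rely on `||` short-circuit order would help the next reader.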
> @@ -546,8 +554,10 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
>        seq2.rulearr = (unsigned char *) alloca (s2len);
>      }
>  
> -  int rule = 0;
> +  int rule;
>  
> + begin_collate:
> +  rule = 0;
>    /* Cache values in the first pass and if needed, use them in subsequent
>       passes.  */
>    for (int pass = 0; pass < nrules; ++pass)
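Review bot: the `begin_collate:` label is reached both by falling through the allocation block and directly from the new `goto`, and on the `goto` path `seq1.idxarr` and `seq2.idxarr` are still the NULL left by the `memset` at the top of the function; this hunk does not show where the per-pass code tests `idxarr` for NULL before touching the cache, so a one-line comment at the label stating that invariant (NULL `idxarr` means the non-cached path) would document what the jump depends on. Splitting `int rule = 0;` into a declaration before the label and `rule = 0;` after it is the right choice, since the jump would otherwise bypass the initializer.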


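As an added example (not code from the glibc patch or from Siddhesh), the overflow guard described in the ChangeLog entry above, isolated so the arithmetic can be exercised on its own: the pre-patch size computation that wraps, the patch's two-clause check, and a reference check built on the GCC/Clang `__builtin_add_overflow` / `__builtin_mul_overflow` builtins (assumed available in the compiler). Function names, the `CACHE_ELEM_SIZE` macro and the probe values are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not part of glibc: the guard from the strcoll_l.c patch
   restated as stand-alone functions.  All names here are this example's own.  */

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* One cached element per character: an int32_t index plus one rule byte,
   the same sizeof (int32_t) + 1 that strcoll_l.c multiplies by.  */
#define CACHE_ELEM_SIZE (sizeof (int32_t) + 1)

/* The pre-patch size computation: wraps silently once the product no longer
   fits in a size_t, so a huge request turns into a tiny allocation.  */
size_t
unchecked_cache_bytes (size_t s1len, size_t s2len)
{
  return (s1len + s2len) * CACHE_ELEM_SIZE;
}

/* The patch's guard: true when the cache cannot be sized without overflow.
   The MIN clause must come first; it keeps size_max - MIN (...) from wrapping.  */
bool
cache_size_overflows (size_t s1len, size_t s2len)
{
  size_t size_max = SIZE_MAX / CACHE_ELEM_SIZE;
  return MIN (s1len, s2len) > size_max
         || MAX (s1len, s2len) > size_max - MIN (s1len, s2len);
}

/* Reference answer via checked arithmetic (GCC/Clang builtins, assumed
   available), used to show the guard is exact rather than merely conservative.  */
bool
cache_size_overflows_exact (size_t s1len, size_t s2len)
{
  size_t sum, bytes;
  return __builtin_add_overflow (s1len, s2len, &sum)
         || __builtin_mul_overflow (sum, CACHE_ELEM_SIZE, &bytes);
}

/* Compare the guard with the exact check over constructed probe lengths around
   the boundary and at the extremes.  Returns the number of disagreements.  */
unsigned
count_guard_mismatches (void)
{
  size_t size_max = SIZE_MAX / CACHE_ELEM_SIZE;
  const size_t probes[] = { 0, 1, 2, size_max - 1, size_max, size_max + 1,
                            SIZE_MAX / 2, SIZE_MAX };
  size_t n = sizeof (probes) / sizeof (probes[0]);
  unsigned mismatches = 0;

  for (size_t i = 0; i < n; i++)
    for (size_t j = 0; j < n; j++)
      if (cache_size_overflows (probes[i], probes[j])
          != cache_size_overflows_exact (probes[i], probes[j]))
        mismatches++;
  return mismatches;
}

int
main (void)
{
  size_t big = SIZE_MAX / CACHE_ELEM_SIZE + 1;  /* one past the largest safe total */

  printf ("unchecked size for %zu chars: %zu bytes (wrapped)\n",
          big, unchecked_cache_bytes (big, 0));
  printf ("guard rejects that length: %s\n",
          cache_size_overflows (big, 0) ? "yes" : "no");
  printf ("guard/exact-check mismatches over probes: %u\n",
          count_guard_mismatches ());
  return 0;
}
```

The two-clause form is not an approximation: `lo <= size_max && hi <= size_max - lo` is the same predicate as `s1len + s2len <= size_max`, and `size_max = SIZE_MAX / (sizeof (int32_t) + 1)` is the largest total for which the multiplication fits, so the guard skips the cache exactly when the allocation would have been undersized.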