This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[ping][PATCH 2/2][BZ #14547] Fix CVE-2012-4412
- From: Siddhesh Poyarekar <siddhesh at redhat dot com>
- To: libc-alpha at sourceware dot org
- Date: Tue, 30 Jul 2013 10:34:04 +0530
- Subject: [ping][PATCH 2/2][BZ #14547] Fix CVE-2012-4412
- References: <20130630164500 dot GF2654 at spoyarek dot pnq dot redhat dot com>
Ping!
On Sun, Jun 30, 2013 at 10:15:00PM +0530, Siddhesh Poyarekar wrote:
> Hi,
>
> This is the second patch that completes the fix to CVE-2012-4412. The
> reproducer in pr#14547 should be fixed with this patch. I did not
> make a test case out of the reproducer since it would be much too
> slow.
>
> I have also verified that there are no regressions in the testsuite
> due to this fix.
>
> Siddhesh
>
> [BZ #14547]
> * string/strcoll_l.c (STRCOLL): Skip allocating memory for
> cache if string sizes may cause integer overflow.
>
> diff --git a/string/strcoll_l.c b/string/strcoll_l.c
> index 37f802e..ec630fe 100644
> --- a/string/strcoll_l.c
> +++ b/string/strcoll_l.c
> @@ -524,6 +524,14 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
> memset (&seq1, 0, sizeof (seq1));
> seq2 = seq1;
>
> + size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1);
> +
> + /* If the strings are long enough to cause overflow in the size request, then
> + skip the allocation and proceed with the non-cached routines. */
> + if (MIN (s1len, s2len) > size_max
> + || MAX (s1len, s2len) > size_max - MIN (s1len, s2len))
> + goto begin_collate;
> +
> if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1)))
> {
> seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1));
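Review bot: the early `goto begin_collate` leaves `seq1.idxarr` and `seq2.idxarr` as the NULL pointers produced by the `memset` a few lines up, so this hunk is only correct if the pass loop already treats a NULL `idxarr` as "no cache"; that dependency is not visible in the hunk and deserves a sentence in the new comment, e.g. "the collation loop falls back to uncached lookups when idxarr is NULL". `SIZE_MAX`, `MIN` and `MAX` are also used without any include being added, so please confirm `<stdint.h>` and `<sys/param.h>` are already pulled in by string/strcoll_l.c. The arithmetic itself is sound: testing `MIN (s1len, s2len) > size_max` first means `size_max - MIN (s1len, s2len)` cannot underflow, and the pair only falls through when `s1len + s2len <= SIZE_MAX / (sizeof (int32_t) + 1)`, which is exactly the condition that keeps the multiplication on the `malloc` line below from wrapping.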
> @@ -546,8 +554,10 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
> seq2.rulearr = (unsigned char *) alloca (s2len);
> }
>
> - int rule = 0;
> + int rule;
>
> + begin_collate:
> + rule = 0;
> /* Cache values in the first pass and if needed, use them in subsequent
> passes. */
> for (int pass = 0; pass < nrules; ++pass)
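Review bot: splitting `int rule = 0;` into a bare declaration plus `rule = 0;` after `begin_collate:` is required rather than cosmetic, because a forward `goto` that jumps past `int rule = 0;` skips the initializer and leaves `rule` indeterminate; add a one-line comment at the label saying so, otherwise a later cleanup is likely to merge the two statements back and silently reintroduce an uninitialized read. The existing comment "Cache values in the first pass and if needed, use them in subsequent passes" is also only half true now, since the path that arrives through the label runs with no cache at all; extend it to mention the uncached case.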
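As an added example (not part of the patch or of glibc), here is the size guard from the first hunk beside the unguarded computation it protects, checked against the compiler's overflow builtins on every pair of boundary values around SIZE_MAX / (sizeof (int32_t) + 1). The function names and the CACHE_ENTRY_BYTES macro are mine, and the oracle assumes GCC or Clang.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* strcoll's cache needs one int32_t index plus one rule byte per
   character of both strings: the same factor the patch divides by.  */
#define CACHE_ENTRY_BYTES (sizeof (int32_t) + 1)

/* Unguarded request as computed before the fix: for large inputs the sum
   or the product wraps and malloc/alloca return far too small a buffer.  */
size_t naive_cache_bytes (size_t s1len, size_t s2len)
{
  return (s1len + s2len) * CACHE_ENTRY_BYTES;
}

/* The guard from the patch.  MIN is tested first so the subtraction in
   the second test can never itself underflow.  */
bool cache_request_fits (size_t s1len, size_t s2len)
{
  size_t size_max = SIZE_MAX / CACHE_ENTRY_BYTES;
  size_t lo = s1len < s2len ? s1len : s2len;
  size_t hi = s1len < s2len ? s2len : s1len;
  return !(lo > size_max || hi > size_max - lo);
}

/* Independent oracle (GCC/Clang checked-arithmetic builtins): true iff
   neither the addition nor the multiplication wraps.  */
bool cache_request_fits_oracle (size_t s1len, size_t s2len)
{
  size_t sum, bytes;
  return !__builtin_add_overflow (s1len, s2len, &sum)
         && !__builtin_mul_overflow (sum, CACHE_ENTRY_BYTES, &bytes);
}

/* Compare guard and oracle on every pair of boundary values around
   SIZE_MAX / CACHE_ENTRY_BYTES; returns the number of disagreements.  */
int guard_mismatches (void)
{
  size_t m = SIZE_MAX / CACHE_ENTRY_BYTES;
  size_t probes[] = { 0, 1, m / 2, m / 2 + 1, m - 1, m, m + 1,
                      SIZE_MAX / 2, SIZE_MAX / 2 + 1, SIZE_MAX };
  size_t n = sizeof probes / sizeof probes[0];
  int mismatches = 0;
  for (size_t i = 0; i < n; i++)
    for (size_t j = 0; j < n; j++)
      if (cache_request_fits (probes[i], probes[j])
          != cache_request_fits_oracle (probes[i], probes[j]))
        mismatches++;
  return mismatches;
}
```

With two strings of SIZE_MAX / 2 + 1 characters each the unguarded request wraps to exactly 0 bytes, which is the case the guard must refuse.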