diff options
Diffstat (limited to 'pkgs/development/libraries/glibc/security-bdf1ff05.patch')
-rw-r--r-- | pkgs/development/libraries/glibc/security-bdf1ff05.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/pkgs/development/libraries/glibc/security-bdf1ff05.patch b/pkgs/development/libraries/glibc/security-bdf1ff05.patch new file mode 100644 index 00000000000..b4175694f91 --- /dev/null +++ b/pkgs/development/libraries/glibc/security-bdf1ff05.patch @@ -0,0 +1,39 @@ +From bdf1ff052a8e23d637f2c838fa5642d78fcedc33 Mon Sep 17 00:00:00 2001 +From: Paul Pluzhnikov <ppluzhnikov@google.com> +Date: Sun, 22 Feb 2015 12:01:47 -0800 +Subject: [PATCH] Fix BZ #17269 -- _IO_wstr_overflow integer overflow + +--- + ChangeLog | 6 ++++++ + NEWS | 6 +++--- + libio/wstrops.c | 8 +++++++- + 3 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/libio/wstrops.c b/libio/wstrops.c +index 43d847d..3993579 100644 +--- a/libio/wstrops.c ++++ b/libio/wstrops.c +@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c) + wchar_t *old_buf = fp->_wide_data->_IO_buf_base; + size_t old_wblen = _IO_wblen (fp); + _IO_size_t new_size = 2 * old_wblen + 100; +- if (new_size < old_wblen) ++ ++ if (__glibc_unlikely (new_size < old_wblen) ++ || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t))) + return EOF; ++ + new_buf + = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size + * sizeof (wchar_t)); +@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading) + return 1; + + _IO_size_t newsize = offset + 100; ++ if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t))) ++ return 1; ++ + wchar_t *oldbuf = wd->_IO_buf_base; + wchar_t *newbuf + = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize + |