From: Szabolcs Nagy
To: glibc-cvs@sourceware.org
Subject: [glibc/arm/morello/main] cheri: fix invalid pointer use after realloc in localealias
X-Git-Refname: refs/heads/arm/morello/main
X-Git-Oldrev: ba60f2ef0c3a20ca3cc68aeb63d7d7f220b81ece
X-Git-Newrev: 9e285f1d642b5ea89710ef1882b89caa9fa2f6e4
Message-Id: <20221026151816.D136D3846421@sourceware.org>
Date: Wed, 26 Oct 2022 15:18:16 +0000 (GMT)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e285f1d642b5ea89710ef1882b89caa9fa2f6e4

commit 9e285f1d642b5ea89710ef1882b89caa9fa2f6e4
Author: Szabolcs Nagy
Date:   Fri Mar 18 06:55:31 2022 +0000

    cheri: fix invalid pointer use after realloc in localealias

    This code updates pointers to a reallocated buffer to point to the
    new buffer. It is not conforming (does arithmetic with freed
    pointers), but it also creates invalid capabilities because the
    provenance is derived from the original freed pointers instead of
    the new buffer. Change the arithmetic so provenance is derived
    from the new buffer. The conformance issue is not fixed.

Diff:
---
 intl/localealias.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/intl/localealias.c b/intl/localealias.c
index b36092363a..0401f35f9d 100644
--- a/intl/localealias.c
+++ b/intl/localealias.c
@@ -340,8 +340,10 @@ read_alias_file (const char *fname, int fname_len) for (i = 0; i < nmap; i++) { - map[i].alias += new_pool - string_space; - map[i].value += new_pool - string_space; + map[i].alias = new_pool + + (map[i].alias - string_space); + map[i].value = new_pool + + (map[i].value - string_space); } }
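Review bot: the new assignments still evaluate `map[i].alias - string_space` and `map[i].value - string_space` after `string_space` has been freed by the realloc, so the loop stays undefined behaviour under ISO C even though every result is now derived from `new_pool` (which is what makes the capabilities valid on CHERI). A conforming form is to record the two differences as integer offsets before the realloc and write `map[i].alias = new_pool + alias_off;` afterwards; if that is deliberately out of scope for this commit, as the message says, a one-line comment above the loop noting the remaining non-conformance would stop a later reader from taking the current form as final. The `+` at the start of the continuation lines follows GNU style, no objection there.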
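As an added illustration (not glibc code), a conforming variant of the fixup the commit describes: offsets are taken as integers before realloc, so the freed pointer is never read and every rebuilt pointer derives from the new buffer. `grow_pool`, `struct entry` and the sample pool contents are constructed here and are not names from intl/localealias.c.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the localealias layout: one string pool and an
   array of alias/value pointers into it.  Names are hypothetical. */
struct entry { char *alias; char *value; };

/* Grow POOL to NEW_SIZE and repoint every entry of MAP[0..NMAP) into the
   reallocated pool.  Offsets are computed as integers *before* realloc,
   so the old pool pointer is never used after free and each new pointer
   is derived from NEW_POOL (on CHERI: carries the new buffer's bounds). */
char *grow_pool (char *pool, size_t new_size, struct entry *map, size_t nmap)
{
  size_t *off = malloc (2 * nmap * sizeof *off);
  if (off == NULL)
    return NULL;
  for (size_t i = 0; i < nmap; i++)
    {
      off[2 * i] = (size_t) (map[i].alias - pool);
      off[2 * i + 1] = (size_t) (map[i].value - pool);
    }
  char *new_pool = realloc (pool, new_size);
  if (new_pool == NULL)
    {
      free (off);
      return NULL;              /* POOL and MAP remain valid and unchanged.  */
    }
  for (size_t i = 0; i < nmap; i++)
    {
      map[i].alias = new_pool + off[2 * i];
      map[i].value = new_pool + off[2 * i + 1];
    }
  free (off);
  return new_pool;
}

/* Self-check with two constructed alias/value pairs; returns 1 on success. */
int grow_pool_selftest (void)
{
  const char data[] = "de_DE\0german\0fr_FR\0french";   /* 26 bytes incl. final NUL */
  char *pool = malloc (sizeof data);
  if (pool == NULL) return 0;
  memcpy (pool, data, sizeof data);
  struct entry map[2] = { { pool, pool + 6 }, { pool + 13, pool + 19 } };
  char *np = grow_pool (pool, 4096, map, 2);
  if (np == NULL) { free (pool); return 0; }
  int ok = strcmp (map[0].alias, "de_DE") == 0 && strcmp (map[0].value, "german") == 0
        && strcmp (map[1].alias, "fr_FR") == 0 && strcmp (map[1].value, "french") == 0
        && map[1].value == np + 19;
  free (np);
  return ok;
}
```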