From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-stable-return-30-listarch-libc-stable=sourceware.org@sourceware.org>
Received: (qmail 41656 invoked by alias); 31 Dec 2015 12:52:04 -0000
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:libc-stable@sourceware.org>
List-Help: <mailto:libc-stable-help@sourceware.org>
List-Subscribe: <mailto:libc-stable-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-stable/>
Sender: libc-stable-owner@sourceware.org
Received: (qmail 41641 invoked by uid 89); 31 Dec 2015 12:52:04 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Checked: by ClamAV 0.99 on sourceware.org
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-0.3 required=5.0 tests=AWL,BAYES_00,KAM_LAZY_DOMAIN_SECURITY,RP_MATCHES_RCVD autolearn=no version=3.3.2 spammy=1899, 2.1.0, 218, picked
X-Spam-Status: No, score=-0.3 required=5.0 tests=AWL,BAYES_00,KAM_LAZY_DOMAIN_SECURITY,RP_MATCHES_RCVD autolearn=no version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org
X-Spam-Level: 
X-HELO: e24smtp05.br.ibm.com
X-IBM-Helo: d24dlp02.br.ibm.com
X-IBM-MailFrom: tuliom@linux.vnet.ibm.com
X-IBM-RcptTo: libc-stable@sourceware.org
From: "Tulio Magno Quites Machado Filho" <tuliom@linux.vnet.ibm.com>
To: libc-stable@sourceware.org
Cc: Paul Pluzhnikov <ppluzhnikov@google.com>
Subject: [COMMITTED 2.18] Fix BZ #17269 -- _IO_wstr_overflow integer overflow
Date: Thu, 01 Jan 2015 00:00:00 -0000
Message-Id: <1451566083-22533-4-git-send-email-tuliom@linux.vnet.ibm.com>
X-Mailer: git-send-email 2.1.0
In-Reply-To: <1451566083-22533-1-git-send-email-tuliom@linux.vnet.ibm.com>
References: <1451566083-22533-1-git-send-email-tuliom@linux.vnet.ibm.com>
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 15123112-0033-0000-0000-000004573E04
X-SW-Source: 2015-12/txt/msg00021.txt.bz2

From: Paul Pluzhnikov <ppluzhnikov@google.com>

(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)

Conflicts:
	NEWS
---
 ChangeLog       | 6 ++++++
 NEWS            | 2 +-
 libio/wstrops.c | 8 +++++++-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 79a59d5..435d189 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-12-30  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #17269]
+	* libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+	(enlarge_userbuf): Likewise.
+
 2015-12-30  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #18032]
diff --git a/NEWS b/NEWS
index 3ae4211..0196d04 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.18.1
 * The following bugs are resolved with this release:
 
   15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916,
-  16943, 16958, 18032, 18928, 19018.
+  16943, 16958, 17269, 18032, 18928, 19018.
 
 * The LD_POINTER_GUARD environment variable can no longer be used to
   disable the pointer guard feature.  It is always enabled.
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 8283930..19193e4 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
 	  size_t old_wblen = _IO_wblen (fp);
 	  _IO_size_t new_size = 2 * old_wblen + 100;
-	  if (new_size < old_wblen)
+
+	  if (__glibc_unlikely (new_size < old_wblen)
+	      || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
 	    return EOF;
+
 	  new_buf
 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
 									* sizeof (wchar_t));
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
     return 1;
 
   _IO_size_t newsize = offset + 100;
+  if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+    return 1;
+
   wchar_t *oldbuf = wd->_IO_buf_base;
   wchar_t *newbuf
     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
-- 
2.1.0