From: "Tulio Magno Quites Machado Filho" <tuliom@linux.vnet.ibm.com>
To: libc-stable@sourceware.org
Cc: Paul Pluzhnikov <ppluzhnikov@google.com>
Subject: [COMMITTED 2.20] Fix BZ #17269 -- _IO_wstr_overflow integer overflow
Date: Fri, 01 Jan 2016 00:00:00 -0000 [thread overview]
Message-ID: <1456427204-1730-3-git-send-email-tuliom@linux.vnet.ibm.com> (raw)
In-Reply-To: <1456427204-1730-1-git-send-email-tuliom@linux.vnet.ibm.com>
From: Paul Pluzhnikov <ppluzhnikov@google.com>
(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)
Conflicts:
NEWS
---
ChangeLog | 6 ++++++
NEWS | 4 ++--
libio/wstrops.c | 8 +++++++-
3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 95c077f..a4917cd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2016-02-25 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17269]
+ * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+ (enlarge_userbuf): Likewise.
+
2016-02-25 Florian Weimer <fweimer@redhat.com>
[BZ #19018]
diff --git a/NEWS b/NEWS
index b0588be..57a7f11 100644
--- a/NEWS
+++ b/NEWS
@@ -9,8 +9,8 @@ Version 2.20.1
* The following bugs are resolved with this release:
- 16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625,
- 17630, 17801, 18694, 18928, 19018.
+ 16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555,
+ 17625, 17630, 17801, 18694, 18928, 19018.
* The LD_POINTER_GUARD environment variable can no longer be used to
disable the pointer guard feature. It is always enabled.
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 399a377..9218d4a 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
size_t old_wblen = _IO_wblen (fp);
_IO_size_t new_size = 2 * old_wblen + 100;
- if (new_size < old_wblen)
+
+ if (__glibc_unlikely (new_size < old_wblen)
+ || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
return EOF;
+
new_buf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
* sizeof (wchar_t));
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
return 1;
_IO_size_t newsize = offset + 100;
+ if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+ return 1;
+
wchar_t *oldbuf = wd->_IO_buf_base;
wchar_t *newbuf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
--
2.1.0
prev parent reply other threads:[~2016-02-25 19:07 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-01 0:00 [COMMITTED 2.20] Always enable pointer guard [BZ #18928] Tulio Magno Quites Machado Filho
2016-01-01 0:00 ` [COMMITTED 2.20] CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665) Tulio Magno Quites Machado Filho
2016-01-01 0:00 ` [COMMITTED 2.20] Harden tls_dtor_list with pointer mangling [BZ #19018] Tulio Magno Quites Machado Filho
2016-01-01 0:00 ` [COMMITTED 2.20] Fix read past end of pattern in fnmatch (bug 18032) Tulio Magno Quites Machado Filho
2016-01-01 0:00 ` Tulio Magno Quites Machado Filho [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1456427204-1730-3-git-send-email-tuliom@linux.vnet.ibm.com \
--to=tuliom@linux.vnet.ibm.com \
--cc=libc-stable@sourceware.org \
--cc=ppluzhnikov@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).