From: Mike Frysinger
To: libc-stable@sourceware.org
Date: Thu, 01 Jan 2015 00:00:00 -0000
Subject: [glibc-2.20] Fix memory handling in strxfrm_l [BZ #16009]
Message-ID: <20150217072749.GB20008@vapier>

I've backported these two commits to the 2.20 branch
-mike

commit f9e0f439b72e0b2fb035be1bc60aaceeed7f6ed0
Author: Leonhard Holz
Date:   Tue Jan 13 11:33:56 2015 +0530

    Fix memory handling in strxfrm_l [BZ #16009]

    [Modified from the original email by Siddhesh Poyarekar]

    This patch solves bug #16009 by implementing an additional path in
    strxfrm that does not depend on caching the weight and rule indices.

    In detail the following changed:

    * The old main loop was factored out of strxfrm_l into the function
    do_xfrm_cached to be able to alternatively use the non-caching version
    do_xfrm.

    * strxfrm_l allocates a fixed size array on the stack. If this is not
    sufficient to store the weight and rule indices, the non-caching path is
    taken. As the cache size is not dependent on the input there can be no
    problems with integer overflows or stack allocations greater than
    __MAX_ALLOCA_CUTOFF. Note that malloc-ing is not possible because the
    definition of strxfrm does not allow an oom error handling.

    * The uncached path determines the weight and rule index for every char
    and for every pass again.

    * Passing all the locale data array by array resulted in very long
    parameter lists, so I introduced a structure that holds them.

    * Checking for zero src string has been moved a bit upwards, it is
    before the locale data initialization now.

    * To verify that the non-caching path works correctly I added a test run
    to localedata/sort-test.sh & localedata/xfrm-test.c where all strings
    are patched up with spaces so that they are too large for the caching
    path.

    (cherry picked from commit 0f9e585480edcdf1e30dc3d79e24b84aeee516fa)

    Conflicts:
        ChangeLog
        NEWS

commit b0694b9e98ee64cb25490de0921ce307f3872749
Author: Roland McGrath
Date:   Thu Sep 11 16:02:17 2014 -0700

    Move findidx nested functions to top-level.

    Needed in order to backport strxfrm_l security fix cleanly.

    (cherry picked from commit 8c0ab919f63dc03a420751172602a52d2bea59a8)

    Conflicts:
        ChangeLog
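
The fixed-size cache with an uncached fallback that the first commit message describes, as an added C sketch (not glibc's code and not part of the original mail). toy_strxfrm, weight_of, emit, CACHE_SLOTS and the two-pass weight scheme are hypothetical stand-ins for the real locale tables.

```c
#include <string.h>
#define CACHE_SLOTS 64   /* assumed size; fixed, never derived from input */
#define PASSES 2

/* Toy stand-in for the collation lookup: one weight per char per pass. */
static unsigned char weight_of(unsigned char c, int pass)
{
    int upper = (c >= 'A' && c <= 'Z');
    if (pass == 0) return upper ? (unsigned char)(c + 32) : c; /* primary */
    return upper ? 1 : 2;                                     /* secondary */
}

/* Store b only if it fits in dst[0..n), but always count it. */
static void emit(char *dst, size_t n, size_t *pos, unsigned char b)
{
    if (*pos < n) dst[*pos] = (char)b;
    ++*pos;
}

static size_t xfrm_cached(char *dst, const char *src, size_t len, size_t n)
{
    unsigned char cache[CACHE_SLOTS][PASSES];  /* constant stack use */
    size_t pos = 0;
    for (size_t i = 0; i < len; i++)           /* look up each char once */
        for (int p = 0; p < PASSES; p++)
            cache[i][p] = weight_of((unsigned char)src[i], p);
    for (int p = 0; p < PASSES; p++)
        for (size_t i = 0; i < len; i++)
            emit(dst, n, &pos, cache[i][p]);
    return pos;
}

static size_t xfrm_uncached(char *dst, const char *src, size_t len, size_t n)
{
    size_t pos = 0;
    for (int p = 0; p < PASSES; p++)           /* recompute on every pass */
        for (size_t i = 0; i < len; i++)
            emit(dst, n, &pos, weight_of((unsigned char)src[i], p));
    return pos;
}

/* Returns the length needed (excluding NUL); no alloca, no malloc. */
size_t toy_strxfrm(char *dst, const char *src, size_t n)
{
    size_t len = strlen(src);
    size_t out = (len <= CACHE_SLOTS) ? xfrm_cached(dst, src, len, n)
                                      : xfrm_uncached(dst, src, len, n);
    if (n) dst[out < n ? out : n - 1] = '\0';
    return out;
}
```

Inputs longer than CACHE_SLOTS never touch the cache, so stack use stays constant however long the source string is, at the cost of repeating the lookup on every pass.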