1 |
vapier 12/01/01 09:42:45 |
2 |
|
3 |
Added: 0080_all_glibc-2.14-tzfile-bz13506.patch |
4 |
Log: |
5 |
fix from upstream for tzfile vulns #393477 |
6 |
|
7 |
Revision Changes Path |
8 |
1.1 src/patchsets/glibc/2.14.1/0080_all_glibc-2.14-tzfile-bz13506.patch |
9 |
|
10 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.14.1/0080_all_glibc-2.14-tzfile-bz13506.patch?rev=1.1&view=markup |
11 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/src/patchsets/glibc/2.14.1/0080_all_glibc-2.14-tzfile-bz13506.patch?rev=1.1&content-type=text/plain |
12 |
|
13 |
Index: 0080_all_glibc-2.14-tzfile-bz13506.patch |
14 |
=================================================================== |
15 |
https://bugs.gentoo.org/393477 |
16 |
http://sourceware.org/bugzilla/show_bug.cgi?id=13506 |
17 |
|
18 |
From 97ac2654b2d831acaa18a2b018b0736245903fd2 Mon Sep 17 00:00:00 2001 |
19 |
From: Ulrich Drepper <drepper@×××××.com> |
20 |
Date: Sat, 17 Dec 2011 20:18:42 -0500 |
21 |
Subject: [PATCH] Check values from TZ file header |
22 |
|
23 |
--- |
24 |
ChangeLog | 5 +++++ |
25 |
NEWS | 2 +- |
26 |
time/tzfile.c | 53 ++++++++++++++++++++++++++++++++++++++++++++--------- |
27 |
3 files changed, 50 insertions(+), 10 deletions(-) |
28 |
|
29 |
2011-12-17 Ulrich Drepper <drepper@×××××.com> |
30 |
|
31 |
[BZ #13506] |
32 |
* time/tzfile.c (__tzfile_read): Check values from file header. |
33 |
|
34 |
diff --git a/time/tzfile.c b/time/tzfile.c |
35 |
index 144e20b..402389c 100644 |
36 |
--- a/time/tzfile.c |
37 |
+++ b/time/tzfile.c |
38 |
@@ -22,6 +22,7 @@ |
39 |
#include <stdio.h> |
40 |
#include <stdio_ext.h> |
41 |
#include <stdlib.h> |
42 |
+#include <stdint.h> |
43 |
#include <string.h> |
44 |
#include <time.h> |
45 |
#include <unistd.h> |
46 |
@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap) |
47 |
goto read_again; |
48 |
} |
49 |
|
50 |
+ if (__builtin_expect (num_transitions |
51 |
+ > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1)) |
52 |
+ / (sizeof (time_t) + 1)), 0)) |
53 |
+ goto lose; |
54 |
total_size = num_transitions * (sizeof (time_t) + 1); |
55 |
total_size = ((total_size + __alignof__ (struct ttinfo) - 1) |
56 |
& ~(__alignof__ (struct ttinfo) - 1)); |
57 |
types_idx = total_size; |
58 |
- total_size += num_types * sizeof (struct ttinfo) + chars; |
59 |
+ if (__builtin_expect (num_types |
60 |
+ > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0)) |
61 |
+ goto lose; |
62 |
+ total_size += num_types * sizeof (struct ttinfo); |
63 |
+ if (__builtin_expect (chars > SIZE_MAX - total_size, 0)) |
64 |
+ goto lose; |
65 |
+ total_size += chars; |
66 |
+ if (__builtin_expect (__alignof__ (struct leap) - 1 |
67 |
+ > SIZE_MAX - total_size, 0)) |
68 |
+ goto lose; |
69 |
total_size = ((total_size + __alignof__ (struct leap) - 1) |
70 |
& ~(__alignof__ (struct leap) - 1)); |
71 |
leaps_idx = total_size; |
72 |
+ if (__builtin_expect (num_leaps |
73 |
+ > (SIZE_MAX - total_size) / sizeof (struct leap), 0)) |
74 |
+ goto lose; |
75 |
total_size += num_leaps * sizeof (struct leap); |
76 |
- tzspec_len = (sizeof (time_t) == 8 && trans_width == 8 |
77 |
- ? st.st_size - (ftello (f) |
78 |
- + num_transitions * (8 + 1) |
79 |
- + num_types * 6 |
80 |
- + chars |
81 |
- + num_leaps * 12 |
82 |
- + num_isstd |
83 |
- + num_isgmt) - 1 : 0); |
84 |
+ tzspec_len = 0; |
85 |
+ if (sizeof (time_t) == 8 && trans_width == 8) |
86 |
+ { |
87 |
+ off_t rem = st.st_size - ftello (f); |
88 |
+ if (__builtin_expect (rem < 0 |
89 |
+ || (size_t) rem < (num_transitions * (8 + 1) |
90 |
+ + num_types * 6 |
91 |
+ + chars), 0)) |
92 |
+ goto lose; |
93 |
+ tzspec_len = (size_t) rem - (num_transitions * (8 + 1) |
94 |
+ + num_types * 6 |
95 |
+ + chars); |
96 |
+ if (__builtin_expect (num_leaps > SIZE_MAX / 12 |
97 |
+ || tzspec_len < num_leaps * 12, 0)) |
98 |
+ goto lose; |
99 |
+ tzspec_len -= num_leaps * 12; |
100 |
+ if (__builtin_expect (tzspec_len < num_isstd, 0)) |
101 |
+ goto lose; |
102 |
+ tzspec_len -= num_isstd; |
103 |
+ if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0)) |
104 |
+ goto lose; |
105 |
+ tzspec_len -= num_isgmt + 1; |
106 |
+ if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0)) |
107 |
+ goto lose; |
108 |
+ } |
109 |
+ if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0)) |
110 |
+ goto lose; |
111 |
|
112 |
/* Allocate enough memory including the extra block requested by the |
113 |
caller. */ |
114 |
-- |
115 |
1.7.6.1 |