ports/core
4
3
Fork 0
Code Issues Pull Requests Activity

glibc: cleaned up obsolete patches

Browse Source
This commit is contained in:
Fredrik Rinnestam 2014-02-15 23:39:27 +01:00
parent 4112d95a81
commit 65ca291e6b
6 changed files with 0 additions and 713 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
glibc/glibc-2.16.0-multilib-dirs.patch
View File

@ -1,38 +0,0 @@
diff -urN glibc-2.16.0.orig/sysdeps/gnu/configure glibc-2.16.0/sysdeps/gnu/configure
--- glibc-2.16.0.orig/sysdeps/gnu/configure 2012-06-30 14:12:34.000000000 -0500
+++ glibc-2.16.0/sysdeps/gnu/configure 2012-07-02 08:19:20.330001028 -0500
@@ -14,9 +14,9 @@
test -n "$libc_cv_slibdir" || \
case $machine in
sparc/sparc64 | x86_64* | powerpc/powerpc64 | s390/s390-64)
- libc_cv_slibdir=/lib64
+ libc_cv_slibdir=/lib
if test "$libdir" = '${exec_prefix}/lib'; then
- libdir='${exec_prefix}/lib64';
+ libdir='${exec_prefix}/lib';
# Locale data can be shared between 32bit and 64bit libraries
libc_cv_localedir='${exec_prefix}/lib/locale'
fi
diff -urN glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldconfig.h glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldconfig.h
--- glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldconfig.h 2012-06-30 14:12:34.000000000 -0500
+++ glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldconfig.h 2012-07-02 08:19:45.560001124 -0500
@@ -18,9 +18,9 @@
#include <sysdeps/generic/ldconfig.h>
#define SYSDEP_KNOWN_INTERPRETER_NAMES \
- { "/lib/ld-linux.so.2", FLAG_ELF_LIBC6 }, \
+ { "/lib32/ld-linux.so.2", FLAG_ELF_LIBC6 }, \
{ "/libx32/ld-linux-x32.so.2", FLAG_ELF_LIBC6 }, \
- { "/lib64/ld-linux-x86-64.so.2", FLAG_ELF_LIBC6 },
+ { "/lib/ld-linux-x86-64.so.2", FLAG_ELF_LIBC6 },
#define SYSDEP_KNOWN_LIBRARY_NAMES \
{ "libc.so.6", FLAG_ELF_LIBC6 }, \
{ "libm.so.6", FLAG_ELF_LIBC6 },
diff -urN glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed
--- glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed 2012-06-30 14:12:34.000000000 -0500
+++ glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed 2012-07-02 08:20:20.240001247 -0500
@@ -1,3 +1,3 @@
/LD_TRACE_LOADED_OBJECTS=1/a\
add_env="$add_env LD_LIBRARY_VERSION=\\$verify_out"
-s_^\(RTLDLIST=\)\(.*lib\)\(\|64\|x32\)\(/[^/]*\)\(-x86-64\|-x32\)\(\.so\.[0-9.]*\)[ ]*$_\1"\2\4\6 \264\4-x86-64\6 \2x32\4-x32\6"_
+s_^\(RTLDLIST=\)\(.*lib\)\(\|64\|x32\)\(/[^/]*\)\(-x86-64\|-x32\)\(\.so\.[0-9.]*\)[ ]*$_\1"\232\4\6 \2\4-x86-64\6 \2x32\4-x32\6"_

64
glibc/glibc-CVE-2013-4332.patch
View File

@ -1,64 +0,0 @@
From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Wed, 11 Sep 2013
Subject: CVE-2013-4332
malloc: Check for integer overflow in pvalloc, valloc, and memalign.
A large bytes parameter to pvalloc, valloc, or memalign could cause
an integer overflow and corrupt allocator internals. Check the
overflow does not occur before continuing with the allocation.
Note: This is a backport to glibc 2.17 of the following three commits:
* https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a
* https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef
* https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d
---
malloc.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t
/* Otherwise, ensure that it is at least a minimum chunk size */
if (alignment < MINSIZE) alignment = MINSIZE;
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
arena_get(ar_ptr, bytes + alignment + MINSIZE);
if(!ar_ptr)
return 0;
@@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes)
size_t pagesz = GLRO(dl_pagesize);
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - pagesz - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
__malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
const __malloc_ptr_t)) =
force_reg (__memalign_hook);
@@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes)
size_t page_mask = GLRO(dl_pagesize) - 1;
size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
__malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
const __malloc_ptr_t)) =
force_reg (__memalign_hook);

72
glibc/glibc-regexp_buffer_overrun.patch
View File

@ -1,72 +0,0 @@
# http://sourceware.org/bugzilla/show_bug.cgi?id=15078
# CVE-2013-0242
# ChangeLog, NEWS and new test removed to apply clean
commit a445af0bc722d620afed7683cd320c0e4c7c6059
Author: Andreas Schwab <schwab@suse.de>
Date: Tue Jan 29 14:45:15 2013 +0100
Fix buffer overrun in regexp matcher
diff --git a/posix/regexec.c b/posix/regexec.c
index 7f2de85..5ca2bf6 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -197,7 +197,7 @@ static int group_nodes_into_DFAstates (const re_dfa_t *dfa,
static int check_node_accept (const re_match_context_t *mctx,
const re_token_t *node, int idx)
internal_function;
-static reg_errcode_t extend_buffers (re_match_context_t *mctx)
+static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len)
internal_function;
/* Entry point for POSIX code. */
@@ -1160,7 +1160,7 @@ check_matching (re_match_context_t *mctx, int fl_longest_match,
|| (BE (next_char_idx >= mctx->input.valid_len, 0)
&& mctx->input.valid_len < mctx->input.len))
{
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, next_char_idx + 1);
if (BE (err != REG_NOERROR, 0))
{
assert (err == REG_ESPACE);
@@ -1738,7 +1738,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, int next_state_log_idx)
&& mctx->input.valid_len < mctx->input.len))
{
reg_errcode_t err;
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, next_state_log_idx + 1);
if (BE (err != REG_NOERROR, 0))
return err;
}
@@ -2792,7 +2792,7 @@ get_subexp (re_match_context_t *mctx, int bkref_node, int bkref_str_idx)
if (bkref_str_off >= mctx->input.len)
break;
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, bkref_str_off + 1);
if (BE (err != REG_NOERROR, 0))
return err;
@@ -4102,7 +4102,7 @@ check_node_accept (const re_match_context_t *mctx, const re_token_t *node,
static reg_errcode_t
internal_function __attribute_warn_unused_result__
-extend_buffers (re_match_context_t *mctx)
+extend_buffers (re_match_context_t *mctx, int min_len)
{
reg_errcode_t ret;
re_string_t *pstr = &mctx->input;
@@ -4111,8 +4111,10 @@ extend_buffers (re_match_context_t *mctx)
if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
return REG_ESPACE;
- /* Double the lengthes of the buffers. */
- ret = re_string_realloc_buffers (pstr, MIN (pstr->len, pstr->bufs_len * 2));
+ /* Double the lengthes of the buffers, but allocate at least MIN_LEN. */
+ ret = re_string_realloc_buffers (pstr,
+ MAX (min_len,
+ MIN (pstr->len, pstr->bufs_len * 2)));
if (BE (ret != REG_NOERROR, 0))
return ret;

61
glibc/glibc-resolv_assert.patch
View File

@ -1,61 +0,0 @@
# http://sourceware.org/bugzilla/show_bug.cgi?id=13013
2011-07-21 Aurelien Jarno <aurel32@debian.org>
* resolv/res_query.c(__libc_res_nquery): Assign hp and hp2
depending n and resplen2 to catch cases where answer
equals answerp2.
diff --git a/resolv/res_query.c b/resolv/res_query.c
index 2f7cfaa..405fa68 100644
--- a/resolv/res_query.c
+++ b/resolv/res_query.c
@@ -122,6 +122,7 @@ __libc_res_nquery(res_state statp,
int *resplen2)
{
HEADER *hp = (HEADER *) answer;
+ HEADER *hp2;
int n, use_malloc = 0;
u_int oflags = statp->_flags;
@@ -239,26 +240,25 @@ __libc_res_nquery(res_state statp,
/* __libc_res_nsend might have reallocated the buffer. */
hp = (HEADER *) *answerp;
- /* We simplify the following tests by assigning HP to HP2. It
- is easy to verify that this is the same as ignoring all
- tests of HP2. */
- HEADER *hp2 = answerp2 ? (HEADER *) *answerp2 : hp;
-
- if (n < (int) sizeof (HEADER) && answerp2 != NULL
- && *resplen2 > (int) sizeof (HEADER))
+ /* We simplify the following tests by assigning HP to HP2 or
+ vice versa. It is easy to verify that this is the same as
+ ignoring all tests of HP or HP2. */
+ if (answerp2 == NULL || *resplen2 < (int) sizeof (HEADER))
{
- /* Special case of partial answer. */
- assert (hp != hp2);
- hp = hp2;
+ hp2 = hp;
}
- else if (answerp2 != NULL && *resplen2 < (int) sizeof (HEADER)
- && n > (int) sizeof (HEADER))
+ else
{
- /* Special case of partial answer. */
- assert (hp != hp2);
- hp2 = hp;
+ hp2 = (HEADER *) *answerp2;
+ if (n < (int) sizeof (HEADER))
+ {
+ hp = hp2;
+ }
}
+ /* Make sure both hp and hp2 are defined */
+ assert((hp != NULL) && (hp2 != NULL));
+
if ((hp->rcode != NOERROR || ntohs(hp->ancount) == 0)
&& (hp2->rcode != NOERROR || ntohs(hp2->ancount) == 0)) {
#ifdef DEBUG

79
glibc/glibc-segfault_in_strncasecmp.patch
View File

@ -1,79 +0,0 @@
commit 6db8f73723e64a4f486ca679e05dbf15a1437bfd
Author: Liubov Dmitrieva <liubov.dmitrieva@gmail.com>
Date: Wed Aug 15 21:06:55 2012 +0200
Fix segmentation fault in strncasecmp for i686
2012-08-15 Liubov Dmitrieva <liubov.dmitrieva@gmail.com>
[BZ #14195]
* sysdeps/i386/i686/multiarch/strcmp-sssse3.S: Fix
segmentation fault for a case of two empty input strings.
* string/test-strncasecmp.c (check1): Renamed to...
(bz12205): ...this.
(bz14195): Add new testcase for two empty input strings and N > 0.
(test_main): Call new testcase, adapt for renamed function.
(cherry picked from commit b3f479a85a3e191befbe821d787d7f71c0f64e79)
diff --git a/string/test-strncasecmp.c b/string/test-strncasecmp.c
index 6c17530..acfe668 100644
--- a/string/test-strncasecmp.c
+++ b/string/test-strncasecmp.c
@@ -1,5 +1,5 @@
/* Test and measure strncasecmp functions.
- Copyright (C) 1999, 2002, 2003, 2005, 2010 Free Software Foundation, Inc.
+ Copyright (C) 1999-2012 Free Software Foundation, Inc.
This file is part of the GNU C Library.
Written by Jakub Jelinek <jakub@redhat.com>, 1999.
@@ -251,9 +251,9 @@ do_random_tests (void)
}
}
-
+/* Regression test for BZ #12205 */
static void
-check1 (void)
+bz12205 (void)
{
static char cp [4096+16] __attribute__ ((aligned(4096)));
static char gotrel[4096] __attribute__ ((aligned(4096)));
@@ -270,6 +270,15 @@ check1 (void)
check_result (impl, s1, s2, n, exp_result);
}
+/* Regression test for BZ #14195 */
+static void
+bz14195 (void)
+{
+ const char *empty_string = "";
+ FOR_EACH_IMPL (impl, 0)
+ check_result (impl, empty_string, "", 5, 0);
+}
+
int
test_main (void)
{
@@ -277,7 +286,8 @@ test_main (void)
test_init ();
- check1 ();
+ bz12205 ();
+ bz14195 ();
printf ("%23s", "");
FOR_EACH_IMPL (impl, 0)
diff --git a/sysdeps/i386/i686/multiarch/strcmp-ssse3.S b/sysdeps/i386/i686/multiarch/strcmp-ssse3.S
index 5e6321e..9735ad0 100644
--- a/sysdeps/i386/i686/multiarch/strcmp-ssse3.S
+++ b/sysdeps/i386/i686/multiarch/strcmp-ssse3.S
@@ -2445,7 +2445,7 @@ L(less16bytes_sncmp):
# endif
jne L(neq_sncmp)
test %cl, %cl
- je L(eq)
+ je L(eq_sncmp)
cmp $1, REM
je L(eq_sncmp)

399
glibc/glibc-strtod_integer_overflow.patch
View File

@ -1,399 +0,0 @@
commit da1f431963218999c49cae928309dfec426c575c
Author: Joseph Myers <joseph@codesourcery.com>
Date: Mon Aug 27 15:59:24 2012 +0000
Fix strtod integer/buffer overflow (bug 14459).
(cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4)
Conflicts:
ChangeLog
NEWS
stdlib/Makefile
diff --git a/stdlib/Makefile b/stdlib/Makefile
index f7811c5..79c9acb 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -68,7 +68,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \
tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \
tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2 \
tst-makecontext2 tst-strtod6 tst-unsetenv1 \
- tst-makecontext3 bug-getcontext bug-fmtmsg1
+ tst-makecontext3 bug-getcontext bug-fmtmsg1 \
+ tst-strtod-overflow
include ../Makeconfig
diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c
index 2166a08..a8a7ea8 100644
--- a/stdlib/strtod_l.c
+++ b/stdlib/strtod_l.c
@@ -60,6 +60,7 @@ extern unsigned long long int ____strtoull_l_internal (const char *, char **,
#include <math.h>
#include <stdlib.h>
#include <string.h>
+#include <stdint.h>
/* The gmp headers need some configuration frobs. */
#define HAVE_ALLOCA 1
@@ -72,7 +73,6 @@ extern unsigned long long int ____strtoull_l_internal (const char *, char **,
#include "longlong.h"
#include "fpioconst.h"
-#define NDEBUG 1
#include <assert.h>
@@ -174,19 +174,19 @@ extern const mp_limb_t _tens_in_limb[MAX_DIG_PER_LIMB + 1];
/* Return a floating point number of the needed type according to the given
multi-precision number after possible rounding. */
static FLOAT
-round_and_return (mp_limb_t *retval, int exponent, int negative,
+round_and_return (mp_limb_t *retval, intmax_t exponent, int negative,
mp_limb_t round_limb, mp_size_t round_bit, int more_bits)
{
if (exponent < MIN_EXP - 1)
{
- mp_size_t shift = MIN_EXP - 1 - exponent;
-
- if (shift > MANT_DIG)
+ if (exponent < MIN_EXP - 1 - MANT_DIG)
{
__set_errno (ERANGE);
return 0.0;
}
+ mp_size_t shift = MIN_EXP - 1 - exponent;
+
more_bits |= (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0;
if (shift == MANT_DIG)
/* This is a special case to handle the very seldom case where
@@ -233,6 +233,9 @@ round_and_return (mp_limb_t *retval, int exponent, int negative,
__set_errno (ERANGE);
}
+ if (exponent > MAX_EXP)
+ goto overflow;
+
if ((round_limb & (((mp_limb_t) 1) << round_bit)) != 0
&& (more_bits || (retval[0] & 1) != 0
|| (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0))
@@ -258,6 +261,7 @@ round_and_return (mp_limb_t *retval, int exponent, int negative,
}
if (exponent > MAX_EXP)
+ overflow:
return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL;
return MPN2FLOAT (retval, exponent, negative);
@@ -271,7 +275,7 @@ round_and_return (mp_limb_t *retval, int exponent, int negative,
factor for the resulting number (see code) multiply by it. */
static const STRING_TYPE *
str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
- int *exponent
+ intmax_t *exponent
#ifndef USE_WIDE_CHAR
, const char *decimal, size_t decimal_len, const char *thousands
#endif
@@ -301,6 +305,7 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
cy += __mpn_add_1 (n, n, *nsize, low);
if (cy != 0)
{
+ assert (*nsize < MPNSIZE);
n[*nsize] = cy;
++(*nsize);
}
@@ -335,7 +340,7 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
}
while (--digcnt > 0);
- if (*exponent > 0 && cnt + *exponent <= MAX_DIG_PER_LIMB)
+ if (*exponent > 0 && *exponent <= MAX_DIG_PER_LIMB - cnt)
{
low *= _tens_in_limb[*exponent];
start = _tens_in_limb[cnt + *exponent];
@@ -355,7 +360,10 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
cy = __mpn_mul_1 (n, n, *nsize, start);
cy += __mpn_add_1 (n, n, *nsize, low);
if (cy != 0)
- n[(*nsize)++] = cy;
+ {
+ assert (*nsize < MPNSIZE);
+ n[(*nsize)++] = cy;
+ }
}
return str;
@@ -413,7 +421,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
{
int negative; /* The sign of the number. */
MPN_VAR (num); /* MP representation of the number. */
- int exponent; /* Exponent of the number. */
+ intmax_t exponent; /* Exponent of the number. */
/* Numbers starting `0X' or `0x' have to be processed with base 16. */
int base = 10;
@@ -435,7 +443,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
/* Points at the character following the integer and fractional digits. */
const STRING_TYPE *expp;
/* Total number of digit and number of digits in integer part. */
- int dig_no, int_no, lead_zero;
+ size_t dig_no, int_no, lead_zero;
/* Contains the last character read. */
CHAR_TYPE c;
@@ -767,7 +775,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
are all or any is really a fractional digit will be decided
later. */
int_no = dig_no;
- lead_zero = int_no == 0 ? -1 : 0;
+ lead_zero = int_no == 0 ? (size_t) -1 : 0;
/* Read the fractional digits. A special case are the 'american
style' numbers like `16.' i.e. with decimal point but without
@@ -789,12 +797,13 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
(base == 16 && ({ CHAR_TYPE lo = TOLOWER (c);
lo >= L_('a') && lo <= L_('f'); })))
{
- if (c != L_('0') && lead_zero == -1)
+ if (c != L_('0') && lead_zero == (size_t) -1)
lead_zero = dig_no - int_no;
++dig_no;
c = *++cp;
}
}
+ assert (dig_no <= (uintmax_t) INTMAX_MAX);
/* Remember start of exponent (if any). */
expp = cp;
@@ -817,24 +826,80 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
if (c >= L_('0') && c <= L_('9'))
{
- int exp_limit;
+ intmax_t exp_limit;
/* Get the exponent limit. */
if (base == 16)
- exp_limit = (exp_negative ?
- -MIN_EXP + MANT_DIG + 4 * int_no :
- MAX_EXP - 4 * int_no + 4 * lead_zero + 3);
+ {
+ if (exp_negative)
+ {
+ assert (int_no <= (uintmax_t) (INTMAX_MAX
+ + MIN_EXP - MANT_DIG) / 4);
+ exp_limit = -MIN_EXP + MANT_DIG + 4 * (intmax_t) int_no;
+ }
+ else
+ {
+ if (int_no)
+ {
+ assert (lead_zero == 0
+ && int_no <= (uintmax_t) INTMAX_MAX / 4);
+ exp_limit = MAX_EXP - 4 * (intmax_t) int_no + 3;
+ }
+ else if (lead_zero == (size_t) -1)
+ {
+ /* The number is zero and this limit is
+ arbitrary. */
+ exp_limit = MAX_EXP + 3;
+ }
+ else
+ {
+ assert (lead_zero
+ <= (uintmax_t) (INTMAX_MAX - MAX_EXP - 3) / 4);
+ exp_limit = (MAX_EXP
+ + 4 * (intmax_t) lead_zero
+ + 3);
+ }
+ }
+ }
else
- exp_limit = (exp_negative ?
- -MIN_10_EXP + MANT_DIG + int_no :
- MAX_10_EXP - int_no + lead_zero + 1);
+ {
+ if (exp_negative)
+ {
+ assert (int_no
+ <= (uintmax_t) (INTMAX_MAX + MIN_10_EXP - MANT_DIG));
+ exp_limit = -MIN_10_EXP + MANT_DIG + (intmax_t) int_no;
+ }
+ else
+ {
+ if (int_no)
+ {
+ assert (lead_zero == 0
+ && int_no <= (uintmax_t) INTMAX_MAX);
+ exp_limit = MAX_10_EXP - (intmax_t) int_no + 1;
+ }
+ else if (lead_zero == (size_t) -1)
+ {
+ /* The number is zero and this limit is
+ arbitrary. */
+ exp_limit = MAX_10_EXP + 1;
+ }
+ else
+ {
+ assert (lead_zero
+ <= (uintmax_t) (INTMAX_MAX - MAX_10_EXP - 1));
+ exp_limit = MAX_10_EXP + (intmax_t) lead_zero + 1;
+ }
+ }
+ }
+
+ if (exp_limit < 0)
+ exp_limit = 0;
do
{
- exponent *= 10;
- exponent += c - L_('0');
-
- if (__builtin_expect (exponent > exp_limit, 0))
+ if (__builtin_expect ((exponent > exp_limit / 10
+ || (exponent == exp_limit / 10
+ && c - L_('0') > exp_limit % 10)), 0))
/* The exponent is too large/small to represent a valid
number. */
{
@@ -843,7 +908,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
/* We have to take care for special situation: a joker
might have written "0.0e100000" which is in fact
zero. */
- if (lead_zero == -1)
+ if (lead_zero == (size_t) -1)
result = negative ? -0.0 : 0.0;
else
{
@@ -862,6 +927,9 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
/* NOTREACHED */
}
+ exponent *= 10;
+ exponent += c - L_('0');
+
c = *++cp;
}
while (c >= L_('0') && c <= L_('9'));
@@ -930,7 +998,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
}
#endif
startp += lead_zero + decimal_len;
- exponent -= base == 16 ? 4 * lead_zero : lead_zero;
+ assert (lead_zero <= (base == 16
+ ? (uintmax_t) INTMAX_MAX / 4
+ : (uintmax_t) INTMAX_MAX));
+ assert (lead_zero <= (base == 16
+ ? ((uintmax_t) exponent
+ - (uintmax_t) INTMAX_MIN) / 4
+ : ((uintmax_t) exponent - (uintmax_t) INTMAX_MIN)));
+ exponent -= base == 16 ? 4 * (intmax_t) lead_zero : (intmax_t) lead_zero;
dig_no -= lead_zero;
}
@@ -972,7 +1047,10 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
}
/* Adjust the exponent for the bits we are shifting in. */
- exponent += bits - 1 + (int_no - 1) * 4;
+ assert (int_no <= (uintmax_t) (exponent < 0
+ ? (INTMAX_MAX - bits + 1) / 4
+ : (INTMAX_MAX - exponent - bits + 1) / 4));
+ exponent += bits - 1 + ((intmax_t) int_no - 1) * 4;
while (--dig_no > 0 && idx >= 0)
{
@@ -1024,13 +1102,15 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
really integer digits or belong to the fractional part; i.e. we normalize
123e-2 to 1.23. */
{
- register int incr = (exponent < 0 ? MAX (-int_no, exponent)
- : MIN (dig_no - int_no, exponent));
+ register intmax_t incr = (exponent < 0
+ ? MAX (-(intmax_t) int_no, exponent)
+ : MIN ((intmax_t) dig_no - (intmax_t) int_no,
+ exponent));
int_no += incr;
exponent -= incr;
}
- if (__builtin_expect (int_no + exponent > MAX_10_EXP + 1, 0))
+ if (__builtin_expect (exponent > MAX_10_EXP + 1 - (intmax_t) int_no, 0))
{
__set_errno (ERANGE);
return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL;
@@ -1215,7 +1295,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
digits we should have enough bits for the result. The remaining
decimal digits give us the information that more bits are following.
This can be used while rounding. (Two added as a safety margin.) */
- if (dig_no - int_no > (MANT_DIG - bits + 2) / 3 + 2)
+ if ((intmax_t) dig_no > (intmax_t) int_no + (MANT_DIG - bits + 2) / 3 + 2)
{
dig_no = int_no + (MANT_DIG - bits + 2) / 3 + 2;
more_bits = 1;
@@ -1223,7 +1303,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
else
more_bits = 0;
- neg_exp = dig_no - int_no - exponent;
+ neg_exp = (intmax_t) dig_no - (intmax_t) int_no - exponent;
/* Construct the denominator. */
densize = 0;
diff --git a/stdlib/tst-strtod-overflow.c b/stdlib/tst-strtod-overflow.c
new file mode 100644
index 0000000..668d55b
--- /dev/null
+++ b/stdlib/tst-strtod-overflow.c
@@ -0,0 +1,48 @@
+/* Test for integer/buffer overflow in strtod.
+ Copyright (C) 2012 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define EXPONENT "e-2147483649"
+#define SIZE 214748364
+
+static int
+do_test (void)
+{
+ char *p = malloc (1 + SIZE + sizeof (EXPONENT));
+ if (p == NULL)
+ {
+ puts ("malloc failed, cannot test for overflow");
+ return 0;
+ }
+ p[0] = '1';
+ memset (p + 1, '0', SIZE);
+ memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
+ double d = strtod (p, NULL);
+ if (d != 0)
+ {
+ printf ("strtod returned wrong value: %a\n", d);
+ return 1;
+ }
+ return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"