diff --git a/glibc/glibc-2.16.0-multilib-dirs.patch b/glibc/glibc-2.16.0-multilib-dirs.patch
deleted file mode 100644
index f0f1fbb1..00000000
--- a/glibc/glibc-2.16.0-multilib-dirs.patch
+++ /dev/null
@@ -1,38 +0,0 @@ -diff -urN glibc-2.16.0.orig/sysdeps/gnu/configure glibc-2.16.0/sysdeps/gnu/configure ---- glibc-2.16.0.orig/sysdeps/gnu/configure 2012-06-30 14:12:34.000000000 -0500 -+++ glibc-2.16.0/sysdeps/gnu/configure 2012-07-02 08:19:20.330001028 -0500 -@@ -14,9 +14,9 @@ - test -n "$libc_cv_slibdir" || \ - case $machine in - sparc/sparc64 | x86_64* | powerpc/powerpc64 | s390/s390-64) -- libc_cv_slibdir=/lib64 -+ libc_cv_slibdir=/lib - if test "$libdir" = '${exec_prefix}/lib'; then -- libdir='${exec_prefix}/lib64'; -+ libdir='${exec_prefix}/lib'; - # Locale data can be shared between 32bit and 64bit libraries - libc_cv_localedir='${exec_prefix}/lib/locale' - fi -diff -urN glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldconfig.h glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldconfig.h ---- glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldconfig.h 2012-06-30 14:12:34.000000000 -0500 -+++ glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldconfig.h 2012-07-02 08:19:45.560001124 -0500 -@@ -18,9 +18,9 @@ - #include - - #define SYSDEP_KNOWN_INTERPRETER_NAMES \ -- { "/lib/ld-linux.so.2", FLAG_ELF_LIBC6 }, \ -+ { "/lib32/ld-linux.so.2", FLAG_ELF_LIBC6 }, \ - { "/libx32/ld-linux-x32.so.2", FLAG_ELF_LIBC6 }, \ -- { "/lib64/ld-linux-x86-64.so.2", FLAG_ELF_LIBC6 }, -+ { "/lib/ld-linux-x86-64.so.2", FLAG_ELF_LIBC6 }, - #define SYSDEP_KNOWN_LIBRARY_NAMES \ - { "libc.so.6", FLAG_ELF_LIBC6 }, \ - { "libm.so.6", FLAG_ELF_LIBC6 }, -diff -urN glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed ---- glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed 2012-06-30 14:12:34.000000000 -0500 -+++ glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed 2012-07-02 08:20:20.240001247 -0500 -@@ -1,3 +1,3 @@ - /LD_TRACE_LOADED_OBJECTS=1/a\ - add_env="$add_env LD_LIBRARY_VERSION=\\$verify_out" --s_^\(RTLDLIST=\)\(.*lib\)\(\|64\|x32\)\(/[^/]*\)\(-x86-64\|-x32\)\(\.so\.[0-9.]*\)[ ]*$_\1"\2\4\6 
\264\4-x86-64\6 \2x32\4-x32\6"_ -+s_^\(RTLDLIST=\)\(.*lib\)\(\|64\|x32\)\(/[^/]*\)\(-x86-64\|-x32\)\(\.so\.[0-9.]*\)[ ]*$_\1"\232\4\6 \2\4-x86-64\6 \2x32\4-x32\6"_ diff --git a/glibc/glibc-CVE-2013-4332.patch b/glibc/glibc-CVE-2013-4332.patch deleted file mode 100644 index 9f7f5886..00000000 --- a/glibc/glibc-CVE-2013-4332.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001 -From: mancha -Date: Wed, 11 Sep 2013 -Subject: CVE-2013-4332 - -malloc: Check for integer overflow in pvalloc, valloc, and memalign. - -A large bytes parameter to pvalloc, valloc, or memalign could cause -an integer overflow and corrupt allocator internals. Check the -overflow does not occur before continuing with the allocation. - -Note: This is a backport to glibc 2.17 of the following three commits: - * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a - * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef - * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d ---- - -malloc.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - ---- a/malloc/malloc.c -+++ b/malloc/malloc.c -@@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t - /* Otherwise, ensure that it is at least a minimum chunk size */ - if (alignment < MINSIZE) alignment = MINSIZE; - -+ /* Check for overflow. */ -+ if (bytes > SIZE_MAX - alignment - MINSIZE) -+ { -+ __set_errno (ENOMEM); -+ return 0; -+ } -+ - arena_get(ar_ptr, bytes + alignment + MINSIZE); - if(!ar_ptr) - return 0; -@@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes) - - size_t pagesz = GLRO(dl_pagesize); - -+ /* Check for overflow. */ -+ if (bytes > SIZE_MAX - pagesz - MINSIZE) -+ { -+ __set_errno (ENOMEM); -+ return 0; -+ } -+ - __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, - const __malloc_ptr_t)) = - force_reg (__memalign_hook); -@@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes) - size_t page_mask = GLRO(dl_pagesize) - 1; - size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); - -+ /* Check for overflow. */ -+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) -+ { -+ __set_errno (ENOMEM); -+ return 0; -+ } -+ - __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, - const __malloc_ptr_t)) = - force_reg (__memalign_hook); 
diff --git a/glibc/glibc-regexp_buffer_overrun.patch b/glibc/glibc-regexp_buffer_overrun.patch
deleted file mode 100644
index a7869613..00000000
--- a/glibc/glibc-regexp_buffer_overrun.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -# http://sourceware.org/bugzilla/show_bug.cgi?id=15078 -# CVE-2013-0242 -# ChangeLog, NEWS and new test removed to apply clean - -commit a445af0bc722d620afed7683cd320c0e4c7c6059 -Author: Andreas Schwab -Date: Tue Jan 29 14:45:15 2013 +0100 - - Fix buffer overrun in regexp matcher - -diff --git a/posix/regexec.c b/posix/regexec.c -index 7f2de85..5ca2bf6 100644 ---- a/posix/regexec.c -+++ b/posix/regexec.c -@@ -197,7 +197,7 @@ static int group_nodes_into_DFAstates (const re_dfa_t *dfa, - static int check_node_accept (const re_match_context_t *mctx, - const re_token_t *node, int idx) - internal_function; --static reg_errcode_t extend_buffers (re_match_context_t *mctx) -+static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len) - internal_function; - - /* Entry point for POSIX code. */ -@@ -1160,7 +1160,7 @@ check_matching (re_match_context_t *mctx, int fl_longest_match, - || (BE (next_char_idx >= mctx->input.valid_len, 0) - && mctx->input.valid_len < mctx->input.len)) - { -- err = extend_buffers (mctx); -+ err = extend_buffers (mctx, next_char_idx + 1); - if (BE (err != REG_NOERROR, 0)) - { - assert (err == REG_ESPACE); -@@ -1738,7 +1738,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, int next_state_log_idx) - && mctx->input.valid_len < mctx->input.len)) - { - reg_errcode_t err; -- err = extend_buffers (mctx); -+ err = extend_buffers (mctx, next_state_log_idx + 1); - if (BE (err != REG_NOERROR, 0)) - return err; - } -@@ -2792,7 +2792,7 @@ get_subexp (re_match_context_t *mctx, int bkref_node, int bkref_str_idx) - if (bkref_str_off >= mctx->input.len) - break; - -- err = extend_buffers (mctx); -+ err = extend_buffers (mctx, bkref_str_off + 1); - if (BE (err != REG_NOERROR, 0)) - return err; - -@@ -4102,7 +4102,7 @@ check_node_accept (const re_match_context_t *mctx, const re_token_t *node, - - static reg_errcode_t - internal_function __attribute_warn_unused_result__ --extend_buffers (re_match_context_t *mctx) -+extend_buffers 
(re_match_context_t *mctx, int min_len) - { - reg_errcode_t ret; - re_string_t *pstr = &mctx->input; -@@ -4111,8 +4111,10 @@ extend_buffers (re_match_context_t *mctx) - if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0)) - return REG_ESPACE; - -- /* Double the lengthes of the buffers. */ -- ret = re_string_realloc_buffers (pstr, MIN (pstr->len, pstr->bufs_len * 2)); -+ /* Double the lengthes of the buffers, but allocate at least MIN_LEN. */ -+ ret = re_string_realloc_buffers (pstr, -+ MAX (min_len, -+ MIN (pstr->len, pstr->bufs_len * 2))); - if (BE (ret != REG_NOERROR, 0)) - return ret; - diff --git a/glibc/glibc-resolv_assert.patch b/glibc/glibc-resolv_assert.patch deleted file mode 100644 index f03cd160..00000000 --- a/glibc/glibc-resolv_assert.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -# http://sourceware.org/bugzilla/show_bug.cgi?id=13013 - -2011-07-21 Aurelien Jarno - - * resolv/res_query.c(__libc_res_nquery): Assign hp and hp2 - depending n and resplen2 to catch cases where answer - equals answerp2. - -diff --git a/resolv/res_query.c b/resolv/res_query.c -index 2f7cfaa..405fa68 100644 ---- a/resolv/res_query.c -+++ b/resolv/res_query.c -@@ -122,6 +122,7 @@ __libc_res_nquery(res_state statp, - int *resplen2) - { - HEADER *hp = (HEADER *) answer; -+ HEADER *hp2; - int n, use_malloc = 0; - u_int oflags = statp->_flags; - -@@ -239,26 +240,25 @@ __libc_res_nquery(res_state statp, - /* __libc_res_nsend might have reallocated the buffer. */ - hp = (HEADER *) *answerp; - -- /* We simplify the following tests by assigning HP to HP2. It -- is easy to verify that this is the same as ignoring all -- tests of HP2. */ -- HEADER *hp2 = answerp2 ? (HEADER *) *answerp2 : hp; -- -- if (n < (int) sizeof (HEADER) && answerp2 != NULL -- && *resplen2 > (int) sizeof (HEADER)) -+ /* We simplify the following tests by assigning HP to HP2 or -+ vice versa. It is easy to verify that this is the same as -+ ignoring all tests of HP or HP2. */ -+ if (answerp2 == NULL || *resplen2 < (int) sizeof (HEADER)) - { -- /* Special case of partial answer. */ -- assert (hp != hp2); -- hp = hp2; -+ hp2 = hp; - } -- else if (answerp2 != NULL && *resplen2 < (int) sizeof (HEADER) -- && n > (int) sizeof (HEADER)) -+ else - { -- /* Special case of partial answer. */ -- assert (hp != hp2); -- hp2 = hp; -+ hp2 = (HEADER *) *answerp2; -+ if (n < (int) sizeof (HEADER)) -+ { -+ hp = hp2; -+ } - } - -+ /* Make sure both hp and hp2 are defined */ -+ assert((hp != NULL) && (hp2 != NULL)); -+ - if ((hp->rcode != NOERROR || ntohs(hp->ancount) == 0) - && (hp2->rcode != NOERROR || ntohs(hp2->ancount) == 0)) { - #ifdef DEBUG diff --git a/glibc/glibc-segfault_in_strncasecmp.patch b/glibc/glibc-segfault_in_strncasecmp.patch deleted file mode 100644 index 98ea8515..00000000 
--- a/glibc/glibc-segfault_in_strncasecmp.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -commit 6db8f73723e64a4f486ca679e05dbf15a1437bfd -Author: Liubov Dmitrieva -Date: Wed Aug 15 21:06:55 2012 +0200 - - Fix segmentation fault in strncasecmp for i686 - - 2012-08-15 Liubov Dmitrieva - - [BZ #14195] - * sysdeps/i386/i686/multiarch/strcmp-sssse3.S: Fix - segmentation fault for a case of two empty input strings. - * string/test-strncasecmp.c (check1): Renamed to... - (bz12205): ...this. - (bz14195): Add new testcase for two empty input strings and N > 0. - (test_main): Call new testcase, adapt for renamed function. - (cherry picked from commit b3f479a85a3e191befbe821d787d7f71c0f64e79) - -diff --git a/string/test-strncasecmp.c b/string/test-strncasecmp.c -index 6c17530..acfe668 100644 ---- a/string/test-strncasecmp.c -+++ b/string/test-strncasecmp.c -@@ -1,5 +1,5 @@ - /* Test and measure strncasecmp functions. -- Copyright (C) 1999, 2002, 2003, 2005, 2010 Free Software Foundation, Inc. -+ Copyright (C) 1999-2012 Free Software Foundation, Inc. - This file is part of the GNU C Library. - Written by Jakub Jelinek , 1999. 
- -@@ -251,9 +251,9 @@ do_random_tests (void) - } - } - -- -+/* Regression test for BZ #12205 */ - static void --check1 (void) -+bz12205 (void) - { - static char cp [4096+16] __attribute__ ((aligned(4096))); - static char gotrel[4096] __attribute__ ((aligned(4096))); -@@ -270,6 +270,15 @@ check1 (void) - check_result (impl, s1, s2, n, exp_result); - } - -+/* Regression test for BZ #14195 */ -+static void -+bz14195 (void) -+{ -+ const char *empty_string = ""; -+ FOR_EACH_IMPL (impl, 0) -+ check_result (impl, empty_string, "", 5, 0); -+} -+ - int - test_main (void) - { -@@ -277,7 +286,8 @@ test_main (void) - - test_init (); - -- check1 (); -+ bz12205 (); -+ bz14195 (); - - printf ("%23s", ""); - FOR_EACH_IMPL (impl, 0) -diff --git a/sysdeps/i386/i686/multiarch/strcmp-ssse3.S b/sysdeps/i386/i686/multiarch/strcmp-ssse3.S -index 5e6321e..9735ad0 100644 ---- a/sysdeps/i386/i686/multiarch/strcmp-ssse3.S -+++ b/sysdeps/i386/i686/multiarch/strcmp-ssse3.S -@@ -2445,7 +2445,7 @@ L(less16bytes_sncmp): - # endif - jne L(neq_sncmp) - test %cl, %cl -- je L(eq) -+ je L(eq_sncmp) - - cmp $1, REM - je L(eq_sncmp) diff --git a/glibc/glibc-strtod_integer_overflow.patch b/glibc/glibc-strtod_integer_overflow.patch deleted file mode 100644 index 26e57776..00000000 --- a/glibc/glibc-strtod_integer_overflow.patch +++ /dev/null 
@@ -1,399 +0,0 @@ -commit da1f431963218999c49cae928309dfec426c575c -Author: Joseph Myers -Date: Mon Aug 27 15:59:24 2012 +0000 - - Fix strtod integer/buffer overflow (bug 14459). - (cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4) - - Conflicts: - - ChangeLog - NEWS - stdlib/Makefile - -diff --git a/stdlib/Makefile b/stdlib/Makefile -index f7811c5..79c9acb 100644 ---- a/stdlib/Makefile -+++ b/stdlib/Makefile -@@ -68,7 +68,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ - tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \ - tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2 \ - tst-makecontext2 tst-strtod6 tst-unsetenv1 \ -- tst-makecontext3 bug-getcontext bug-fmtmsg1 -+ tst-makecontext3 bug-getcontext bug-fmtmsg1 \ -+ tst-strtod-overflow - - include ../Makeconfig - -diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c -index 2166a08..a8a7ea8 100644 ---- a/stdlib/strtod_l.c -+++ b/stdlib/strtod_l.c -@@ -60,6 +60,7 @@ extern unsigned long long int ____strtoull_l_internal (const char *, char **, - #include - #include - #include -+#include - - /* The gmp headers need some configuration frobs. */ - #define HAVE_ALLOCA 1 -@@ -72,7 +73,6 @@ extern unsigned long long int ____strtoull_l_internal (const char *, char **, - #include "longlong.h" - #include "fpioconst.h" - --#define NDEBUG 1 - #include - - -@@ -174,19 +174,19 @@ extern const mp_limb_t _tens_in_limb[MAX_DIG_PER_LIMB + 1]; - /* Return a floating point number of the needed type according to the given - multi-precision number after possible rounding. 
*/ - static FLOAT --round_and_return (mp_limb_t *retval, int exponent, int negative, -+round_and_return (mp_limb_t *retval, intmax_t exponent, int negative, - mp_limb_t round_limb, mp_size_t round_bit, int more_bits) - { - if (exponent < MIN_EXP - 1) - { -- mp_size_t shift = MIN_EXP - 1 - exponent; -- -- if (shift > MANT_DIG) -+ if (exponent < MIN_EXP - 1 - MANT_DIG) - { - __set_errno (ERANGE); - return 0.0; - } - -+ mp_size_t shift = MIN_EXP - 1 - exponent; -+ - more_bits |= (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0; - if (shift == MANT_DIG) - /* This is a special case to handle the very seldom case where -@@ -233,6 +233,9 @@ round_and_return (mp_limb_t *retval, int exponent, int negative, - __set_errno (ERANGE); - } - -+ if (exponent > MAX_EXP) -+ goto overflow; -+ - if ((round_limb & (((mp_limb_t) 1) << round_bit)) != 0 - && (more_bits || (retval[0] & 1) != 0 - || (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0)) -@@ -258,6 +261,7 @@ round_and_return (mp_limb_t *retval, int exponent, int negative, - } - - if (exponent > MAX_EXP) -+ overflow: - return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL; - - return MPN2FLOAT (retval, exponent, negative); -@@ -271,7 +275,7 @@ round_and_return (mp_limb_t *retval, int exponent, int negative, - factor for the resulting number (see code) multiply by it. 
*/ - static const STRING_TYPE * - str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize, -- int *exponent -+ intmax_t *exponent - #ifndef USE_WIDE_CHAR - , const char *decimal, size_t decimal_len, const char *thousands - #endif -@@ -301,6 +305,7 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize, - cy += __mpn_add_1 (n, n, *nsize, low); - if (cy != 0) - { -+ assert (*nsize < MPNSIZE); - n[*nsize] = cy; - ++(*nsize); - } -@@ -335,7 +340,7 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize, - } - while (--digcnt > 0); - -- if (*exponent > 0 && cnt + *exponent <= MAX_DIG_PER_LIMB) -+ if (*exponent > 0 && *exponent <= MAX_DIG_PER_LIMB - cnt) - { - low *= _tens_in_limb[*exponent]; - start = _tens_in_limb[cnt + *exponent]; -@@ -355,7 +360,10 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize, - cy = __mpn_mul_1 (n, n, *nsize, start); - cy += __mpn_add_1 (n, n, *nsize, low); - if (cy != 0) -- n[(*nsize)++] = cy; -+ { -+ assert (*nsize < MPNSIZE); -+ n[(*nsize)++] = cy; -+ } - } - - return str; -@@ -413,7 +421,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - { - int negative; /* The sign of the number. */ - MPN_VAR (num); /* MP representation of the number. */ -- int exponent; /* Exponent of the number. */ -+ intmax_t exponent; /* Exponent of the number. */ - - /* Numbers starting `0X' or `0x' have to be processed with base 16. */ - int base = 10; -@@ -435,7 +443,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - /* Points at the character following the integer and fractional digits. */ - const STRING_TYPE *expp; - /* Total number of digit and number of digits in integer part. */ -- int dig_no, int_no, lead_zero; -+ size_t dig_no, int_no, lead_zero; - /* Contains the last character read. */ - CHAR_TYPE c; - -@@ -767,7 +775,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - are all or any is really a fractional digit will be decided - later. 
*/ - int_no = dig_no; -- lead_zero = int_no == 0 ? -1 : 0; -+ lead_zero = int_no == 0 ? (size_t) -1 : 0; - - /* Read the fractional digits. A special case are the 'american - style' numbers like `16.' i.e. with decimal point but without -@@ -789,12 +797,13 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - (base == 16 && ({ CHAR_TYPE lo = TOLOWER (c); - lo >= L_('a') && lo <= L_('f'); }))) - { -- if (c != L_('0') && lead_zero == -1) -+ if (c != L_('0') && lead_zero == (size_t) -1) - lead_zero = dig_no - int_no; - ++dig_no; - c = *++cp; - } - } -+ assert (dig_no <= (uintmax_t) INTMAX_MAX); - - /* Remember start of exponent (if any). */ - expp = cp; -@@ -817,24 +826,80 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - - if (c >= L_('0') && c <= L_('9')) - { -- int exp_limit; -+ intmax_t exp_limit; - - /* Get the exponent limit. */ - if (base == 16) -- exp_limit = (exp_negative ? -- -MIN_EXP + MANT_DIG + 4 * int_no : -- MAX_EXP - 4 * int_no + 4 * lead_zero + 3); -+ { -+ if (exp_negative) -+ { -+ assert (int_no <= (uintmax_t) (INTMAX_MAX -+ + MIN_EXP - MANT_DIG) / 4); -+ exp_limit = -MIN_EXP + MANT_DIG + 4 * (intmax_t) int_no; -+ } -+ else -+ { -+ if (int_no) -+ { -+ assert (lead_zero == 0 -+ && int_no <= (uintmax_t) INTMAX_MAX / 4); -+ exp_limit = MAX_EXP - 4 * (intmax_t) int_no + 3; -+ } -+ else if (lead_zero == (size_t) -1) -+ { -+ /* The number is zero and this limit is -+ arbitrary. */ -+ exp_limit = MAX_EXP + 3; -+ } -+ else -+ { -+ assert (lead_zero -+ <= (uintmax_t) (INTMAX_MAX - MAX_EXP - 3) / 4); -+ exp_limit = (MAX_EXP -+ + 4 * (intmax_t) lead_zero -+ + 3); -+ } -+ } -+ } - else -- exp_limit = (exp_negative ? 
-- -MIN_10_EXP + MANT_DIG + int_no : -- MAX_10_EXP - int_no + lead_zero + 1); -+ { -+ if (exp_negative) -+ { -+ assert (int_no -+ <= (uintmax_t) (INTMAX_MAX + MIN_10_EXP - MANT_DIG)); -+ exp_limit = -MIN_10_EXP + MANT_DIG + (intmax_t) int_no; -+ } -+ else -+ { -+ if (int_no) -+ { -+ assert (lead_zero == 0 -+ && int_no <= (uintmax_t) INTMAX_MAX); -+ exp_limit = MAX_10_EXP - (intmax_t) int_no + 1; -+ } -+ else if (lead_zero == (size_t) -1) -+ { -+ /* The number is zero and this limit is -+ arbitrary. */ -+ exp_limit = MAX_10_EXP + 1; -+ } -+ else -+ { -+ assert (lead_zero -+ <= (uintmax_t) (INTMAX_MAX - MAX_10_EXP - 1)); -+ exp_limit = MAX_10_EXP + (intmax_t) lead_zero + 1; -+ } -+ } -+ } -+ -+ if (exp_limit < 0) -+ exp_limit = 0; - - do - { -- exponent *= 10; -- exponent += c - L_('0'); -- -- if (__builtin_expect (exponent > exp_limit, 0)) -+ if (__builtin_expect ((exponent > exp_limit / 10 -+ || (exponent == exp_limit / 10 -+ && c - L_('0') > exp_limit % 10)), 0)) - /* The exponent is too large/small to represent a valid - number. */ - { -@@ -843,7 +908,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - /* We have to take care for special situation: a joker - might have written "0.0e100000" which is in fact - zero. */ -- if (lead_zero == -1) -+ if (lead_zero == (size_t) -1) - result = negative ? -0.0 : 0.0; - else - { -@@ -862,6 +927,9 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - /* NOTREACHED */ - } - -+ exponent *= 10; -+ exponent += c - L_('0'); -+ - c = *++cp; - } - while (c >= L_('0') && c <= L_('9')); -@@ -930,7 +998,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - } - #endif - startp += lead_zero + decimal_len; -- exponent -= base == 16 ? 4 * lead_zero : lead_zero; -+ assert (lead_zero <= (base == 16 -+ ? (uintmax_t) INTMAX_MAX / 4 -+ : (uintmax_t) INTMAX_MAX)); -+ assert (lead_zero <= (base == 16 -+ ? ((uintmax_t) exponent -+ - (uintmax_t) INTMAX_MIN) / 4 -+ : ((uintmax_t) exponent - (uintmax_t) INTMAX_MIN))); -+ exponent -= base == 16 ? 
4 * (intmax_t) lead_zero : (intmax_t) lead_zero; - dig_no -= lead_zero; - } - -@@ -972,7 +1047,10 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - } - - /* Adjust the exponent for the bits we are shifting in. */ -- exponent += bits - 1 + (int_no - 1) * 4; -+ assert (int_no <= (uintmax_t) (exponent < 0 -+ ? (INTMAX_MAX - bits + 1) / 4 -+ : (INTMAX_MAX - exponent - bits + 1) / 4)); -+ exponent += bits - 1 + ((intmax_t) int_no - 1) * 4; - - while (--dig_no > 0 && idx >= 0) - { -@@ -1024,13 +1102,15 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - really integer digits or belong to the fractional part; i.e. we normalize - 123e-2 to 1.23. */ - { -- register int incr = (exponent < 0 ? MAX (-int_no, exponent) -- : MIN (dig_no - int_no, exponent)); -+ register intmax_t incr = (exponent < 0 -+ ? MAX (-(intmax_t) int_no, exponent) -+ : MIN ((intmax_t) dig_no - (intmax_t) int_no, -+ exponent)); - int_no += incr; - exponent -= incr; - } - -- if (__builtin_expect (int_no + exponent > MAX_10_EXP + 1, 0)) -+ if (__builtin_expect (exponent > MAX_10_EXP + 1 - (intmax_t) int_no, 0)) - { - __set_errno (ERANGE); - return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL; -@@ -1215,7 +1295,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - digits we should have enough bits for the result. The remaining - decimal digits give us the information that more bits are following. - This can be used while rounding. (Two added as a safety margin.) */ -- if (dig_no - int_no > (MANT_DIG - bits + 2) / 3 + 2) -+ if ((intmax_t) dig_no > (intmax_t) int_no + (MANT_DIG - bits + 2) / 3 + 2) - { - dig_no = int_no + (MANT_DIG - bits + 2) / 3 + 2; - more_bits = 1; -@@ -1223,7 +1303,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) - else - more_bits = 0; - -- neg_exp = dig_no - int_no - exponent; -+ neg_exp = (intmax_t) dig_no - (intmax_t) int_no - exponent; - - /* Construct the denominator. 
*/ - densize = 0; -diff --git a/stdlib/tst-strtod-overflow.c b/stdlib/tst-strtod-overflow.c -new file mode 100644 -index 0000000..668d55b ---- /dev/null -+++ b/stdlib/tst-strtod-overflow.c -@@ -0,0 +1,48 @@ -+/* Test for integer/buffer overflow in strtod. -+ Copyright (C) 2012 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+ -+#define EXPONENT "e-2147483649" -+#define SIZE 214748364 -+ -+static int -+do_test (void) -+{ -+ char *p = malloc (1 + SIZE + sizeof (EXPONENT)); -+ if (p == NULL) -+ { -+ puts ("malloc failed, cannot test for overflow"); -+ return 0; -+ } -+ p[0] = '1'; -+ memset (p + 1, '0', SIZE); -+ memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT)); -+ double d = strtod (p, NULL); -+ if (d != 0) -+ { -+ printf ("strtod returned wrong value: %a\n", d); -+ return 1; -+ } -+ return 0; -+} -+ -+#define TEST_FUNCTION do_test () -+#include "../test-skeleton.c"