glibc: cleaned up obsolete patches
This commit is contained in:
parent
4112d95a81
commit
65ca291e6b
@ -1,38 +0,0 @@
|
||||
diff -urN glibc-2.16.0.orig/sysdeps/gnu/configure glibc-2.16.0/sysdeps/gnu/configure
|
||||
--- glibc-2.16.0.orig/sysdeps/gnu/configure 2012-06-30 14:12:34.000000000 -0500
|
||||
+++ glibc-2.16.0/sysdeps/gnu/configure 2012-07-02 08:19:20.330001028 -0500
|
||||
@@ -14,9 +14,9 @@
|
||||
test -n "$libc_cv_slibdir" || \
|
||||
case $machine in
|
||||
sparc/sparc64 | x86_64* | powerpc/powerpc64 | s390/s390-64)
|
||||
- libc_cv_slibdir=/lib64
|
||||
+ libc_cv_slibdir=/lib
|
||||
if test "$libdir" = '${exec_prefix}/lib'; then
|
||||
- libdir='${exec_prefix}/lib64';
|
||||
+ libdir='${exec_prefix}/lib';
|
||||
# Locale data can be shared between 32bit and 64bit libraries
|
||||
libc_cv_localedir='${exec_prefix}/lib/locale'
|
||||
fi
|
||||
diff -urN glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldconfig.h glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldconfig.h
|
||||
--- glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldconfig.h 2012-06-30 14:12:34.000000000 -0500
|
||||
+++ glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldconfig.h 2012-07-02 08:19:45.560001124 -0500
|
||||
@@ -18,9 +18,9 @@
|
||||
#include <sysdeps/generic/ldconfig.h>
|
||||
|
||||
#define SYSDEP_KNOWN_INTERPRETER_NAMES \
|
||||
- { "/lib/ld-linux.so.2", FLAG_ELF_LIBC6 }, \
|
||||
+ { "/lib32/ld-linux.so.2", FLAG_ELF_LIBC6 }, \
|
||||
{ "/libx32/ld-linux-x32.so.2", FLAG_ELF_LIBC6 }, \
|
||||
- { "/lib64/ld-linux-x86-64.so.2", FLAG_ELF_LIBC6 },
|
||||
+ { "/lib/ld-linux-x86-64.so.2", FLAG_ELF_LIBC6 },
|
||||
#define SYSDEP_KNOWN_LIBRARY_NAMES \
|
||||
{ "libc.so.6", FLAG_ELF_LIBC6 }, \
|
||||
{ "libm.so.6", FLAG_ELF_LIBC6 },
|
||||
diff -urN glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed
|
||||
--- glibc-2.16.0.orig/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed 2012-06-30 14:12:34.000000000 -0500
|
||||
+++ glibc-2.16.0/sysdeps/unix/sysv/linux/x86_64/ldd-rewrite.sed 2012-07-02 08:20:20.240001247 -0500
|
||||
@@ -1,3 +1,3 @@
|
||||
/LD_TRACE_LOADED_OBJECTS=1/a\
|
||||
add_env="$add_env LD_LIBRARY_VERSION=\\$verify_out"
|
||||
-s_^\(RTLDLIST=\)\(.*lib\)\(\|64\|x32\)\(/[^/]*\)\(-x86-64\|-x32\)\(\.so\.[0-9.]*\)[ ]*$_\1"\2\4\6 \264\4-x86-64\6 \2x32\4-x32\6"_
|
||||
+s_^\(RTLDLIST=\)\(.*lib\)\(\|64\|x32\)\(/[^/]*\)\(-x86-64\|-x32\)\(\.so\.[0-9.]*\)[ ]*$_\1"\232\4\6 \2\4-x86-64\6 \2x32\4-x32\6"_
|
@ -1,64 +0,0 @@
|
||||
From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001
|
||||
From: mancha <mancha1@hush.com>
|
||||
Date: Wed, 11 Sep 2013
|
||||
Subject: CVE-2013-4332
|
||||
|
||||
malloc: Check for integer overflow in pvalloc, valloc, and memalign.
|
||||
|
||||
A large bytes parameter to pvalloc, valloc, or memalign could cause
|
||||
an integer overflow and corrupt allocator internals. Check the
|
||||
overflow does not occur before continuing with the allocation.
|
||||
|
||||
Note: This is a backport to glibc 2.17 of the following three commits:
|
||||
* https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a
|
||||
* https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef
|
||||
* https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d
|
||||
---
|
||||
|
||||
malloc.c | 21 +++++++++++++++++++++
|
||||
1 file changed, 21 insertions(+)
|
||||
|
||||
--- a/malloc/malloc.c
|
||||
+++ b/malloc/malloc.c
|
||||
@@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t
|
||||
/* Otherwise, ensure that it is at least a minimum chunk size */
|
||||
if (alignment < MINSIZE) alignment = MINSIZE;
|
||||
|
||||
+ /* Check for overflow. */
|
||||
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
|
||||
+ {
|
||||
+ __set_errno (ENOMEM);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
arena_get(ar_ptr, bytes + alignment + MINSIZE);
|
||||
if(!ar_ptr)
|
||||
return 0;
|
||||
@@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes)
|
||||
|
||||
size_t pagesz = GLRO(dl_pagesize);
|
||||
|
||||
+ /* Check for overflow. */
|
||||
+ if (bytes > SIZE_MAX - pagesz - MINSIZE)
|
||||
+ {
|
||||
+ __set_errno (ENOMEM);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
__malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
|
||||
const __malloc_ptr_t)) =
|
||||
force_reg (__memalign_hook);
|
||||
@@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes)
|
||||
size_t page_mask = GLRO(dl_pagesize) - 1;
|
||||
size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
|
||||
|
||||
+ /* Check for overflow. */
|
||||
+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
|
||||
+ {
|
||||
+ __set_errno (ENOMEM);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
__malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
|
||||
const __malloc_ptr_t)) =
|
||||
force_reg (__memalign_hook);
|
@ -1,72 +0,0 @@
|
||||
# http://sourceware.org/bugzilla/show_bug.cgi?id=15078
|
||||
# CVE-2013-0242
|
||||
# ChangeLog, NEWS and new test removed to apply clean
|
||||
|
||||
commit a445af0bc722d620afed7683cd320c0e4c7c6059
|
||||
Author: Andreas Schwab <schwab@suse.de>
|
||||
Date: Tue Jan 29 14:45:15 2013 +0100
|
||||
|
||||
Fix buffer overrun in regexp matcher
|
||||
|
||||
diff --git a/posix/regexec.c b/posix/regexec.c
|
||||
index 7f2de85..5ca2bf6 100644
|
||||
--- a/posix/regexec.c
|
||||
+++ b/posix/regexec.c
|
||||
@@ -197,7 +197,7 @@ static int group_nodes_into_DFAstates (const re_dfa_t *dfa,
|
||||
static int check_node_accept (const re_match_context_t *mctx,
|
||||
const re_token_t *node, int idx)
|
||||
internal_function;
|
||||
-static reg_errcode_t extend_buffers (re_match_context_t *mctx)
|
||||
+static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len)
|
||||
internal_function;
|
||||
|
||||
/* Entry point for POSIX code. */
|
||||
@@ -1160,7 +1160,7 @@ check_matching (re_match_context_t *mctx, int fl_longest_match,
|
||||
|| (BE (next_char_idx >= mctx->input.valid_len, 0)
|
||||
&& mctx->input.valid_len < mctx->input.len))
|
||||
{
|
||||
- err = extend_buffers (mctx);
|
||||
+ err = extend_buffers (mctx, next_char_idx + 1);
|
||||
if (BE (err != REG_NOERROR, 0))
|
||||
{
|
||||
assert (err == REG_ESPACE);
|
||||
@@ -1738,7 +1738,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, int next_state_log_idx)
|
||||
&& mctx->input.valid_len < mctx->input.len))
|
||||
{
|
||||
reg_errcode_t err;
|
||||
- err = extend_buffers (mctx);
|
||||
+ err = extend_buffers (mctx, next_state_log_idx + 1);
|
||||
if (BE (err != REG_NOERROR, 0))
|
||||
return err;
|
||||
}
|
||||
@@ -2792,7 +2792,7 @@ get_subexp (re_match_context_t *mctx, int bkref_node, int bkref_str_idx)
|
||||
if (bkref_str_off >= mctx->input.len)
|
||||
break;
|
||||
|
||||
- err = extend_buffers (mctx);
|
||||
+ err = extend_buffers (mctx, bkref_str_off + 1);
|
||||
if (BE (err != REG_NOERROR, 0))
|
||||
return err;
|
||||
|
||||
@@ -4102,7 +4102,7 @@ check_node_accept (const re_match_context_t *mctx, const re_token_t *node,
|
||||
|
||||
static reg_errcode_t
|
||||
internal_function __attribute_warn_unused_result__
|
||||
-extend_buffers (re_match_context_t *mctx)
|
||||
+extend_buffers (re_match_context_t *mctx, int min_len)
|
||||
{
|
||||
reg_errcode_t ret;
|
||||
re_string_t *pstr = &mctx->input;
|
||||
@@ -4111,8 +4111,10 @@ extend_buffers (re_match_context_t *mctx)
|
||||
if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
|
||||
return REG_ESPACE;
|
||||
|
||||
- /* Double the lengthes of the buffers. */
|
||||
- ret = re_string_realloc_buffers (pstr, MIN (pstr->len, pstr->bufs_len * 2));
|
||||
+ /* Double the lengthes of the buffers, but allocate at least MIN_LEN. */
|
||||
+ ret = re_string_realloc_buffers (pstr,
|
||||
+ MAX (min_len,
|
||||
+ MIN (pstr->len, pstr->bufs_len * 2)));
|
||||
if (BE (ret != REG_NOERROR, 0))
|
||||
return ret;
|
||||
|
@ -1,61 +0,0 @@
|
||||
# http://sourceware.org/bugzilla/show_bug.cgi?id=13013
|
||||
|
||||
2011-07-21 Aurelien Jarno <aurel32@debian.org>
|
||||
|
||||
* resolv/res_query.c(__libc_res_nquery): Assign hp and hp2
|
||||
depending n and resplen2 to catch cases where answer
|
||||
equals answerp2.
|
||||
|
||||
diff --git a/resolv/res_query.c b/resolv/res_query.c
|
||||
index 2f7cfaa..405fa68 100644
|
||||
--- a/resolv/res_query.c
|
||||
+++ b/resolv/res_query.c
|
||||
@@ -122,6 +122,7 @@ __libc_res_nquery(res_state statp,
|
||||
int *resplen2)
|
||||
{
|
||||
HEADER *hp = (HEADER *) answer;
|
||||
+ HEADER *hp2;
|
||||
int n, use_malloc = 0;
|
||||
u_int oflags = statp->_flags;
|
||||
|
||||
@@ -239,26 +240,25 @@ __libc_res_nquery(res_state statp,
|
||||
/* __libc_res_nsend might have reallocated the buffer. */
|
||||
hp = (HEADER *) *answerp;
|
||||
|
||||
- /* We simplify the following tests by assigning HP to HP2. It
|
||||
- is easy to verify that this is the same as ignoring all
|
||||
- tests of HP2. */
|
||||
- HEADER *hp2 = answerp2 ? (HEADER *) *answerp2 : hp;
|
||||
-
|
||||
- if (n < (int) sizeof (HEADER) && answerp2 != NULL
|
||||
- && *resplen2 > (int) sizeof (HEADER))
|
||||
+ /* We simplify the following tests by assigning HP to HP2 or
|
||||
+ vice versa. It is easy to verify that this is the same as
|
||||
+ ignoring all tests of HP or HP2. */
|
||||
+ if (answerp2 == NULL || *resplen2 < (int) sizeof (HEADER))
|
||||
{
|
||||
- /* Special case of partial answer. */
|
||||
- assert (hp != hp2);
|
||||
- hp = hp2;
|
||||
+ hp2 = hp;
|
||||
}
|
||||
- else if (answerp2 != NULL && *resplen2 < (int) sizeof (HEADER)
|
||||
- && n > (int) sizeof (HEADER))
|
||||
+ else
|
||||
{
|
||||
- /* Special case of partial answer. */
|
||||
- assert (hp != hp2);
|
||||
- hp2 = hp;
|
||||
+ hp2 = (HEADER *) *answerp2;
|
||||
+ if (n < (int) sizeof (HEADER))
|
||||
+ {
|
||||
+ hp = hp2;
|
||||
+ }
|
||||
}
|
||||
|
||||
+ /* Make sure both hp and hp2 are defined */
|
||||
+ assert((hp != NULL) && (hp2 != NULL));
|
||||
+
|
||||
if ((hp->rcode != NOERROR || ntohs(hp->ancount) == 0)
|
||||
&& (hp2->rcode != NOERROR || ntohs(hp2->ancount) == 0)) {
|
||||
#ifdef DEBUG
|
@ -1,79 +0,0 @@
|
||||
commit 6db8f73723e64a4f486ca679e05dbf15a1437bfd
|
||||
Author: Liubov Dmitrieva <liubov.dmitrieva@gmail.com>
|
||||
Date: Wed Aug 15 21:06:55 2012 +0200
|
||||
|
||||
Fix segmentation fault in strncasecmp for i686
|
||||
|
||||
2012-08-15 Liubov Dmitrieva <liubov.dmitrieva@gmail.com>
|
||||
|
||||
[BZ #14195]
|
||||
* sysdeps/i386/i686/multiarch/strcmp-sssse3.S: Fix
|
||||
segmentation fault for a case of two empty input strings.
|
||||
* string/test-strncasecmp.c (check1): Renamed to...
|
||||
(bz12205): ...this.
|
||||
(bz14195): Add new testcase for two empty input strings and N > 0.
|
||||
(test_main): Call new testcase, adapt for renamed function.
|
||||
(cherry picked from commit b3f479a85a3e191befbe821d787d7f71c0f64e79)
|
||||
|
||||
diff --git a/string/test-strncasecmp.c b/string/test-strncasecmp.c
|
||||
index 6c17530..acfe668 100644
|
||||
--- a/string/test-strncasecmp.c
|
||||
+++ b/string/test-strncasecmp.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/* Test and measure strncasecmp functions.
|
||||
- Copyright (C) 1999, 2002, 2003, 2005, 2010 Free Software Foundation, Inc.
|
||||
+ Copyright (C) 1999-2012 Free Software Foundation, Inc.
|
||||
This file is part of the GNU C Library.
|
||||
Written by Jakub Jelinek <jakub@redhat.com>, 1999.
|
||||
|
||||
@@ -251,9 +251,9 @@ do_random_tests (void)
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
+/* Regression test for BZ #12205 */
|
||||
static void
|
||||
-check1 (void)
|
||||
+bz12205 (void)
|
||||
{
|
||||
static char cp [4096+16] __attribute__ ((aligned(4096)));
|
||||
static char gotrel[4096] __attribute__ ((aligned(4096)));
|
||||
@@ -270,6 +270,15 @@ check1 (void)
|
||||
check_result (impl, s1, s2, n, exp_result);
|
||||
}
|
||||
|
||||
+/* Regression test for BZ #14195 */
|
||||
+static void
|
||||
+bz14195 (void)
|
||||
+{
|
||||
+ const char *empty_string = "";
|
||||
+ FOR_EACH_IMPL (impl, 0)
|
||||
+ check_result (impl, empty_string, "", 5, 0);
|
||||
+}
|
||||
+
|
||||
int
|
||||
test_main (void)
|
||||
{
|
||||
@@ -277,7 +286,8 @@ test_main (void)
|
||||
|
||||
test_init ();
|
||||
|
||||
- check1 ();
|
||||
+ bz12205 ();
|
||||
+ bz14195 ();
|
||||
|
||||
printf ("%23s", "");
|
||||
FOR_EACH_IMPL (impl, 0)
|
||||
diff --git a/sysdeps/i386/i686/multiarch/strcmp-ssse3.S b/sysdeps/i386/i686/multiarch/strcmp-ssse3.S
|
||||
index 5e6321e..9735ad0 100644
|
||||
--- a/sysdeps/i386/i686/multiarch/strcmp-ssse3.S
|
||||
+++ b/sysdeps/i386/i686/multiarch/strcmp-ssse3.S
|
||||
@@ -2445,7 +2445,7 @@ L(less16bytes_sncmp):
|
||||
# endif
|
||||
jne L(neq_sncmp)
|
||||
test %cl, %cl
|
||||
- je L(eq)
|
||||
+ je L(eq_sncmp)
|
||||
|
||||
cmp $1, REM
|
||||
je L(eq_sncmp)
|
@ -1,399 +0,0 @@
|
||||
commit da1f431963218999c49cae928309dfec426c575c
|
||||
Author: Joseph Myers <joseph@codesourcery.com>
|
||||
Date: Mon Aug 27 15:59:24 2012 +0000
|
||||
|
||||
Fix strtod integer/buffer overflow (bug 14459).
|
||||
(cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4)
|
||||
|
||||
Conflicts:
|
||||
|
||||
ChangeLog
|
||||
NEWS
|
||||
stdlib/Makefile
|
||||
|
||||
diff --git a/stdlib/Makefile b/stdlib/Makefile
|
||||
index f7811c5..79c9acb 100644
|
||||
--- a/stdlib/Makefile
|
||||
+++ b/stdlib/Makefile
|
||||
@@ -68,7 +68,8 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \
|
||||
tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \
|
||||
tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2 \
|
||||
tst-makecontext2 tst-strtod6 tst-unsetenv1 \
|
||||
- tst-makecontext3 bug-getcontext bug-fmtmsg1
|
||||
+ tst-makecontext3 bug-getcontext bug-fmtmsg1 \
|
||||
+ tst-strtod-overflow
|
||||
|
||||
include ../Makeconfig
|
||||
|
||||
diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c
|
||||
index 2166a08..a8a7ea8 100644
|
||||
--- a/stdlib/strtod_l.c
|
||||
+++ b/stdlib/strtod_l.c
|
||||
@@ -60,6 +60,7 @@ extern unsigned long long int ____strtoull_l_internal (const char *, char **,
|
||||
#include <math.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <stdint.h>
|
||||
|
||||
/* The gmp headers need some configuration frobs. */
|
||||
#define HAVE_ALLOCA 1
|
||||
@@ -72,7 +73,6 @@ extern unsigned long long int ____strtoull_l_internal (const char *, char **,
|
||||
#include "longlong.h"
|
||||
#include "fpioconst.h"
|
||||
|
||||
-#define NDEBUG 1
|
||||
#include <assert.h>
|
||||
|
||||
|
||||
@@ -174,19 +174,19 @@ extern const mp_limb_t _tens_in_limb[MAX_DIG_PER_LIMB + 1];
|
||||
/* Return a floating point number of the needed type according to the given
|
||||
multi-precision number after possible rounding. */
|
||||
static FLOAT
|
||||
-round_and_return (mp_limb_t *retval, int exponent, int negative,
|
||||
+round_and_return (mp_limb_t *retval, intmax_t exponent, int negative,
|
||||
mp_limb_t round_limb, mp_size_t round_bit, int more_bits)
|
||||
{
|
||||
if (exponent < MIN_EXP - 1)
|
||||
{
|
||||
- mp_size_t shift = MIN_EXP - 1 - exponent;
|
||||
-
|
||||
- if (shift > MANT_DIG)
|
||||
+ if (exponent < MIN_EXP - 1 - MANT_DIG)
|
||||
{
|
||||
__set_errno (ERANGE);
|
||||
return 0.0;
|
||||
}
|
||||
|
||||
+ mp_size_t shift = MIN_EXP - 1 - exponent;
|
||||
+
|
||||
more_bits |= (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0;
|
||||
if (shift == MANT_DIG)
|
||||
/* This is a special case to handle the very seldom case where
|
||||
@@ -233,6 +233,9 @@ round_and_return (mp_limb_t *retval, int exponent, int negative,
|
||||
__set_errno (ERANGE);
|
||||
}
|
||||
|
||||
+ if (exponent > MAX_EXP)
|
||||
+ goto overflow;
|
||||
+
|
||||
if ((round_limb & (((mp_limb_t) 1) << round_bit)) != 0
|
||||
&& (more_bits || (retval[0] & 1) != 0
|
||||
|| (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0))
|
||||
@@ -258,6 +261,7 @@ round_and_return (mp_limb_t *retval, int exponent, int negative,
|
||||
}
|
||||
|
||||
if (exponent > MAX_EXP)
|
||||
+ overflow:
|
||||
return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL;
|
||||
|
||||
return MPN2FLOAT (retval, exponent, negative);
|
||||
@@ -271,7 +275,7 @@ round_and_return (mp_limb_t *retval, int exponent, int negative,
|
||||
factor for the resulting number (see code) multiply by it. */
|
||||
static const STRING_TYPE *
|
||||
str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
|
||||
- int *exponent
|
||||
+ intmax_t *exponent
|
||||
#ifndef USE_WIDE_CHAR
|
||||
, const char *decimal, size_t decimal_len, const char *thousands
|
||||
#endif
|
||||
@@ -301,6 +305,7 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
|
||||
cy += __mpn_add_1 (n, n, *nsize, low);
|
||||
if (cy != 0)
|
||||
{
|
||||
+ assert (*nsize < MPNSIZE);
|
||||
n[*nsize] = cy;
|
||||
++(*nsize);
|
||||
}
|
||||
@@ -335,7 +340,7 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
|
||||
}
|
||||
while (--digcnt > 0);
|
||||
|
||||
- if (*exponent > 0 && cnt + *exponent <= MAX_DIG_PER_LIMB)
|
||||
+ if (*exponent > 0 && *exponent <= MAX_DIG_PER_LIMB - cnt)
|
||||
{
|
||||
low *= _tens_in_limb[*exponent];
|
||||
start = _tens_in_limb[cnt + *exponent];
|
||||
@@ -355,7 +360,10 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
|
||||
cy = __mpn_mul_1 (n, n, *nsize, start);
|
||||
cy += __mpn_add_1 (n, n, *nsize, low);
|
||||
if (cy != 0)
|
||||
- n[(*nsize)++] = cy;
|
||||
+ {
|
||||
+ assert (*nsize < MPNSIZE);
|
||||
+ n[(*nsize)++] = cy;
|
||||
+ }
|
||||
}
|
||||
|
||||
return str;
|
||||
@@ -413,7 +421,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
{
|
||||
int negative; /* The sign of the number. */
|
||||
MPN_VAR (num); /* MP representation of the number. */
|
||||
- int exponent; /* Exponent of the number. */
|
||||
+ intmax_t exponent; /* Exponent of the number. */
|
||||
|
||||
/* Numbers starting `0X' or `0x' have to be processed with base 16. */
|
||||
int base = 10;
|
||||
@@ -435,7 +443,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
/* Points at the character following the integer and fractional digits. */
|
||||
const STRING_TYPE *expp;
|
||||
/* Total number of digit and number of digits in integer part. */
|
||||
- int dig_no, int_no, lead_zero;
|
||||
+ size_t dig_no, int_no, lead_zero;
|
||||
/* Contains the last character read. */
|
||||
CHAR_TYPE c;
|
||||
|
||||
@@ -767,7 +775,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
are all or any is really a fractional digit will be decided
|
||||
later. */
|
||||
int_no = dig_no;
|
||||
- lead_zero = int_no == 0 ? -1 : 0;
|
||||
+ lead_zero = int_no == 0 ? (size_t) -1 : 0;
|
||||
|
||||
/* Read the fractional digits. A special case are the 'american
|
||||
style' numbers like `16.' i.e. with decimal point but without
|
||||
@@ -789,12 +797,13 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
(base == 16 && ({ CHAR_TYPE lo = TOLOWER (c);
|
||||
lo >= L_('a') && lo <= L_('f'); })))
|
||||
{
|
||||
- if (c != L_('0') && lead_zero == -1)
|
||||
+ if (c != L_('0') && lead_zero == (size_t) -1)
|
||||
lead_zero = dig_no - int_no;
|
||||
++dig_no;
|
||||
c = *++cp;
|
||||
}
|
||||
}
|
||||
+ assert (dig_no <= (uintmax_t) INTMAX_MAX);
|
||||
|
||||
/* Remember start of exponent (if any). */
|
||||
expp = cp;
|
||||
@@ -817,24 +826,80 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
|
||||
if (c >= L_('0') && c <= L_('9'))
|
||||
{
|
||||
- int exp_limit;
|
||||
+ intmax_t exp_limit;
|
||||
|
||||
/* Get the exponent limit. */
|
||||
if (base == 16)
|
||||
- exp_limit = (exp_negative ?
|
||||
- -MIN_EXP + MANT_DIG + 4 * int_no :
|
||||
- MAX_EXP - 4 * int_no + 4 * lead_zero + 3);
|
||||
+ {
|
||||
+ if (exp_negative)
|
||||
+ {
|
||||
+ assert (int_no <= (uintmax_t) (INTMAX_MAX
|
||||
+ + MIN_EXP - MANT_DIG) / 4);
|
||||
+ exp_limit = -MIN_EXP + MANT_DIG + 4 * (intmax_t) int_no;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ if (int_no)
|
||||
+ {
|
||||
+ assert (lead_zero == 0
|
||||
+ && int_no <= (uintmax_t) INTMAX_MAX / 4);
|
||||
+ exp_limit = MAX_EXP - 4 * (intmax_t) int_no + 3;
|
||||
+ }
|
||||
+ else if (lead_zero == (size_t) -1)
|
||||
+ {
|
||||
+ /* The number is zero and this limit is
|
||||
+ arbitrary. */
|
||||
+ exp_limit = MAX_EXP + 3;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ assert (lead_zero
|
||||
+ <= (uintmax_t) (INTMAX_MAX - MAX_EXP - 3) / 4);
|
||||
+ exp_limit = (MAX_EXP
|
||||
+ + 4 * (intmax_t) lead_zero
|
||||
+ + 3);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
else
|
||||
- exp_limit = (exp_negative ?
|
||||
- -MIN_10_EXP + MANT_DIG + int_no :
|
||||
- MAX_10_EXP - int_no + lead_zero + 1);
|
||||
+ {
|
||||
+ if (exp_negative)
|
||||
+ {
|
||||
+ assert (int_no
|
||||
+ <= (uintmax_t) (INTMAX_MAX + MIN_10_EXP - MANT_DIG));
|
||||
+ exp_limit = -MIN_10_EXP + MANT_DIG + (intmax_t) int_no;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ if (int_no)
|
||||
+ {
|
||||
+ assert (lead_zero == 0
|
||||
+ && int_no <= (uintmax_t) INTMAX_MAX);
|
||||
+ exp_limit = MAX_10_EXP - (intmax_t) int_no + 1;
|
||||
+ }
|
||||
+ else if (lead_zero == (size_t) -1)
|
||||
+ {
|
||||
+ /* The number is zero and this limit is
|
||||
+ arbitrary. */
|
||||
+ exp_limit = MAX_10_EXP + 1;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ assert (lead_zero
|
||||
+ <= (uintmax_t) (INTMAX_MAX - MAX_10_EXP - 1));
|
||||
+ exp_limit = MAX_10_EXP + (intmax_t) lead_zero + 1;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (exp_limit < 0)
|
||||
+ exp_limit = 0;
|
||||
|
||||
do
|
||||
{
|
||||
- exponent *= 10;
|
||||
- exponent += c - L_('0');
|
||||
-
|
||||
- if (__builtin_expect (exponent > exp_limit, 0))
|
||||
+ if (__builtin_expect ((exponent > exp_limit / 10
|
||||
+ || (exponent == exp_limit / 10
|
||||
+ && c - L_('0') > exp_limit % 10)), 0))
|
||||
/* The exponent is too large/small to represent a valid
|
||||
number. */
|
||||
{
|
||||
@@ -843,7 +908,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
/* We have to take care for special situation: a joker
|
||||
might have written "0.0e100000" which is in fact
|
||||
zero. */
|
||||
- if (lead_zero == -1)
|
||||
+ if (lead_zero == (size_t) -1)
|
||||
result = negative ? -0.0 : 0.0;
|
||||
else
|
||||
{
|
||||
@@ -862,6 +927,9 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
/* NOTREACHED */
|
||||
}
|
||||
|
||||
+ exponent *= 10;
|
||||
+ exponent += c - L_('0');
|
||||
+
|
||||
c = *++cp;
|
||||
}
|
||||
while (c >= L_('0') && c <= L_('9'));
|
||||
@@ -930,7 +998,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
}
|
||||
#endif
|
||||
startp += lead_zero + decimal_len;
|
||||
- exponent -= base == 16 ? 4 * lead_zero : lead_zero;
|
||||
+ assert (lead_zero <= (base == 16
|
||||
+ ? (uintmax_t) INTMAX_MAX / 4
|
||||
+ : (uintmax_t) INTMAX_MAX));
|
||||
+ assert (lead_zero <= (base == 16
|
||||
+ ? ((uintmax_t) exponent
|
||||
+ - (uintmax_t) INTMAX_MIN) / 4
|
||||
+ : ((uintmax_t) exponent - (uintmax_t) INTMAX_MIN)));
|
||||
+ exponent -= base == 16 ? 4 * (intmax_t) lead_zero : (intmax_t) lead_zero;
|
||||
dig_no -= lead_zero;
|
||||
}
|
||||
|
||||
@@ -972,7 +1047,10 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
}
|
||||
|
||||
/* Adjust the exponent for the bits we are shifting in. */
|
||||
- exponent += bits - 1 + (int_no - 1) * 4;
|
||||
+ assert (int_no <= (uintmax_t) (exponent < 0
|
||||
+ ? (INTMAX_MAX - bits + 1) / 4
|
||||
+ : (INTMAX_MAX - exponent - bits + 1) / 4));
|
||||
+ exponent += bits - 1 + ((intmax_t) int_no - 1) * 4;
|
||||
|
||||
while (--dig_no > 0 && idx >= 0)
|
||||
{
|
||||
@@ -1024,13 +1102,15 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
really integer digits or belong to the fractional part; i.e. we normalize
|
||||
123e-2 to 1.23. */
|
||||
{
|
||||
- register int incr = (exponent < 0 ? MAX (-int_no, exponent)
|
||||
- : MIN (dig_no - int_no, exponent));
|
||||
+ register intmax_t incr = (exponent < 0
|
||||
+ ? MAX (-(intmax_t) int_no, exponent)
|
||||
+ : MIN ((intmax_t) dig_no - (intmax_t) int_no,
|
||||
+ exponent));
|
||||
int_no += incr;
|
||||
exponent -= incr;
|
||||
}
|
||||
|
||||
- if (__builtin_expect (int_no + exponent > MAX_10_EXP + 1, 0))
|
||||
+ if (__builtin_expect (exponent > MAX_10_EXP + 1 - (intmax_t) int_no, 0))
|
||||
{
|
||||
__set_errno (ERANGE);
|
||||
return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL;
|
||||
@@ -1215,7 +1295,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
digits we should have enough bits for the result. The remaining
|
||||
decimal digits give us the information that more bits are following.
|
||||
This can be used while rounding. (Two added as a safety margin.) */
|
||||
- if (dig_no - int_no > (MANT_DIG - bits + 2) / 3 + 2)
|
||||
+ if ((intmax_t) dig_no > (intmax_t) int_no + (MANT_DIG - bits + 2) / 3 + 2)
|
||||
{
|
||||
dig_no = int_no + (MANT_DIG - bits + 2) / 3 + 2;
|
||||
more_bits = 1;
|
||||
@@ -1223,7 +1303,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc)
|
||||
else
|
||||
more_bits = 0;
|
||||
|
||||
- neg_exp = dig_no - int_no - exponent;
|
||||
+ neg_exp = (intmax_t) dig_no - (intmax_t) int_no - exponent;
|
||||
|
||||
/* Construct the denominator. */
|
||||
densize = 0;
|
||||
diff --git a/stdlib/tst-strtod-overflow.c b/stdlib/tst-strtod-overflow.c
|
||||
new file mode 100644
|
||||
index 0000000..668d55b
|
||||
--- /dev/null
|
||||
+++ b/stdlib/tst-strtod-overflow.c
|
||||
@@ -0,0 +1,48 @@
|
||||
+/* Test for integer/buffer overflow in strtod.
|
||||
+ Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <http://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#define EXPONENT "e-2147483649"
|
||||
+#define SIZE 214748364
|
||||
+
|
||||
+static int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ char *p = malloc (1 + SIZE + sizeof (EXPONENT));
|
||||
+ if (p == NULL)
|
||||
+ {
|
||||
+ puts ("malloc failed, cannot test for overflow");
|
||||
+ return 0;
|
||||
+ }
|
||||
+ p[0] = '1';
|
||||
+ memset (p + 1, '0', SIZE);
|
||||
+ memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
|
||||
+ double d = strtod (p, NULL);
|
||||
+ if (d != 0)
|
||||
+ {
|
||||
+ printf ("strtod returned wrong value: %a\n", d);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#define TEST_FUNCTION do_test ()
|
||||
+#include "../test-skeleton.c"
|
Loading…
Reference in New Issue
Block a user