authorJeff Law <law@redhat.com>2012-06-21 09:26:41 -0600
committerJeff Law <law@redhat.com>2012-06-21 09:26:41 -0600
commit28363bbf705830cb35791af679401559376eaa75 (patch)
treed04ba0e96581b43edcfe7eaaea5e4bdce8870886
parent09615db4a954a51014bb75e6def15ec05d4f0da9 (diff)
2012-06-21 Jeff Law <law@redhat.com>
        [BZ #13882]
        * elf/dl-deps.c (_dl_map_object_deps): Fix cycle detection.  Use
        uint16_t for elements in the "seen" array to avoid char overflows.
        * elf/dl-fini.c (_dl_sort_fini): Likewise.
        * elf/dl-open.c (dl_open_worker): Likewise.
-rw-r--r--ChangeLog8
-rw-r--r--NEWS16
-rw-r--r--elf/dl-deps.c8
-rw-r--r--elf/dl-fini.c8
-rw-r--r--elf/dl-open.c8
5 files changed, 28 insertions, 20 deletions
diff --git a/ChangeLog b/ChangeLog
index 0a70e8bdec..01bb5c49af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2012-06-21  Jeff Law  <law@redhat.com>
+
+	[BZ #13882]
+	* elf/dl-deps.c (_dl_map_object_deps): Fix cycle detection.  Use
+	uint16_t for elements in the "seen" array to avoid char overflows.
+        * elf/dl-fini.c (_dl_sort_fini): Likewise.
+	* elf/dl-open.c (dl_open_worker): Likewise.
+
 2012-06-21  Carlos O'Donell  <carlos_odonell@mentor.com>
 
 	* scripts/list-sources.sh: Scan PORTS for translations.
diff --git a/NEWS b/NEWS
index 97ab8fead9..f758700b63 100644
--- a/NEWS
+++ b/NEWS
@@ -23,14 +23,14 @@ Version 2.16
   13691, 13695, 13704, 13705, 13706, 13718, 13726, 13738, 13739, 13743,
   13750, 13758, 13760, 13761, 13775, 13786, 13787, 13792, 13806, 13824,
   13840, 13841, 13844, 13846, 13848, 13851, 13852, 13854, 13871, 13872,
-  13873, 13879, 13883, 13884, 13885, 13886, 13892, 13895, 13908, 13910,
-  13911, 13912, 13913, 13914, 13915, 13916, 13917, 13918, 13919, 13920,
-  13921, 13922, 13923, 13924, 13926, 13927, 13928, 13938, 13941, 13942,
-  13954, 13955, 13956, 13963, 13967, 13968, 13970, 13973, 13979, 13983,
-  13986, 13996, 14012, 14027, 14033, 14034, 14036, 14040, 14043, 14044,
-  14048, 14049, 14050, 14053, 14055, 14059, 14064, 14075, 14080, 14083,
-  14103, 14104, 14109, 14112, 14117, 14122, 14123, 14134, 14153, 14183,
-  14188, 14199, 14210, 14218, 14229, 14241
+  13873, 13879, 13882, 13883, 13884, 13885, 13886, 13892, 13895, 13908,
+  13910, 13911, 13912, 13913, 13914, 13915, 13916, 13917, 13918, 13919,
+  13920, 13921, 13922, 13923, 13924, 13926, 13927, 13928, 13938, 13941,
+  13942, 13954, 13955, 13956, 13963, 13967, 13968, 13970, 13973, 13979,
+  13983, 13986, 13996, 14012, 14027, 14033, 14034, 14036, 14040, 14043,
+  14044, 14048, 14049, 14050, 14053, 14055, 14059, 14064, 14075, 14080,
+  14083, 14103, 14104, 14109, 14112, 14117, 14122, 14123, 14134, 14153,
+  14183, 14188, 14199, 14210, 14218, 14229, 14241
 
 * Support for the x32 ABI on x86-64 added.  The x32 target is selected by
   configuring glibc with:
diff --git a/elf/dl-deps.c b/elf/dl-deps.c
index fb1c3058c0..69aec461fb 100644
--- a/elf/dl-deps.c
+++ b/elf/dl-deps.c
@@ -1,5 +1,5 @@
 /* Load the dependencies of a mapped object.
-   Copyright (C) 1996-2003, 2004, 2005, 2006, 2007, 2010, 2011
+   Copyright (C) 1996-2003, 2004-2007, 2010-2012
    Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -632,7 +632,7 @@ Filters not supported with LD_TRACE_PRELINKING"));
       /* We can skip looking for the binary itself which is at the front
 	 of the search list.  */
       i = 1;
-      char seen[nlist];
+      uint16_t seen[nlist];
       memset (seen, 0, nlist * sizeof (seen[0]));
       while (1)
 	{
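Review bot: Declaring `seen` as `uint16_t` moves the wrap-around point to 65535 rather than removing it, so if a list ever held more objects than that, a count could wrap before exceeding the new bound `nlist - i` used in the next hunk and the cycle check would not fire. The increment of `seen[]` is outside this hunk, so this is inferred from the declaration and the comparison alone. An element type as wide as the list length, e.g. `unsigned int seen[nlist];` with a matching `this_seen`, would keep counter and bound in the same range. The same applies to `_dl_sort_fini` in elf/dl-fini.c and `dl_open_worker` in elf/dl-open.c. Because `seen` is a variable-length array, any widening also grows the loader's stack use in proportion to the object count.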
@@ -658,13 +658,13 @@ Filters not supported with LD_TRACE_PRELINKING"));
 			       (k - i) * sizeof (l_initfini[0]));
 		      l_initfini[k] = thisp;
 
-		      if (seen[i + 1] > 1)
+		      if (seen[i + 1] > nlist - i)
 			{
 			  ++i;
 			  goto next_clear;
 			}
 
-		      char this_seen = seen[i];
+		      uint16_t this_seen = seen[i];
 		      memmove (&seen[i], &seen[i + 1],
 			       (k - i) * sizeof (seen[0]));
 		      seen[k] = this_seen;
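Review bot: The new test `if (seen[i + 1] > nlist - i)` carries no comment saying why `nlist - i` is the right limit, and the same unexplained bound is repeated in elf/dl-fini.c and elf/dl-open.c. I would add a line above the test such as `/* An entry moved more often than there are entries left to sort can only be part of a dependency cycle; stop reordering it.  */`, adjusted if the actual reasoning differs. The enclosing loop begins and ends outside the hunk, so the increment this bound is compared against is not visible here.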
diff --git a/elf/dl-fini.c b/elf/dl-fini.c
index 05146b3795..87cf2f1d33 100644
--- a/elf/dl-fini.c
+++ b/elf/dl-fini.c
@@ -1,5 +1,5 @@
 /* Call the termination functions of loaded shared objects.
-   Copyright (C) 1995,96,1998-2002,2004-2005,2009,2011
+   Copyright (C) 1995, 1996, 1998-2002, 2004-2005, 2009, 2011-2012
    Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -38,7 +38,7 @@ _dl_sort_fini (struct link_map **maps, size_t nmaps, char *used, Lmid_t ns)
   /* We can skip looking for the binary itself which is at the front
      of the search list for the main namespace.  */
   unsigned int i = ns == LM_ID_BASE;
-  char seen[nmaps];
+  uint16_t seen[nmaps];
   memset (seen, 0, nmaps * sizeof (seen[0]));
   while (1)
     {
@@ -78,13 +78,13 @@ _dl_sort_fini (struct link_map **maps, size_t nmaps, char *used, Lmid_t ns)
 		      used[k] = here_used;
 		    }
 
-		  if (seen[i + 1] > 1)
+		  if (seen[i + 1] > nmaps - i)
 		    {
 		      ++i;
 		      goto next_clear;
 		    }
 
-		  char this_seen = seen[i];
+		  uint16_t this_seen = seen[i];
 		  memmove (&seen[i], &seen[i + 1], (k - i) * sizeof (seen[0]));
 		  seen[k] = this_seen;
 
diff --git a/elf/dl-open.c b/elf/dl-open.c
index 570c5f8791..9fe0a7ff6a 100644
--- a/elf/dl-open.c
+++ b/elf/dl-open.c
@@ -1,5 +1,5 @@
 /* Load a shared object at runtime, relocate it, and run its initializer.
-   Copyright (C) 1996-2007, 2009, 2010, 2011, 2012 Free Software Foundation, Inc.
+   Copyright (C) 1996-2007, 2009-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -325,7 +325,7 @@ dl_open_worker (void *a)
   while (l != NULL);
   if (nmaps > 1)
     {
-      char seen[nmaps];
+      uint16_t seen[nmaps];
       memset (seen, '\0', nmaps);
       size_t i = 0;
       while (1)
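Review bot: `memset (seen, '\0', nmaps);` still passes a byte count of `nmaps`, so with two-byte elements only the first half of `seen` is cleared and the upper half keeps indeterminate stack contents. The cycle test changed later in this function reads `seen[i + 1]`, so a stale value there could make the sort skip an object that was never actually revisited. The size should follow the element type, as the other two files already do: `memset (seen, '\0', nmaps * sizeof (seen[0]));`. The loop body continues outside the hunk.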
@@ -351,13 +351,13 @@ dl_open_worker (void *a)
 			       (k - i) * sizeof (maps[0]));
 		      maps[k] = thisp;
 
-		      if (seen[i + 1] > 1)
+		      if (seen[i + 1] > nmaps - i)
 			{
 			  ++i;
 			  goto next_clear;
 			}
 
-		      char this_seen = seen[i];
+		      uint16_t this_seen = seen[i];
 		      memmove (&seen[i], &seen[i + 1],
 			       (k - i) * sizeof (seen[0]));
 		      seen[k] = this_seen;