From 325241608584653c1275a2ea28ce349a04fc4d28 Mon Sep 17 00:00:00 2001 From: Paul Pluzhnikov Date: Sun, 22 Feb 2015 12:01:47 -0800 Subject: Fix BZ #17269 -- _IO_wstr_overflow integer overflow (cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33) Conflicts: NEWS --- ChangeLog | 6 ++++++ NEWS | 2 +- libio/wstrops.c | 8 +++++++- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 79a59d59cd..435d1899e2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2015-12-30 Paul Pluzhnikov + + [BZ #17269] + * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow + (enlarge_userbuf): Likewise. + 2015-12-30 Andreas Schwab [BZ #18032] diff --git a/NEWS b/NEWS index 3ae421139d..0196d047aa 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,7 @@ Version 2.18.1 * The following bugs are resolved with this release: 15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916, - 16943, 16958, 18032, 18928, 19018. + 16943, 16958, 17269, 18032, 18928, 19018. * The LD_POINTER_GUARD environment variable can no longer be used to disable the pointer guard feature. It is always enabled. diff --git a/libio/wstrops.c b/libio/wstrops.c index 828393081e..19193e4826 100644 --- a/libio/wstrops.c +++ b/libio/wstrops.c @@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c) wchar_t *old_buf = fp->_wide_data->_IO_buf_base; size_t old_wblen = _IO_wblen (fp); _IO_size_t new_size = 2 * old_wblen + 100; - if (new_size < old_wblen) + + if (__glibc_unlikely (new_size < old_wblen) + || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t))) return EOF; + new_buf = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size * sizeof (wchar_t)); @@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading) return 1; _IO_size_t newsize = offset + 100; + if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t))) + return 1; + wchar_t *oldbuf = wd->_IO_buf_base; wchar_t *newbuf = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize -- cgit 1.4.1