From c1ae8095f64571012bee02b1adecad7f2eedfd9d Mon Sep 17 00:00:00 2001
From: Jeff Law
Date: Mon, 19 Dec 2011 05:01:18 +0000
Subject: [PATCH] Check values from TZ file header (#767696)
---
 glibc-rh767696.patch | 82 ++++++++++++++++++++++++++++++++++++++++++++
 glibc.spec | 8 +++--
 2 files changed, 88 insertions(+), 2 deletions(-)
 create mode 100644 glibc-rh767696.patch
diff --git a/glibc-rh767696.patch b/glibc-rh767696.patch
new file mode 100644
index 0000000..0536efa
--- /dev/null
+++ b/glibc-rh767696.patch
@@ -0,0 +1,82 @@
+commit 97ac2654b2d831acaa18a2b018b0736245903fd2
+Author: Ulrich Drepper
+Date: Sat Dec 17 20:18:42 2011 -0500
+
+ Check values from TZ file header
+
+
+ [BZ #13506]
+ * time/tzfile.c (__tzfile_read): Check values from file header.
+
+diff --git a/time/tzfile.c b/time/tzfile.c
+index 144e20b..402389c 100644
+--- a/time/tzfile.c
++++ b/time/tzfile.c
+@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
+ goto read_again;
+ }
+
++ if (__builtin_expect (num_transitions
++ > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
++ / (sizeof (time_t) + 1)), 0))
++ goto lose;
+ total_size = num_transitions * (sizeof (time_t) + 1);
+ total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
+ & ~(__alignof__ (struct ttinfo) - 1));
+ types_idx = total_size;
+- total_size += num_types * sizeof (struct ttinfo) + chars;
++ if (__builtin_expect (num_types
++ > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
++ goto lose;
++ total_size += num_types * sizeof (struct ttinfo);
++ if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
++ goto lose;
++ total_size += chars;
++ if (__builtin_expect (__alignof__ (struct leap) - 1
++ > SIZE_MAX - total_size, 0))
++ goto lose;
+ total_size = ((total_size + __alignof__ (struct leap) - 1)
+ & ~(__alignof__ (struct leap) - 1));
+ leaps_idx = total_size;
++ if (__builtin_expect (num_leaps
++ > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
++ goto lose;
+ total_size += num_leaps * sizeof (struct leap);
+- tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
+- ? st.st_size - (ftello (f)
+- + num_transitions * (8 + 1)
+- + num_types * 6
+- + chars
+- + num_leaps * 12
+- + num_isstd
+- + num_isgmt) - 1 : 0);
++ tzspec_len = 0;
++ if (sizeof (time_t) == 8 && trans_width == 8)
++ {
++ off_t rem = st.st_size - ftello (f);
++ if (__builtin_expect (rem < 0
++ || (size_t) rem < (num_transitions * (8 + 1)
++ + num_types * 6
++ + chars), 0))
++ goto lose;
++ tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
++ + num_types * 6
++ + chars);
++ if (__builtin_expect (num_leaps > SIZE_MAX / 12
++ || tzspec_len < num_leaps * 12, 0))
++ goto lose;
++ tzspec_len -= num_leaps * 12;
++ if (__builtin_expect (tzspec_len < num_isstd, 0))
++ goto lose;
++ tzspec_len -= num_isstd;
++ if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
++ goto lose;
++ tzspec_len -= num_isgmt + 1;
++ if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
++ goto lose;
++ }
++ if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
++ goto lose;
+
+ /* Allocate enough memory including the extra block requested by the
+ caller. */
diff --git a/glibc.spec b/glibc.spec
index de61668..70c4175 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -54,6 +54,7 @@ Patch10: %{name}-rh750811.patch
 Patch11: %{name}-rh758252.patch
 Patch12: %{name}-rh767746.patch
 Patch13: %{name}-rh552960.patch
+Patch14: %{name}-rh767696.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Obsoletes: glibc-profile < 2.4
 Obsoletes: nss_db
@@ -284,6 +285,7 @@ rm -rf %{glibcportsdir}
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 # A lot of programs still misuse memcpy when they have to use
 # memmove. The memcpy implementation below is not tolerant at
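Review bot: The guard `tzspec == 0 || tzspec_len - 1 < num_isgmt` in the added 64-bit branch of glibc-rh767696.patch tests `tzspec`, while every neighbouring check works on `tzspec_len`; this looks like a typo for `tzspec_len == 0`. As written, a header that leaves `tzspec_len` at 0 after the `num_isstd` subtraction makes `tzspec_len - 1` wrap to `SIZE_MAX`, so the length comparison is not what rejects it, and the outcome depends on `tzspec`, which is declared outside the hunk (presumably a pointer, so the result may also depend on state left by an earlier load). I would write `if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))`. The body of `__tzfile_read` starts and ends outside the hunk, so the `lose` path and the allocation that consumes `total_size`, `tzspec_len` and `extra` still need to be read against the full file.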
@@ -1136,10 +1138,12 @@ rm -f *.filelist*
 %endif
 %changelog
-* Fri Dec 16 2011 Jeff Law - 2.14.90-24.fc16.1
+* Sun Dec 18 2011 Jeff Law - 2.14.90-24.fc16.1
+ - Check values from TZ file header (#767696)
 - Handle EAGAIN from FUTEX_WAIT_REQUEUE_PI (#552960)
 - Add {dist}.#
 - Correct return value from pthread_create when stack alloction fails.
+ (#767746)
 * Wed Dec 7 2011 Jeff Law - 2.14.90-23
 - Fix a wrong constant in powerpc hypot implementation (#750811)
@@ -1148,7 +1152,7 @@ rm -f *.filelist*
 - Truncate time values in Linux futimes when falling back to utime
 * Mon Dec 5 2011 Jeff Law - 2.14.90-22
- - Mark fortified __FD_ELT as extension
+ - Mark fortified __FD_ELT as extension (#761021)
 - Fix typo in manual (#708455)
 * Wed Nov 30 2011 Jeff Law - 2.14.90-21