Fix integer overflow leading to buffer overflow in strto* (#847718)

- Avoid another unbound alloca in vfprintf

glibc-rh552960-2.patch

@@ -0,0 +1,27 @@
+diff -rup a/nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_cond_wait.S b/nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_cond_wait.S
+--- a/nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_cond_wait.S	2012-02-10 12:49:42.609737373 -0700
++++ b/nptl/sysdeps/unix/sysv/linux/i386/i486/pthread_cond_wait.S	2012-02-10 12:52:00.962150379 -0700
+@@ -438,6 +438,10 @@ __pthread_cond_wait:
+ 	addl	$1, cond_futex(%ebx)
+ 	movl	cond_futex(%ebx), %ebp
+ 
++	/* Increment total_seq to ensure we do not lose wakeups.  */
++	addl	$1, total_seq(%ebx)
++	adcl	$0, total_seq+4(%ebx)
++
+ 	/* Unlock.  */
+ 	LOCK
+ #if cond_lock == 0
+diff -rup a/nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S b/nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S
+--- a/nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S	2012-02-10 12:49:42.612737361 -0700
++++ b/nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S	2012-02-10 12:52:36.179000963 -0700
+@@ -366,6 +366,9 @@ __pthread_cond_wait:
+ 	incl	cond_futex(%rdi)
+ 	movl	cond_futex(%rdi), %edx
+ 
++	/* Increment total_seq to ensure we do not lose wakeups.  */
++	incq	total_seq(%rdi)
++
+ 	/* Release internal lock.  */
+ 	LOCK
+ #if cond_lock == 0

glibc-rh730856.patch

@@ -0,0 +1,52 @@
+diff -Nrup a/resolv/res_query.c b/resolv/res_query.c
+--- a/resolv/res_query.c	2012-05-11 13:46:06.442619026 -0400
++++ b/resolv/res_query.c	2012-05-11 16:19:35.195340660 -0400
+@@ -122,6 +122,7 @@ __libc_res_nquery(res_state statp,
+ 		  int *resplen2)
+ {
+ 	HEADER *hp = (HEADER *) answer;
++	HEADER *hp2;
+ 	int n, use_malloc = 0;
+ 	u_int oflags = statp->_flags;
+ 
+@@ -239,26 +240,25 @@ __libc_res_nquery(res_state statp,
+ 	  /* __libc_res_nsend might have reallocated the buffer.  */
+ 	  hp = (HEADER *) *answerp;
+ 
+-	/* We simplify the following tests by assigning HP to HP2.  It
+-	   is easy to verify that this is the same as ignoring all
+-	   tests of HP2.  */
+-	HEADER *hp2 = answerp2 ? (HEADER *) *answerp2 : hp;
+-
+-	if (n < (int) sizeof (HEADER) && answerp2 != NULL
+-	    && *resplen2 > (int) sizeof (HEADER))
++	/* We simplify the following tests by assigning HP to HP2 or
++	   vice versa.  It is easy to verify that this is the same as
++	   ignoring all tests of HP or HP2.  */
++	if (answerp2 == NULL || *resplen2 < (int) sizeof (HEADER))
+ 	  {
+-	    /* Special case of partial answer.  */
+-	    assert (n == 0 || hp != hp2);
+-	    hp = hp2;
++	    hp2 = hp;
+ 	  }
+-	else if (answerp2 != NULL && *resplen2 < (int) sizeof (HEADER)
+-		 && n > (int) sizeof (HEADER))
++	else
+ 	  {
+-	    /* Special case of partial answer.  */
+-	    assert (hp != hp2);
+-	    hp2 = hp;
++	    hp2 = (HEADER *) *answerp2;
++	    if (n < (int) sizeof (HEADER))
++	      {
++	        hp = hp2;
++	      }
+ 	  }
+ 
++	/* Make sure both hp and hp2 are defined */
++	assert((hp != NULL) && (hp2 != NULL));
++
+ 	if ((hp->rcode != NOERROR || ntohs(hp->ancount) == 0)
+ 	    && (hp2->rcode != NOERROR || ntohs(hp2->ancount) == 0)) {
+ #ifdef DEBUG

glibc-rh769993.patch

@@ -0,0 +1,24 @@
+commit d2daaa1eb6deaa17f6c9bc110cf7d927d8dcd767
+Author: Rafael Ávila de Espíndola <rafael.espindola@gmail.com>
+Date:   Wed Dec 21 13:27:09 2011 -0800
+
+    Define x86_64 feraiseexcept inline only under __USE_EXTERN_INLINES.
+
+2011-12-19  Rafael Ávila de Espíndola  <rafael.espindola@gmail.com>
+
+	* sysdeps/x86_64/fpu/bits/fenv.h (feraiseexcept): Define it only
+	under [__USE_EXTERN_INLINES].
+
+diff --git a/sysdeps/x86_64/fpu/bits/fenv.h b/sysdeps/x86_64/fpu/bits/fenv.h
+index 4af1643..d73859c 100644
+--- a/sysdeps/x86_64/fpu/bits/fenv.h
++++ b/sysdeps/x86_64/fpu/bits/fenv.h
+@@ -97,7 +97,7 @@ fenv_t;
+ #endif
+ 
+ 
+-#ifdef __OPTIMIZE__
++#ifdef __USE_EXTERN_INLINES
+ __BEGIN_DECLS
+ 
+ /* Optimized versions.  */

glibc-rh794797.patch

@@ -0,0 +1,240 @@
+From libc-alpha-return-25252-listarch-libc-alpha=sources dot redhat dot com at sourceware dot org Thu Feb 16 16:21:17 2012
+Return-Path: <libc-alpha-return-25252-listarch-libc-alpha=sources dot redhat dot com at sourceware dot org>
+Delivered-To: listarch-libc-alpha at sources dot redhat dot com
+Received: (qmail 5187 invoked by alias); 16 Feb 2012 16:21:14 -0000
+Delivered-To: moderator for libc-alpha at sourceware dot org
+Received: (qmail 2174 invoked by uid 22791); 16 Feb 2012 16:17:18 -0000
+X-SWARE-Spam-Status: No, hits=-2.0 required=5.0
+	tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,TW_TV,TW_VB,TW_VF,T_RP_MATCHES_RCVD
+X-Spam-Check-By: sourceware.org
+Date: Thu, 16 Feb 2012 08:16:13 -0800
+From: Kees Cook <kees at outflux dot net>
+To: "Ryan S dot  Arnold" <ryan dot arnold at gmail dot com>
+Cc: libc-alpha at sourceware dot org, Paul Eggert <eggert at cs dot ucla dot edu>,
+        Roland McGrath <roland at hack dot frob dot com>,
+        Andreas Schwab <schwab at linux-m68k dot org>
+Subject: Re: [PATCH] vfprintf: validate nargs and maybe allocate from heap
+Message-ID: <20120216161613.GZ20420@outflux.net>
+References: <20120206062537.GM4979@outflux.net>
+ <20120207000509 dot GP4989 at outflux dot net>
+ <20120210192457 dot GF20420 at outflux dot net>
+ <CAAKybw8AgkGsKAx=kvX4Tsi74f+HtuVnatTCB0VfsHi7vVFi1Q at mail dot gmail dot com>
+ <20120214223048 dot GM20420 at outflux dot net>
+ <CAAKybw_HS+cav+YcDw3ns7UXu6_xA7EHPrkiB87P+OGwEB0PVQ at mail dot gmail dot com>
+ <20120214224543 dot GN20420 at outflux dot net>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20120214224543 dot GN20420 at outflux dot net>
+X-MIMEDefang-Filter: outflux$Revision: 1.316 $
+X-HELO: www.outflux.net
+Mailing-List: contact libc-alpha-help at sourceware dot org; run by ezmlm
+Precedence: bulk
+List-Id: <libc-alpha.sourceware.org>
+List-Subscribe: <mailto:libc-alpha-subscribe at sourceware dot org>
+List-Archive: <http://sourceware.org/ml/libc-alpha/>
+List-Post: <mailto:libc-alpha at sourceware dot org>
+List-Help: <mailto:libc-alpha-help at sourceware dot org>, <http://sourceware dot org/ml/#faqs>
+Sender: libc-alpha-owner at sourceware dot org
+Delivered-To: mailing list libc-alpha at sourceware dot org
+
+The nargs value can overflow when doing allocations, allowing arbitrary
+memory writes via format strings, bypassing _FORTIFY_SOURCE:
+http://www.phrack.org/issues.html?issue=67&id=9
+
+This checks for nargs overflow and possibly allocates from heap instead of
+stack, and adds a regression test for the situation.
+
+I have FSF assignment via Google. (Sent from @outflux since that's how I'm
+subscribed here, but CL shows @chromium.org as part of my Google work.)
+
+This version disables the useless test on non-32-bit platforms.
+
+2012-02-16  Kees Cook  <keescook@chromium.org>
+
+ 	[BZ #13656]
+ 	* stdio-common/vfprintf.c (vfprintf): Check for nargs overflow and
+ 	possibly allocate from heap instead of stack.
+ 	* stdio-common/bug-vfprintf-nargs.c: New file.
+ 	* stdio-common/Makefile (tests): Add nargs overflow test.
+
+diff --git a/stdio-common/Makefile b/stdio-common/Makefile
+index a847b28..080badc 100644
+--- a/stdio-common/Makefile
++++ b/stdio-common/Makefile
+@@ -59,7 +59,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
+ 	 tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \
+ 	 tst-fwrite bug16 bug17 tst-swscanf tst-sprintf2 bug18 bug18a \
+ 	 bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
+-	 scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24
++	 scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
++	 bug-vfprintf-nargs
+ 
+ test-srcs = tst-unbputc tst-printf
+ 
+diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c
+new file mode 100644
+index 0000000..13c66c0
+--- /dev/null
++++ b/stdio-common/bug-vfprintf-nargs.c
+@@ -0,0 +1,78 @@
++/* Test for vfprintf nargs allocation overflow (BZ #13656).
++   Copyright (C) 2012 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++   Contributed by Kees Cook <keescook@chromium.org>, 2012.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, write to the Free
++   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
++   02111-1307 USA.  */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <stdint.h>
++#include <unistd.h>
++#include <inttypes.h>
++#include <string.h>
++#include <signal.h>
++
++static int
++format_failed (const char *fmt, const char *expected)
++{
++  char output[80];
++
++  printf ("%s : ", fmt);
++
++  memset (output, 0, sizeof output);
++  /* Having sprintf itself detect a failure is good.  */
++  if (sprintf (output, fmt, 1, 2, 3, "test") > 0
++      && strcmp (output, expected) != 0)
++    {
++      printf ("FAIL (output '%s' != expected '%s')\n", output, expected);
++      return 1;
++    }
++  puts ("ok");
++  return 0;
++}
++
++static int
++do_test (void)
++{
++  int rc = 0;
++  char buf[64];
++
++  /* Regular positionals work.  */
++  if (format_failed ("%1$d", "1") != 0)
++    rc = 1;
++
++  /* Regular width positionals work.  */
++  if (format_failed ("%1$*2$d", " 1") != 0)
++    rc = 1;
++
++  /* Positional arguments are constructed via read_int, so nargs can only
++     overflow on 32-bit systems.  On 64-bit systems, it will attempt to
++     allocate a giant amount of memory and possibly crash, which is the
++     expected situation.  Since the 64-bit behavior is arch-specific, only
++     test this on 32-bit systems.  */
++  if (sizeof (long int) == 4)
++    {
++      sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int));
++      if (format_failed (buf, "1 %$d") != 0)
++        rc = 1;
++    }
++
++  return rc;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index 863cd5d..022e72b 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
+      0 if unknown.  */
+   int readonly_format = 0;
+ 
++  /* For the argument descriptions, which may be allocated on the heap.  */
++  void *args_malloced = NULL;
++
+   /* This table maps a character into a number representing a
+      class.  In each step there is a destination label for each
+      class.  */
+@@ -1647,9 +1650,10 @@ do_positional:
+        determine the size of the array needed to store the argument
+        attributes.  */
+     size_t nargs = 0;
+-    int *args_type;
+-    union printf_arg *args_value = NULL;
++    size_t bytes_per_arg;
++    union printf_arg *args_value;
+     int *args_size;
++    int *args_type;
+ 
+     /* Positional parameters refer to arguments directly.  This could
+        also determine the maximum number of arguments.  Track the
+@@ -1698,13 +1702,33 @@ do_positional:
+ 
+     /* Determine the number of arguments the format string consumes.  */
+     nargs = MAX (nargs, max_ref_arg);
++    bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
++                    + sizeof (*args_type);
++
++    /* Check for potential integer overflow.  */
++    if (nargs > SIZE_MAX / bytes_per_arg)
++      {
++         done = -1;
++         goto all_done;
++      }
+ 
+     /* Allocate memory for the argument descriptions.  */
+-    args_type = alloca (nargs * sizeof (int));
++    if (__libc_use_alloca (nargs * bytes_per_arg))
++        args_value = alloca (nargs * bytes_per_arg);
++    else
++      {
++        args_value = args_malloced = malloc (nargs * bytes_per_arg);
++        if (args_value == NULL)
++          {
++            done = -1;
++            goto all_done;
++          }
++      }
++
++    args_size = &args_value[nargs].pa_int;
++    args_type = &args_size[nargs];
+     memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
+-	    nargs * sizeof (int));
+-    args_value = alloca (nargs * sizeof (union printf_arg));
+-    args_size = alloca (nargs * sizeof (int));
++	    nargs * sizeof (*args_type));
+ 
+     /* XXX Could do sanity check here: If any element in ARGS_TYPE is
+        still zero after this loop, format is invalid.  For now we
+@@ -1973,8 +1997,8 @@ do_positional:
+   }
+ 
+ all_done:
+-  if (__builtin_expect (workstart != NULL, 0))
+-    free (workstart);
++  free (args_malloced);
++  free (workstart);
+   /* Unlock the stream.  */
+   _IO_funlockfile (s);
+   _IO_cleanup_region_end (0);
+-- 
+1.7.5.4
+
+-- 
+Kees Cook                                            @outflux.net
+

glibc-rh847718.patch

@@ -0,0 +1,353 @@
+diff -Nrup a/stdlib/Makefile b/stdlib/Makefile
+--- a/stdlib/Makefile	2011-10-19 05:03:31.000000000 -0600
++++ b/stdlib/Makefile	2012-08-15 10:04:53.514783877 -0600
+@@ -71,7 +71,7 @@ tests		:= tst-strtol tst-strtod testmb t
+ 		   tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \
+ 		   tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2	    \
+ 		   tst-makecontext2 tst-strtod6 tst-unsetenv1		    \
+-		   tst-makecontext3 bug-getcontext
++		   tst-makecontext3 bug-getcontext tst-strtod-overflow
+ 
+ include ../Makeconfig
+ 
+diff -Nrup a/stdlib/strtod_l.c b/stdlib/strtod_l.c
+--- a/stdlib/strtod_l.c	2011-10-19 05:03:31.000000000 -0600
++++ b/stdlib/strtod_l.c	2012-08-15 10:04:53.595783593 -0600
+@@ -62,6 +62,7 @@ extern unsigned long long int ____strtou
+ #include <math.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <stdint.h>
+ 
+ /* The gmp headers need some configuration frobs.  */
+ #define HAVE_ALLOCA 1
+@@ -176,19 +177,19 @@ extern const mp_limb_t _tens_in_limb[MAX
+ /* Return a floating point number of the needed type according to the given
+    multi-precision number after possible rounding.  */
+ static FLOAT
+-round_and_return (mp_limb_t *retval, int exponent, int negative,
++round_and_return (mp_limb_t *retval, intmax_t exponent, int negative,
+ 		  mp_limb_t round_limb, mp_size_t round_bit, int more_bits)
+ {
+   if (exponent < MIN_EXP - 1)
+     {
+-      mp_size_t shift = MIN_EXP - 1 - exponent;
+-
+-      if (shift > MANT_DIG)
++      if (exponent < MIN_EXP - 1 - MANT_DIG)
+ 	{
+ 	  __set_errno (ERANGE);
+ 	  return 0.0;
+ 	}
+ 
++      mp_size_t shift = MIN_EXP - 1 - exponent;
++
+       more_bits |= (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0;
+       if (shift == MANT_DIG)
+ 	/* This is a special case to handle the very seldom case where
+@@ -235,6 +236,9 @@ round_and_return (mp_limb_t *retval, int
+       __set_errno (ERANGE);
+     }
+ 
++  if (exponent > MAX_EXP)
++    goto overflow;
++
+   if ((round_limb & (((mp_limb_t) 1) << round_bit)) != 0
+       && (more_bits || (retval[0] & 1) != 0
+ 	  || (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0))
+@@ -260,6 +264,7 @@ round_and_return (mp_limb_t *retval, int
+     }
+ 
+   if (exponent > MAX_EXP)
++  overflow:
+     return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL;
+ 
+   return MPN2FLOAT (retval, exponent, negative);
+@@ -273,7 +278,7 @@ round_and_return (mp_limb_t *retval, int
+    factor for the resulting number (see code) multiply by it.  */
+ static const STRING_TYPE *
+ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
+-	    int *exponent
++	    intmax_t *exponent
+ #ifndef USE_WIDE_CHAR
+ 	    , const char *decimal, size_t decimal_len, const char *thousands
+ #endif
+@@ -337,7 +342,7 @@ str_to_mpn (const STRING_TYPE *str, int
+     }
+   while (--digcnt > 0);
+ 
+-  if (*exponent > 0 && cnt + *exponent <= MAX_DIG_PER_LIMB)
++  if (*exponent > 0 && *exponent <= MAX_DIG_PER_LIMB - cnt)
+     {
+       low *= _tens_in_limb[*exponent];
+       start = _tens_in_limb[cnt + *exponent];
+@@ -415,7 +420,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+ {
+   int negative;			/* The sign of the number.  */
+   MPN_VAR (num);		/* MP representation of the number.  */
+-  int exponent;			/* Exponent of the number.  */
++  intmax_t exponent;		/* Exponent of the number.  */
+ 
+   /* Numbers starting `0X' or `0x' have to be processed with base 16.  */
+   int base = 10;
+@@ -437,7 +442,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+   /* Points at the character following the integer and fractional digits.  */
+   const STRING_TYPE *expp;
+   /* Total number of digit and number of digits in integer part.  */
+-  int dig_no, int_no, lead_zero;
++  size_t dig_no, int_no, lead_zero;
+   /* Contains the last character read.  */
+   CHAR_TYPE c;
+ 
+@@ -769,7 +774,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+      are all or any is really a fractional digit will be decided
+      later.  */
+   int_no = dig_no;
+-  lead_zero = int_no == 0 ? -1 : 0;
++  lead_zero = int_no == 0 ? (size_t) -1 : 0;
+ 
+   /* Read the fractional digits.  A special case are the 'american
+      style' numbers like `16.' i.e. with decimal point but without
+@@ -791,12 +796,13 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+ 	     (base == 16 && ({ CHAR_TYPE lo = TOLOWER (c);
+ 			       lo >= L_('a') && lo <= L_('f'); })))
+ 	{
+-	  if (c != L_('0') && lead_zero == -1)
++	  if (c != L_('0') && lead_zero == (size_t) -1)
+ 	    lead_zero = dig_no - int_no;
+ 	  ++dig_no;
+ 	  c = *++cp;
+ 	}
+     }
++  assert (dig_no <= (uintmax_t) INTMAX_MAX);
+ 
+   /* Remember start of exponent (if any).  */
+   expp = cp;
+@@ -819,24 +825,80 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+ 
+       if (c >= L_('0') && c <= L_('9'))
+ 	{
+-	  int exp_limit;
++	  intmax_t exp_limit;
+ 
+ 	  /* Get the exponent limit. */
+ 	  if (base == 16)
+-	    exp_limit = (exp_negative ?
+-			 -MIN_EXP + MANT_DIG + 4 * int_no :
+-			 MAX_EXP - 4 * int_no + 4 * lead_zero + 3);
++	    {
++	      if (exp_negative)
++		{
++		  assert (int_no <= (uintmax_t) (INTMAX_MAX
++						 + MIN_EXP - MANT_DIG) / 4);
++		  exp_limit = -MIN_EXP + MANT_DIG + 4 * (intmax_t) int_no;
++		}
++	      else
++		{
++		  if (int_no)
++		    {
++		      assert (lead_zero == 0
++			      && int_no <= (uintmax_t) INTMAX_MAX / 4);
++		      exp_limit = MAX_EXP - 4 * (intmax_t) int_no + 3;
++		    }
++		  else if (lead_zero == (size_t) -1)
++		    {
++		      /* The number is zero and this limit is
++			 arbitrary.  */
++		      exp_limit = MAX_EXP + 3;
++		    }
++		  else
++		    {
++		      assert (lead_zero
++			      <= (uintmax_t) (INTMAX_MAX - MAX_EXP - 3) / 4);
++		      exp_limit = (MAX_EXP
++				   + 4 * (intmax_t) lead_zero
++				   + 3);
++		    }
++		}
++	    }
+ 	  else
+-	    exp_limit = (exp_negative ?
+-			 -MIN_10_EXP + MANT_DIG + int_no :
+-			 MAX_10_EXP - int_no + lead_zero + 1);
++	    {
++	      if (exp_negative)
++		{
++		  assert (int_no
++			  <= (uintmax_t) (INTMAX_MAX + MIN_10_EXP - MANT_DIG));
++		  exp_limit = -MIN_10_EXP + MANT_DIG + (intmax_t) int_no;
++		}
++	      else
++		{
++		  if (int_no)
++		    {
++		      assert (lead_zero == 0
++			      && int_no <= (uintmax_t) INTMAX_MAX);
++		      exp_limit = MAX_10_EXP - (intmax_t) int_no + 1;
++		    }
++		  else if (lead_zero == (size_t) -1)
++		    {
++		      /* The number is zero and this limit is
++			 arbitrary.  */
++		      exp_limit = MAX_10_EXP + 1;
++		    }
++		  else
++		    {
++		      assert (lead_zero
++			      <= (uintmax_t) (INTMAX_MAX - MAX_10_EXP - 1));
++		      exp_limit = MAX_10_EXP + (intmax_t) lead_zero + 1;
++		    }
++		}
++	    }
++
++	  if (exp_limit < 0)
++	    exp_limit = 0;
+ 
+ 	  do
+ 	    {
+-	      exponent *= 10;
+-	      exponent += c - L_('0');
+-
+-	      if (__builtin_expect (exponent > exp_limit, 0))
++	      if (__builtin_expect ((exponent > exp_limit / 10
++				     || (exponent == exp_limit / 10
++					 && c - L_('0') > exp_limit % 10)), 0))
+ 		/* The exponent is too large/small to represent a valid
+ 		   number.  */
+ 		{
+@@ -845,7 +907,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+ 		  /* We have to take care for special situation: a joker
+ 		     might have written "0.0e100000" which is in fact
+ 		     zero.  */
+-		  if (lead_zero == -1)
++		  if (lead_zero == (size_t) -1)
+ 		    result = negative ? -0.0 : 0.0;
+ 		  else
+ 		    {
+@@ -864,6 +926,9 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+ 		  /* NOTREACHED */
+ 		}
+ 
++	      exponent *= 10;
++	      exponent += c - L_('0');
++
+ 	      c = *++cp;
+ 	    }
+ 	  while (c >= L_('0') && c <= L_('9'));
+@@ -932,7 +997,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+ 	}
+ #endif
+       startp += lead_zero + decimal_len;
+-      exponent -= base == 16 ? 4 * lead_zero : lead_zero;
++      assert (lead_zero <= (base == 16
++			    ? (uintmax_t) INTMAX_MAX / 4
++			    : (uintmax_t) INTMAX_MAX));
++      assert (lead_zero <= (base == 16
++			    ? ((uintmax_t) exponent
++			       - (uintmax_t) INTMAX_MIN) / 4
++			    : ((uintmax_t) exponent - (uintmax_t) INTMAX_MIN)));
++      exponent -= base == 16 ? 4 * (intmax_t) lead_zero : (intmax_t) lead_zero;
+       dig_no -= lead_zero;
+     }
+ 
+@@ -974,7 +1046,10 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+ 	}
+ 
+       /* Adjust the exponent for the bits we are shifting in.  */
+-      exponent += bits - 1 + (int_no - 1) * 4;
++      assert (int_no <= (uintmax_t) (exponent < 0
++				     ? (INTMAX_MAX - bits + 1) / 4
++				     : (INTMAX_MAX - exponent - bits + 1) / 4));
++      exponent += bits - 1 + ((intmax_t) int_no - 1) * 4;
+ 
+       while (--dig_no > 0 && idx >= 0)
+ 	{
+@@ -1014,13 +1089,15 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+      really integer digits or belong to the fractional part; i.e. we normalize
+      123e-2 to 1.23.  */
+   {
+-    register int incr = (exponent < 0 ? MAX (-int_no, exponent)
+-			 : MIN (dig_no - int_no, exponent));
++    register intmax_t incr = (exponent < 0
++			      ? MAX (-(intmax_t) int_no, exponent)
++			      : MIN ((intmax_t) dig_no - (intmax_t) int_no,
++				     exponent));
+     int_no += incr;
+     exponent -= incr;
+   }
+ 
+-  if (__builtin_expect (int_no + exponent > MAX_10_EXP + 1, 0))
++  if (__builtin_expect (exponent > MAX_10_EXP + 1 - (intmax_t) int_no, 0))
+     {
+       __set_errno (ERANGE);
+       return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL;
+@@ -1205,7 +1282,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+        digits we should have enough bits for the result.  The remaining
+        decimal digits give us the information that more bits are following.
+        This can be used while rounding.  (Two added as a safety margin.)  */
+-    if (dig_no - int_no > (MANT_DIG - bits + 2) / 3 + 2)
++    if ((intmax_t) dig_no > (intmax_t) int_no + (MANT_DIG - bits + 2) / 3 + 2)
+       {
+ 	dig_no = int_no + (MANT_DIG - bits + 2) / 3 + 2;
+ 	more_bits = 1;
+@@ -1213,7 +1290,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group
+     else
+       more_bits = 0;
+ 
+-    neg_exp = dig_no - int_no - exponent;
++    neg_exp = (intmax_t) dig_no - (intmax_t) int_no - exponent;
+ 
+     /* Construct the denominator.  */
+     densize = 0;
+diff -Nrup a/stdlib/tst-strtod-overflow.c b/stdlib/tst-strtod-overflow.c
+--- a/stdlib/tst-strtod-overflow.c	1969-12-31 17:00:00.000000000 -0700
++++ b/stdlib/tst-strtod-overflow.c	2012-08-15 10:04:54.483780474 -0600
+@@ -0,0 +1,48 @@
++/* Test for integer/buffer overflow in strtod.
++   Copyright (C) 2012 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++#define EXPONENT "e-2147483649"
++#define SIZE 214748364
++
++static int
++do_test (void)
++{
++  char *p = malloc (1 + SIZE + sizeof (EXPONENT));
++  if (p == NULL)
++    {
++      puts ("malloc failed, cannot test for overflow");
++      return 0;
++    }
++  p[0] = '1';
++  memset (p + 1, '0', SIZE);
++  memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
++  double d = strtod (p, NULL);
++  if (d != 0)
++    {
++      printf ("strtod returned wrong value: %a\n", d);
++      return 1;
++    }
++  return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"

glibc.spec

@@ -28,7 +28,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 24%{?dist}.3
+Release: 24%{?dist}.9
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -55,6 +55,13 @@ Patch11: %{name}-rh758252.patch
 Patch12: %{name}-rh767746.patch
 Patch13: %{name}-rh552960.patch
 Patch14: %{name}-rh767696.patch
+Patch15: %{name}-rh552960-2.patch
+Patch16: %{name}-rh769993.patch
+Patch17: %{name}-rh794797.patch
+Patch18: %{name}-rh730856.patch
+Patch19: %{name}-rh841318.patch
+Patch20: %{name}-rh847718.patch
+
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Obsoletes: glibc-profile < 2.4
 Obsoletes: nss_db
@@ -284,8 +291,14 @@ rm -rf %{glibcportsdir}
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
-%patch13 -p1
+#%patch13 -p1
 %patch14 -p1
+#%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
 
 # A lot of programs still misuse memcpy when they have to use
 # memmove. The memcpy implementation below is not tolerant at
@@ -1138,6 +1151,26 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Wed Aug 15 2012 Jeff Law <law@redhat.com> - 2.14.90-24.fc16.9
+  - Fix integer overflow leading to buffer overflow in strto* (#847718)
+
+* Tue Jul 31 2012 Patsy Franklin <patsy@redhat.com> - 2.14.90-24.fc16.8
+  - Avoid unbound alloca in vfprintf.  (#841318)
+
+* Wed May 9 2012 Patsy Franklin <patsy@redhat.com> - 2.14.90-24.fc16.7
+  - Fix reply buffer mismanagement in resolver.  (#730856)
+
+* Mon Feb 20 2012 Jeff Law <law@redhat.com> - 2.14.90-24.fc16.6
+  - Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE (#794797)
+  - Disable 552960/769421 patches again, they're still not right.
+
+* Fri Feb 10 2012 Jeff Law <law@redhat.com> - 2.14.90-24.fc16.5
+  - Fix lost wakeups in pthread_cond_*.  (#552960, #769421)
+  - Define x86_64 feraiseexcept inline only under __USE_EXTERN_INLINES (#769993).
+
+* Thu Dec 22 2011 Jeff Law <law@redhat.com> - 2.14.90-24.fc16.4
+  - Revert change for 552960, it's causing multiple problems.
+
 * Sun Dec 18 2011 Jeff Law <law@redhat.com> - 2.14.90-24.fc16.3
   - Check values from TZ file header (#767696)
   - Handle EAGAIN from FUTEX_WAIT_REQUEUE_PI (#552960)