This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch release/2.21/master updated. glibc-2.21-16-g163437e
- From: aurel32 at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 23 Jan 2016 20:36:07 -0000
- Subject: GNU C Library master sources branch release/2.21/master updated. glibc-2.21-16-g163437e
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.21/master has been updated
via 163437ec37ea32e82469de9b6cbed0d7209551c1 (commit)
via f676ce661cc319c0a984b93e4879aa717fb6240b (commit)
via 907cc11c576a21ea6df5f5ad0a2b1dc3b55dd553 (commit)
from dbcaca73cb0a19698ea1b424087e8997a9b7c3c4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=163437ec37ea32e82469de9b6cbed0d7209551c1
commit 163437ec37ea32e82469de9b6cbed0d7209551c1
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sat Sep 26 13:27:48 2015 -0700
Fix BZ #18985 -- out of range data to strftime() causes a segfault
(cherry picked from commit d36c75fc0d44deec29635dd239b0fbd206ca49b7)
diff --git a/ChangeLog b/ChangeLog
index c27d586..a3182f0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #18985]
+ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
+ (__strftime_internal): Likewise.
+ * time/tst-strftime.c (do_bz18985): New test.
+ (do_test): Call it.
+
2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #17905]
diff --git a/NEWS b/NEWS
index a48ed48..e659b75 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.21.1
* The following bugs are resolved with this release:
- 17269, 17905, 17949, 18007, 18032, 18287, 18694, 18887.
+ 17269, 17905, 17949, 18007, 18032, 18287, 18694, 18887, 18985.
* A buffer overflow in gethostbyname_r and related functions performing DNS
requests has been fixed. If the NSS functions were called with a
diff --git a/time/strftime_l.c b/time/strftime_l.c
index b48ef34..4eb647c 100644
--- a/time/strftime_l.c
+++ b/time/strftime_l.c
@@ -510,13 +510,17 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument
only a few elements. Dereference the pointers only if the format
requires this. Then it is ok to fail if the pointers are invalid. */
# define a_wkday \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
# define f_wkday \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
# define a_month \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
# define f_month \
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
# define ampm \
((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
? NLW(PM_STR) : NLW(AM_STR)))
@@ -526,8 +530,10 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument
# define ap_len STRLEN (ampm)
#else
# if !HAVE_STRFTIME
-# define f_wkday (weekday_name[tp->tm_wday])
-# define f_month (month_name[tp->tm_mon])
+# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \
+ ? "?" : weekday_name[tp->tm_wday])
+# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \
+ ? "?" : month_name[tp->tm_mon])
# define a_wkday f_wkday
# define a_month f_month
# define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
@@ -1321,7 +1327,7 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument
*tzset_called = true;
}
# endif
- zone = tzname[tp->tm_isdst];
+ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
}
#endif
if (! zone)
diff --git a/time/tst-strftime.c b/time/tst-strftime.c
index 374fba4..af3ff72 100644
--- a/time/tst-strftime.c
+++ b/time/tst-strftime.c
@@ -4,6 +4,56 @@
#include <time.h>
+static int
+do_bz18985 (void)
+{
+ char buf[1000];
+ struct tm ttm;
+ int rc, ret = 0;
+
+ memset (&ttm, 1, sizeof (ttm));
+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+
+ if (rc == 66)
+ {
+ const char expected[]
+ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
+ if (0 != strcmp (buf, expected))
+ {
+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
+ ret += 1;
+ }
+ }
+ else
+ {
+ printf ("expected 66, got %d\n", rc);
+ ret += 1;
+ }
+
+ /* Check negative values as well. */
+ memset (&ttm, 0xFF, sizeof (ttm));
+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+
+ if (rc == 30)
+ {
+ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
+ if (0 != strcmp (buf, expected))
+ {
+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
+ ret += 1;
+ }
+ }
+ else
+ {
+ printf ("expected 30, got %d\n", rc);
+ ret += 1;
+ }
+
+ return ret;
+}
+
static struct
{
const char *fmt;
@@ -104,7 +154,7 @@ do_test (void)
}
}
- return result;
+ return result + do_bz18985 ();
}
#define TEST_FUNCTION do_test ()
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f676ce661cc319c0a984b93e4879aa717fb6240b
commit f676ce661cc319c0a984b93e4879aa717fb6240b
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sat Aug 8 15:54:40 2015 -0700
Fix trailing space.
(cherry picked from commit 7565d2a862683a3c26ffb1f32351b8c5ab9f7b31)
diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c
index 140de72..0886938 100644
--- a/catgets/tst-catgets.c
+++ b/catgets/tst-catgets.c
@@ -30,7 +30,7 @@ do_bz17905 (void)
rl.rlim_cur = sz;
setrlimit (RLIMIT_STACK, &rl);
- buf = malloc (sz + 1);
+ buf = malloc (sz + 1);
memset (buf, 'A', sz);
buf[sz] = '\0';
setenv ("NLSPATH", buf, 1);
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=907cc11c576a21ea6df5f5ad0a2b1dc3b55dd553
commit 907cc11c576a21ea6df5f5ad0a2b1dc3b55dd553
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sat Aug 8 15:53:03 2015 -0700
Fix BZ #17905
(cherry picked from commit 0f58539030e436449f79189b6edab17d7479796e)
diff --git a/ChangeLog b/ChangeLog
index 07419aa..c27d586 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17905]
+ * catgets/Makefile (tst-catgets-mem): New test.
+ * catgets/catgets.c (catopen): Don't use unbounded alloca.
+ * catgets/open_catalog.c (__open_catalog): Likewise.
+ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
+
2015-05-01 Szabolcs Nagy <szabolcs.nagy@arm.com>
* config.h.in (HAVE_AARCH64_BE): Add.
diff --git a/NEWS b/NEWS
index 3014c08..a48ed48 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,7 @@ Version 2.21.1
* The following bugs are resolved with this release:
- 17269, 17949, 18007, 18032, 18287, 18694, 18887.
+ 17269, 17905, 17949, 18007, 18032, 18287, 18694, 18887.
* A buffer overflow in gethostbyname_r and related functions performing DNS
requests has been fixed. If the NSS functions were called with a
diff --git a/catgets/Makefile b/catgets/Makefile
index 4624a88..56de38b 100644
--- a/catgets/Makefile
+++ b/catgets/Makefile
@@ -34,6 +34,7 @@ test-srcs = test-gencat
ifeq ($(run-built-tests),yes)
tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
$(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
+tests-special += $(objpfx)tst-catgets-mem.out
endif
gencat-modules = xmalloc
@@ -50,9 +51,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcatdir)/%L/%N:$(msgcatdir)/%L/LC_MESSAGES/%
generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
test-gencat.h
+generated += tst-catgets.mtrace tst-catgets-mem.out
+
generated-dirs += de
-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
+tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
ifeq ($(run-built-tests),yes)
# This test just checks whether the program produces any error or not.
@@ -86,4 +89,8 @@ $(objpfx)test-gencat.out: test-gencat.sh $(objpfx)test-gencat \
$(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
$(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
$(evaluate-test)
+
+$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
+ $(evaluate-test)
endif
diff --git a/catgets/catgets.c b/catgets/catgets.c
index cf93d56..4be452d 100644
--- a/catgets/catgets.c
+++ b/catgets/catgets.c
@@ -16,7 +16,6 @@
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
-#include <alloca.h>
#include <errno.h>
#include <locale.h>
#include <nl_types.h>
@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
__nl_catd result;
const char *env_var = NULL;
const char *nlspath = NULL;
+ char *tmp = NULL;
if (strchr (cat_name, '/') == NULL)
{
@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
{
/* Append the system dependent directory. */
size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
- char *tmp = alloca (len);
+ tmp = malloc (len);
+
+ if (__glibc_unlikely (tmp == NULL))
+ return (nl_catd) -1;
__stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
nlspath = tmp;
@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
result = (__nl_catd) malloc (sizeof (*result));
if (result == NULL)
- /* We cannot get enough memory. */
- return (nl_catd) -1;
-
- if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+ {
+ /* We cannot get enough memory. */
+ result = (nl_catd) -1;
+ }
+ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
{
/* Couldn't open the file. */
free ((void *) result);
- return (nl_catd) -1;
+ result = (nl_catd) -1;
}
+ free (tmp);
return (nl_catd) result;
}
diff --git a/catgets/open_catalog.c b/catgets/open_catalog.c
index e069416..9f4d776 100644
--- a/catgets/open_catalog.c
+++ b/catgets/open_catalog.c
@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
size_t tab_size;
const char *lastp;
int result = -1;
+ char *buf = NULL;
if (strchr (cat_name, '/') != NULL || nlspath == NULL)
fd = open_not_cancel_2 (cat_name, O_RDONLY);
@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
if (__glibc_unlikely (bufact + (n) >= bufmax)) \
{ \
char *old_buf = buf; \
- bufmax += 256 + (n); \
- buf = (char *) alloca (bufmax); \
- memcpy (buf, old_buf, bufact); \
+ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
+ buf = realloc (buf, bufmax); \
+ if (__glibc_unlikely (buf == NULL)) \
+ { \
+ free (old_buf); \
+ return -1; \
+ } \
}
/* The RUN_NLSPATH variable contains a colon separated list of
descriptions where we expect to find catalogs. We have to
recognize certain % substitutions and stop when we found the
first existing file. */
- char *buf;
size_t bufact;
- size_t bufmax;
+ size_t bufmax = 0;
size_t len;
- buf = NULL;
- bufmax = 0;
-
fd = -1;
while (*run_nlspath != '\0')
{
@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
/* Avoid dealing with directories and block devices */
if (__builtin_expect (fd, 0) < 0)
- return -1;
+ {
+ free (buf);
+ return -1;
+ }
if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
goto close_unlock_return;
@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var,
/* Release the lock again. */
close_unlock_return:
close_not_cancel_no_status (fd);
+ free (buf);
return result;
}
diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c
index a0a4089..140de72 100644
--- a/catgets/tst-catgets.c
+++ b/catgets/tst-catgets.c
@@ -1,7 +1,10 @@
+#include <assert.h>
#include <mcheck.h>
#include <nl_types.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
+#include <sys/resource.h>
static const char *msgs[] =
@@ -12,6 +15,33 @@ static const char *msgs[] =
};
#define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
+
+/* Test for unbounded alloca. */
+static int
+do_bz17905 (void)
+{
+ char *buf;
+ struct rlimit rl;
+ nl_catd result;
+
+ const int sz = 1024 * 1024;
+
+ getrlimit (RLIMIT_STACK, &rl);
+ rl.rlim_cur = sz;
+ setrlimit (RLIMIT_STACK, &rl);
+
+ buf = malloc (sz + 1);
+ memset (buf, 'A', sz);
+ buf[sz] = '\0';
+ setenv ("NLSPATH", buf, 1);
+
+ result = catopen (buf, NL_CAT_LOCALE);
+ assert (result == (nl_catd) -1);
+
+ free (buf);
+ return 0;
+}
+
#define ROUNDS 5
static int
@@ -62,6 +92,7 @@ do_test (void)
}
}
+ result += do_bz17905 ();
return result;
}
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 16 ++++++++++++++
NEWS | 2 +-
catgets/Makefile | 9 +++++++-
catgets/catgets.c | 19 +++++++++++------
catgets/open_catalog.c | 23 ++++++++++++--------
catgets/tst-catgets.c | 31 ++++++++++++++++++++++++++++
time/strftime_l.c | 20 ++++++++++++------
time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++-
8 files changed, 146 insertions(+), 26 deletions(-)
hooks/post-receive
--
GNU C Library master sources