This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



[PATCH 2/2][BZ #14547] Fix CVE-2012-4412


Hi,

This is the second patch that completes the fix to CVE-2012-4412.  The
reproducer in pr#14547 should be fixed with this patch.  I did not
make a test case out of the reproducer since it would be much too
slow.

I have also verified that there are no regressions in the testsuite
due to this fix.

Siddhesh

	[BZ #14547]
	* string/strcoll_l.c (STRCOLL): Skip allocating memory for
	cache if string sizes may cause integer overflow.

diff --git a/string/strcoll_l.c b/string/strcoll_l.c
index 37f802e..ec630fe 100644
--- a/string/strcoll_l.c
+++ b/string/strcoll_l.c
@@ -524,6 +524,14 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
   memset (&seq1, 0, sizeof (seq1));
   seq2 = seq1;
 
+  size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1);
+
+  /* If the strings are long enough to cause overflow in the size request, then
+     skip the allocation and proceed with the non-cached routines.  */
+  if (MIN (s1len, s2len) > size_max
+      || MAX (s1len, s2len) > size_max - MIN (s1len, s2len))
+    goto begin_collate;
+
   if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1)))
     {
       seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1));
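Review bot: the guard is correct, but the MIN/MAX form at `if (MIN (s1len, s2len) > size_max` / `|| MAX (s1len, s2len) > size_max - MIN (s1len, s2len))` evaluates MIN twice and obscures what is being tested; the equivalent `if (s1len > size_max || s2len > size_max - s1len)` reads directly as the precondition for `(s1len + s2len) * (sizeof (int32_t) + 1)` to fit in size_t: once s1len <= size_max the subtraction cannot wrap, and the second comparison is s1len + s2len <= size_max without ever forming the sum. Two things to confirm that the hunk does not show: that SIZE_MAX's header is already included in this file, and that the `goto begin_collate` path leaves seq1.idxarr and seq2.idxarr as the zeroed values from the `memset (&seq1, 0, ...)` / `seq2 = seq1` lines above, since the code after the label must treat those as "no cache".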
@@ -546,8 +554,10 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
       seq2.rulearr = (unsigned char *) alloca (s2len);
     }
 
-  int rule = 0;
+  int rule;
 
+ begin_collate:
+  rule = 0;
   /* Cache values in the first pass and if needed, use them in subsequent
      passes.  */
   for (int pass = 0; pass < nrules; ++pass)
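Review bot: splitting `int rule = 0;` into `int rule;` and `rule = 0;` after the `begin_collate:` label is required, not cosmetic: the new `goto begin_collate` jumps past the point where the initializer would have run, so keeping `int rule = 0;` would leave `rule` uninitialized on the overflow path. A one-line comment at the label saying so would stop a later cleanup from merging the two lines again. Also, because the label sits after the alloca/malloc block, the collation loop that starts at `for (int pass = 0; pass < nrules; ++pass)` runs with no idxarr/rulearr storage on that path; echoing the earlier "proceed with the non-cached routines" remark at the label would make that dependency visible in the hunk where the loop begins.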

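The overflow check the ChangeLog entry describes, worked as an added example; this is not glibc code and not part of the patch above. It reproduces the patch's guard, an equivalent simplified form, a checked size helper a caller could use in place of the raw expression, and the unchecked pre-patch expression to show what the wrapped request looks like. The element size and bound follow the hunk; the function names (patch_overflow_guard, cache_size_overflows, checked_cache_bytes, unchecked_cache_bytes) and the probe values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Each cached element is one int32_t index plus one rule byte, matching the
   (s1len + s2len) * (sizeof (int32_t) + 1) request in strcoll_l.c.  */
#define CACHE_ELEM_SIZE (sizeof (int32_t) + 1)

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Largest element count whose byte size still fits in size_t (the patch's
   size_max).  */
static const size_t cache_size_max = SIZE_MAX / CACHE_ELEM_SIZE;

/* The guard exactly as the patch writes it; true means "skip the cache".  */
bool patch_overflow_guard (size_t s1len, size_t s2len)
{
  return MIN (s1len, s2len) > cache_size_max
         || MAX (s1len, s2len) > cache_size_max - MIN (s1len, s2len);
}

/* Equivalent check without MIN/MAX (hypothetical name).  Once
   s1len <= cache_size_max the subtraction cannot wrap, and
   s2len <= cache_size_max - s1len is s1len + s2len <= cache_size_max
   without ever computing the sum.  */
bool cache_size_overflows (size_t s1len, size_t s2len)
{
  return s1len > cache_size_max || s2len > cache_size_max - s1len;
}

/* Checked size computation (hypothetical helper): writes the byte count
   only when it is representable and returns false otherwise.  */
bool checked_cache_bytes (size_t s1len, size_t s2len, size_t *bytes)
{
  if (cache_size_overflows (s1len, s2len))
    return false;
  *bytes = (s1len + s2len) * CACHE_ELEM_SIZE;
  return true;
}

/* The unchecked pre-patch expression, kept to show the wrapped result.  */
size_t unchecked_cache_bytes (size_t s1len, size_t s2len)
{
  return (s1len + s2len) * CACHE_ELEM_SIZE;
}

int main (void)
{
  /* Constructed probe lengths around the boundary.  */
  size_t probes[][2] = {
    { 10, 20 },                                          /* ordinary input */
    { cache_size_max, 0 },                               /* largest fitting request */
    { cache_size_max + 1, 0 },                           /* one element too many */
    { cache_size_max / 2 + 1, cache_size_max / 2 + 1 },  /* overflow only in the product */
    { SIZE_MAX, SIZE_MAX },                              /* the sum itself wraps */
  };

  for (size_t i = 0; i < sizeof probes / sizeof probes[0]; ++i)
    {
      size_t a = probes[i][0], b = probes[i][1], n = 0;
      bool ok = checked_cache_bytes (a, b, &n);
      printf ("s1len=%zu s2len=%zu -> %s (unchecked expression gives %zu)\n",
              a, b, ok ? "allocate cache" : "skip cache",
              unchecked_cache_bytes (a, b));
    }
  return 0;
}
```

The interesting probe is `cache_size_max + 1`: the unchecked expression wraps to a handful of bytes, far smaller than the strings it was meant to index, which is the undersized allocation the guard prevents.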
