diff options
Diffstat (limited to 'patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch')
-rw-r--r-- | patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch | 95 |
1 files changed, 0 insertions, 95 deletions
diff --git a/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch deleted file mode 100644 index 4ff5a63..0000000 --- a/patches/glibc-2.20/0004-CVE-2015-1472-wscanf-allocates-too-little-memory.patch +++ /dev/null @@ -1,95 +0,0 @@ -From: Paul Pluzhnikov <ppluzhnikov@google.com> -Date: Fri, 6 Feb 2015 00:30:42 -0500 -Subject: [PATCH] CVE-2015-1472: wscanf allocates too little memory - -BZ #16618 - -Under certain conditions wscanf can allocate too little memory for the -to-be-scanned arguments and overflow the allocated buffer. The -implementation now correctly computes the required buffer size when -using malloc. - -A regression test was added to tst-sscanf. ---- - stdio-common/tst-sscanf.c | 33 +++++++++++++++++++++++++++++++++ - stdio-common/vfscanf.c | 12 ++++++------ - 2 files changed, 39 insertions(+), 6 deletions(-) - -diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c -index 9fef93a53578..6394fe1cccd1 100644 ---- a/stdio-common/tst-sscanf.c -+++ b/stdio-common/tst-sscanf.c -@@ -233,5 +233,38 @@ main (void) - } - } - -+ /* BZ #16618 -+ The test will segfault during SSCANF if the buffer overflow -+ is not fixed. The size of `s` is such that it forces the use -+ of malloc internally and this triggers the incorrect computation. -+ Thus the value for SIZE is arbitrariy high enough that malloc -+ is used. */ -+ { -+#define SIZE 131072 -+ CHAR *s = malloc ((SIZE + 1) * sizeof (*s)); -+ if (s == NULL) -+ abort (); -+ for (size_t i = 0; i < SIZE; i++) -+ s[i] = L('0'); -+ s[SIZE] = L('\0'); -+ int i = 42; -+ /* Scan multi-digit zero into `i`. */ -+ if (SSCANF (s, L("%d"), &i) != 1) -+ { -+ printf ("FAIL: bug16618: SSCANF did not read one input item.\n"); -+ result = 1; -+ } -+ if (i != 0) -+ { -+ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n"); -+ result = 1; -+ } -+ free (s); -+ if (result != 1) -+ printf ("PASS: bug16618: Did not crash.\n"); -+#undef SIZE -+ } -+ -+ - return result; - } -diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c -index e0d224530cc6..a4f06b44e576 100644 ---- a/stdio-common/vfscanf.c -+++ b/stdio-common/vfscanf.c -@@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, - if (__glibc_unlikely (wpsize == wpmax)) \ - { \ - CHAR_T *old = wp; \ -- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \ -- ? UCHAR_MAX + 1 : 2 * wpmax); \ -- if (use_malloc || !__libc_use_alloca (newsize)) \ -+ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \ -+ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \ -+ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \ -+ if (!__libc_use_alloca (newsize)) \ - { \ - wp = realloc (use_malloc ? wp : NULL, newsize); \ - if (wp == NULL) \ -@@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, - } \ - if (! use_malloc) \ - MEMCPY (wp, old, wpsize); \ -- wpmax = newsize; \ -+ wpmax = wpneed; \ - use_malloc = true; \ - } \ - else \ - { \ - size_t s = wpmax * sizeof (CHAR_T); \ -- wp = (CHAR_T *) extend_alloca (wp, s, \ -- newsize * sizeof (CHAR_T)); \ -+ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \ - wpmax = s / sizeof (CHAR_T); \ - if (old != NULL) \ - MEMCPY (wp, old, wpsize); \ |