diff options
author | Ondřej Bílka <neleai@seznam.cz> | 2013-10-14 17:15:08 +0200 |
---|---|---|
committer | Ondřej Bílka <neleai@seznam.cz> | 2013-10-14 17:15:48 +0200 |
commit | 17c48a60b8f51e627fc1a1bc3805a80b7bdf6d8d (patch) | |
tree | 34f5acbf55012d7a35bf6cbdb02148a5b359c9c2 | |
parent | cabba9343c8bd99e4aea66aa1e0ec7d93aa18a7e (diff) | |
download | glibc-17c48a60b8f51e627fc1a1bc3805a80b7bdf6d8d.zip glibc-17c48a60b8f51e627fc1a1bc3805a80b7bdf6d8d.tar.gz glibc-17c48a60b8f51e627fc1a1bc3805a80b7bdf6d8d.tar.bz2 |
Fix error_tail overflow in allocation calculation.
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | NEWS | 10 | ||||
-rw-r--r-- | misc/error.c | 2 |
3 files changed, 11 insertions, 6 deletions
@@ -1,3 +1,8 @@ +2013-10-14 Ondřej Bílka <neleai@seznam.cz> + + [BZ #15672] + * misc/error.c (error_tail): Fix possible buffer overflow. + 2013-10-14 Aurelien Jarno <aurelien@aurel32.net> [BZ #13028] @@ -11,11 +11,11 @@ Version 2.19 156, 431, 832, 13028, 13982, 13985, 14155, 14547, 14699, 14910, 15048, 15362, 15400, 15427, 15522, 15531, 15532, 15608, 15609, 15610, 15632, - 15640, 15680, 15681, 15723, 15734, 15735, 15736, 15748, 15749, 15754, - 15760, 15764, 15797, 15844, 15847, 15849, 15855, 15856, 15857, 15859, - 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, - 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, - 15919, 15921, 15923, 15939, 15963, 15966, 15988, 16032, 16034, 16036. + 15640, 15672, 15680, 15681, 15723, 15734, 15735, 15736, 15748, 15749, + 15754, 15760, 15764, 15797, 15844, 15847, 15849, 15855, 15856, 15857, + 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, + 15909, 15919, 15921, 15923, 15939, 15963, 15966, 15988, 16032, 16034, + 16036. * CVE-2012-4412 The strcoll implementation caches indices and rules for large collation sequences to optimize multiple passes. This cache diff --git a/misc/error.c b/misc/error.c index c8e62cf..408a1ab 100644 --- a/misc/error.c +++ b/misc/error.c @@ -165,7 +165,7 @@ error_tail (int status, int errnum, const char *message, va_list args) if (res != len) break; - if (__builtin_expect (len >= SIZE_MAX / 2, 0)) + if (__builtin_expect (len >= SIZE_MAX / sizeof (wchar_t) / 2, 0)) { /* This really should not happen if everything is fine. */ res = (size_t) -1; |