From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17 00:00:00 2001
From: Joseph Myers <joseph@codesourcery.com>
Date: Fri, 4 Dec 2015 20:36:28 +0000
Subject: Fix nan functions handling of payload strings (bug 16961, bug 16962).

The nan, nanf and nanl functions handle payload strings by doing e.g.:

  if (tagp[0] != '\0')
    {
      char buf[6 + strlen (tagp)];
      sprintf (buf, "NAN(%s)", tagp);
      return strtod (buf, NULL);
    }

This is an unbounded stack allocation based on the length of the
argument.  Furthermore, if the argument starts with an n-char-sequence
followed by ')', that n-char-sequence is wrongly treated as
significant for determining the payload of the resulting NaN, when ISO
C says the call should be equivalent to strtod ("NAN", NULL), without
being affected by that initial n-char-sequence.  This patch fixes both
those problems by using the __strtod_nan etc. functions recently
factored out of strtod etc. for that purpose, with those functions
being exported from libc at version GLIBC_PRIVATE.

Tested for x86_64, x86, mips64 and powerpc.

	[BZ #16961]
	[BZ #16962]
	* math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
	string on the stack for strtod.
	* math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
	a string on the stack for strtof.
	* math/s_nanl.c (__nanl): Use __strtold_nan instead of
	constructing a string on the stack for strtold.
	* stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
	__strtold_nan to GLIBC_PRIVATE.
	* math/test-nan-overflow.c: New file.
	* math/test-nan-payload.c: Likewise.
	* math/Makefile (tests): Add test-nan-overflow and
	test-nan-payload.
---
 NEWS | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'NEWS')

diff --git a/NEWS b/NEWS
index cb61a3a..37189f7 100644
--- a/NEWS
+++ b/NEWS
@@ -60,6 +60,12 @@ Version 2.23
   C Library is GCC 4.7.  Older GCC versions, and non-GNU compilers, can
   still be used to compile programs using the GNU C Library.
 
+Security related changes:
+
+* The nan, nanf and nanl functions no longer have unbounded stack usage
+  depending on the length of the string passed as an argument to the
+  functions.  Reported by Joseph Myers.
+
 * The following bugs are resolved with this release:
 
   [The release manager will add the list generated by
-- 
cgit v1.1