author | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-02-24 08:05:34 -0800 |
---|---|---|
committer | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-02-24 08:05:34 -0800 |
commit | 6909d2767580b680138a6aa49aabf4976770e9f6 (patch) | |
tree | 7f2b0beb70e3a2119193bbc12672bf8d19b79869 | |
parent | 65f6f938cd562a614a68e15d0581a34b177ec29d (diff) | |
Fix BZ #17916 - fopen unbounded stack usage for ccs= modes
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | libio/fileops.c | 13 | ||||
-rw-r--r-- | libio/tst-fopenloc.c | 28 |
4 files changed, 47 insertions, 4 deletions
@@ -1,3 +1,9 @@
+2015-02-24  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #17916]
+	* libio/fileops.c (_IO_new_file_fopen): Limit stack use
+	* libio/tst-fopenloc.c (do_test, do_bz17916): Add a large ccs= test
+
 2015-02-24  Eric Rannaud  <e@nanocritical.com>
 
 	[BZ #17523]
@@ -10,8 +10,8 @@ Version 2.22
 * The following bugs are resolved with this release:
 
   4719, 14841, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17523,
-  17569, 17588, 17792, 17836, 17912, 17932, 17944, 17949, 17964, 17965,
-  17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999.
+  17569, 17588, 17792, 17836, 17912, 17916, 17932, 17944, 17949, 17964,
+  17965, 17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999.
 
 * Character encoding and ctype tables were updated to Unicode 7.0.0, using
   new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
diff --git a/libio/fileops.c b/libio/fileops.c
index 297b478..2427320 100644
--- a/libio/fileops.c
+++ b/libio/fileops.c
@@ -353,7 +353,15 @@ _IO_new_file_fopen (_IO_FILE *fp, const char *filename, const char *mode,
 	  struct gconv_fcts fcts;
 	  struct _IO_codecvt *cc;
 	  char *endp = __strchrnul (cs + 5, ',');
-	  char ccs[endp - (cs + 5) + 3];
+	  char *ccs = malloc (endp - (cs + 5) + 3);
+
+	  if (ccs == NULL)
+	    {
+	      int malloc_err = errno;  /* Whatever malloc failed with.  */
+	      (void) _IO_file_close_it (fp);
+	      __set_errno (malloc_err);
+	      return NULL;
+	    }
 
 	  *((char *) __mempcpy (ccs, cs + 5, endp - (cs + 5))) = '\0';
 	  strip (ccs, ccs);
@@ -365,10 +373,13 @@ _IO_new_file_fopen (_IO_FILE *fp, const char *filename, const char *mode,
 		 This means we cannot proceed since the user explicitly asked
 		 for these.  */
 	      (void) _IO_file_close_it (fp);
+	      free (ccs);
 	      __set_errno (EINVAL);
 	      return NULL;
 	    }
 
+	  free (ccs);
+
 	  assert (fcts.towc_nsteps == 1);
 	  assert (fcts.tomb_nsteps == 1);
 
diff --git a/libio/tst-fopenloc.c b/libio/tst-fopenloc.c
index 1336023..48c2d3b 100644
--- a/libio/tst-fopenloc.c
+++ b/libio/tst-fopenloc.c
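Review bot: The added `malloc (endp - (cs + 5) + 3)` keeps the VLA's unexplained `+ 3` and says nothing about why a heap buffer replaced the stack array, which is the whole point of this fix and the first thing a future cleanup is likely to undo. A comment above the allocation along the lines of `/* The ccs= value is taken from the caller-supplied mode string and can be arbitrarily long, so it must not be a stack array (BZ #17916).  */`, plus a clause saying what the three extra bytes are reserved for, would pin that down. The allocation size is still proportional to the mode string, which is acceptable only because a failed allocation is now reported as NULL instead of faulting on stack growth; that trade-off belongs in the same comment. The ENOMEM path itself looks right: `errno` is saved before `_IO_file_close_it (fp)` can clobber it and restored with `__set_errno (malloc_err)`, mirroring the EINVAL path in the next hunk. `_IO_new_file_fopen` starts and ends outside the hunk.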
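Review bot: `free (ccs)` is now written twice, once before `__set_errno (EINVAL)` on the error path and once after the closing `}`, so any further early return added inside this block later would have to remember a third copy. If the conversion lookup whose result the `if` tests (its call starts above the hunk) keeps no pointer into the buffer, releasing `ccs` once immediately after that call and before the `if` gives a single release point and makes the error path leak-free by construction; that precondition is worth confirming before restructuring. Either way a short comment at the second `free (ccs);`, such as `/* The name was only needed to look the conversion up.  */`, would tell readers why the buffer dies before the asserts. The function continues beyond the hunk.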
@@ -24,10 +24,36 @@
 #include <stdlib.h>
 #include <string.h>
 #include <wchar.h>
+#include <sys/resource.h>
 
 static const char inputfile[] = "../iconvdata/testdata/ISO-8859-1";
 
+static
+int do_bz17916 (void)
+{
+  /* BZ #17916 -- check invalid large ccs= case.  */
+  struct rlimit rl;
+  getrlimit (RLIMIT_STACK, &rl);
+  rl.rlim_cur = 1024 * 1024;
+  setrlimit (RLIMIT_STACK, &rl);
+
+  const size_t sz = 2 * 1024 * 1024;
+  char *ccs = malloc (sz);
+  strcpy (ccs, "r,ccs=");
+  memset (ccs + 6, 'A', sz - 6 - 1);
+  ccs[sz - 1] = '\0';
+
+  FILE *fp = fopen (inputfile, ccs);
+  if (fp != NULL)
+    {
+      printf ("unxpected success\n");
+      return 1;
+    }
+  free (ccs);
+
+  return 0;
+}
 
 static int
 do_test (void)
@@ -57,7 +83,7 @@ do_test (void)
 
   fclose (fp);
 
-  return 0;
+  return do_bz17916 ();
 }
 
 #define TEST_FUNCTION do_test ()
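Review bot: The `setrlimit (RLIMIT_STACK, &rl)` result in `do_bz17916` is ignored, and if lowering the limit fails the 2 MiB `ccs=` mode is exercised against the process's default stack, where the pre-fix stack array would probably fit too, so the test could pass on unfixed code without anyone noticing; guard it with `if (setrlimit (RLIMIT_STACK, &rl) != 0) { printf ("setrlimit failed\n"); return 1; }` and treat a failing `getrlimit` the same way. `malloc (sz)` is likewise unchecked before `strcpy` writes into it. On the `fp != NULL` path the stream is left open and the message reads `"unxpected success"`, a typo for "unexpected". Minor style: `static` and `int do_bz17916 (void)` are split over two lines, whereas `do_test` in the same file writes `static int` on one line.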