authorPaul Pluzhnikov <ppluzhnikov@google.com>2015-02-24 08:05:34 -0800
committerPaul Pluzhnikov <ppluzhnikov@google.com>2015-02-24 08:05:34 -0800
commit6909d2767580b680138a6aa49aabf4976770e9f6 (patch)
tree7f2b0beb70e3a2119193bbc12672bf8d19b79869
parent65f6f938cd562a614a68e15d0581a34b177ec29d (diff)
Fix BZ #17916 - fopen unbounded stack usage for ccs= modes
-rw-r--r--ChangeLog6
-rw-r--r--NEWS4
-rw-r--r--libio/fileops.c13
-rw-r--r--libio/tst-fopenloc.c28
4 files changed, 47 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 59a1571..c306867 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-02-24 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17916]
+ * libio/fileops.c (_IO_new_file_fopen): Limit stack use
+ * libio/tst-fopenloc.c (do_test, do_bz17916): Add a large ccs= test
+
2015-02-24 Eric Rannaud <e@nanocritical.com>
[BZ #17523]
diff --git a/NEWS b/NEWS
index bd95e74..3f005fe 100644
--- a/NEWS
+++ b/NEWS
@@ -10,8 +10,8 @@ Version 2.22
* The following bugs are resolved with this release:
4719, 14841, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17523,
- 17569, 17588, 17792, 17836, 17912, 17932, 17944, 17949, 17964, 17965,
- 17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999.
+ 17569, 17588, 17792, 17836, 17912, 17916, 17932, 17944, 17949, 17964,
+ 17965, 17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999.
* Character encoding and ctype tables were updated to Unicode 7.0.0, using
new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
diff --git a/libio/fileops.c b/libio/fileops.c
index 297b478..2427320 100644
--- a/libio/fileops.c
+++ b/libio/fileops.c
@@ -353,7 +353,15 @@ _IO_new_file_fopen (_IO_FILE *fp, const char *filename, const char *mode,
struct gconv_fcts fcts;
struct _IO_codecvt *cc;
char *endp = __strchrnul (cs + 5, ',');
- char ccs[endp - (cs + 5) + 3];
+ char *ccs = malloc (endp - (cs + 5) + 3);
+
+ if (ccs == NULL)
+ {
+ int malloc_err = errno; /* Whatever malloc failed with. */
+ (void) _IO_file_close_it (fp);
+ __set_errno (malloc_err);
+ return NULL;
+ }
*((char *) __mempcpy (ccs, cs + 5, endp - (cs + 5))) = '\0';
strip (ccs, ccs);
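Review bot: The switch from a VLA to `malloc` at line 355 is the whole fix for BZ #17916, but nothing in the code records why, so a later cleanup could plausibly restore the "simpler" VLA; a short comment above the allocation would pin the rationale, e.g. `/* BZ #17916: MODE is caller-supplied and of unbounded length; allocate on the heap rather than in a VLA so a long ccs= cannot exhaust the stack.  */`. Saving `errno` across `_IO_file_close_it` before re-setting it is the right move, since the close path may clobber it. The buffer now has an owner, and the matching `free (ccs)` calls appear only in the second hunk of this file (the EINVAL path and the success path); if any other early return exists between the two hunks, which is not visible here, it would leak `ccs`. `_IO_new_file_fopen` begins and ends outside these hunks.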
@@ -365,10 +373,13 @@ _IO_new_file_fopen (_IO_FILE *fp, const char *filename, const char *mode,
This means we cannot proceed since the user explicitly asked
for these. */
(void) _IO_file_close_it (fp);
+ free (ccs);
__set_errno (EINVAL);
return NULL;
}
+ free (ccs);
+
assert (fcts.towc_nsteps == 1);
assert (fcts.tomb_nsteps == 1);
diff --git a/libio/tst-fopenloc.c b/libio/tst-fopenloc.c
index 1336023..48c2d3b 100644
--- a/libio/tst-fopenloc.c
+++ b/libio/tst-fopenloc.c
@@ -24,10 +24,36 @@
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
+#include <sys/resource.h>
static const char inputfile[] = "../iconvdata/testdata/ISO-8859-1";
+static
+int do_bz17916 (void)
+{
+ /* BZ #17916 -- check invalid large ccs= case. */
+ struct rlimit rl;
+ getrlimit (RLIMIT_STACK, &rl);
+ rl.rlim_cur = 1024 * 1024;
+ setrlimit (RLIMIT_STACK, &rl);
+
+ const size_t sz = 2 * 1024 * 1024;
+ char *ccs = malloc (sz);
+ strcpy (ccs, "r,ccs=");
+ memset (ccs + 6, 'A', sz - 6 - 1);
+ ccs[sz - 1] = '\0';
+
+ FILE *fp = fopen (inputfile, ccs);
+ if (fp != NULL)
+ {
+ printf ("unxpected success\n");
+ return 1;
+ }
+ free (ccs);
+
+ return 0;
+}
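Review bot: The new `do_bz17916` ignores every return value it depends on: `malloc (sz)` is passed straight to `strcpy`, so an allocation failure is a NULL write rather than a test failure, and an unchecked `setrlimit` means that if lowering the stack limit fails the test silently passes without ever exercising the overbig-ccs condition it was written for. On the `fp != NULL` path both `fp` and `ccs` leak, and the message reads `unxpected success`. Checking the three calls and moving `free (ccs)` directly after `fopen` keeps the test meaningful and leak-free; the rewritten body follows.
```c
static
int do_bz17916 (void)
{
  /* BZ #17916 -- check invalid large ccs= case.  */
  struct rlimit rl;
  if (getrlimit (RLIMIT_STACK, &rl) != 0)
    {
      printf ("getrlimit failed\n");
      return 1;
    }
  rl.rlim_cur = 1024 * 1024;
  if (setrlimit (RLIMIT_STACK, &rl) != 0)
    {
      /* Without the lowered limit the test would not exercise the bug.  */
      printf ("setrlimit failed\n");
      return 1;
    }

  const size_t sz = 2 * 1024 * 1024;
  char *ccs = malloc (sz);
  if (ccs == NULL)
    {
      printf ("malloc failed\n");
      return 1;
    }
  /* … unchanged: fill ccs with "r,ccs=" followed by 'A's and a NUL … */

  FILE *fp = fopen (inputfile, ccs);
  free (ccs);
  if (fp != NULL)
    {
      printf ("unexpected success\n");
      fclose (fp);
      return 1;
    }

  return 0;
}
```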
static int
do_test (void)
@@ -57,7 +83,7 @@ do_test (void)
fclose (fp);
- return 0;
+ return do_bz17916 ();
}
#define TEST_FUNCTION do_test ()