arrfab / rpms / glibc

Forked from rpms/glibc 5 years ago
Clone

Blame SOURCES/glibc-rh989861.patch

147e83
commit 27572ef96a66b61f5a6d81196c05983ab3dc9994
147e83
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
147e83
Date:   Sun Jun 30 20:45:19 2013 +0530
147e83
147e83
    Check for integer overflow
147e83
147e83
diff --git glibc-2.17-c758a686/string/strcoll_l.c glibc-2.17-c758a686/string/strcoll_l.c
147e83
index 1be6874..cbe5962 100644
147e83
--- glibc-2.17-c758a686/string/strcoll_l.c
147e83
+++ glibc-2.17-c758a686/string/strcoll_l.c
147e83
@@ -524,6 +524,14 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
147e83
   memset (&seq1, 0, sizeof (seq1));
147e83
   seq2 = seq1;
147e83
 
147e83
+  size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1);
147e83
+
147e83
+  /* If the strings are long enough to cause overflow in the size request, then
147e83
+     skip the allocation and proceed with the non-cached routines.  */
147e83
+  if (MIN (s1len, s2len) > size_max
147e83
+      || MAX (s1len, s2len) > size_max - MIN (s1len, s2len))
147e83
+    goto begin_collate;
147e83
+
147e83
   if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1)))
147e83
     {
147e83
       seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1));
147e83
@@ -546,8 +554,10 @@ STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
147e83
       seq2.rulearr = (unsigned char *) alloca (s2len);
147e83
     }
147e83
 
147e83
-  int rule = 0;
147e83
+  int rule;
147e83
 
147e83
+ begin_collate:
147e83
+  rule = 0;
147e83
   /* Cache values in the first pass and if needed, use them in subsequent
147e83
      passes.  */
147e83
   for (int pass = 0; pass < nrules; ++pass)