Annotation of /trunk/glibc/patches/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch
Revision 2283 -
Mon Sep 16 11:57:11 2013 UTC (10 years, 7 months ago) by niro
File size: 1556 byte(s)
-glibc-2.18 CVEs and fixes
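diff --git a/malloc/malloc.c b/malloc/malloc.c
index dd295f5..7f43ba3 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
 size_t page_mask = GLRO(dl_pagesize) - 1;
 size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
 
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
 void *(*hook) (size_t, size_t, const void *) =
 force_reg (__memalign_hook);
 if (__builtin_expect (hook != NULL, 0))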
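Review bot: The overflow guard in __libc_pvalloc comes after the initializer `rounded_bytes = (bytes + page_mask) & ~(page_mask)`, so for a very large `bytes` that sum has already wrapped by the time the request is rejected. The wrapped value is discarded by the early return and unsigned wrap is well defined, but placing the guard above the initializer would avoid leaving a wrapped value in scope. The comment `/* Check for overflow. */` also does not say which sum is protected; something like `/* Reject sizes for which bytes + 2*pagesz + MINSIZE would wrap past SIZE_MAX. */` would document the bound, presumably matching the padded request built further down, outside the hunk. The same terse comment appears in the __libc_valloc and __libc_memalign hunks, and `pagesz` is not declared in the visible lines of this one, so it is presumably defined earlier in the function.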
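diff --git a/malloc/malloc.c b/malloc/malloc.c
index 7f43ba3..3148c5f 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
 
 size_t pagesz = GLRO(dl_pagesize);
 
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - pagesz - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
 void *(*hook) (size_t, size_t, const void *) =
 force_reg (__memalign_hook);
 if (__builtin_expect (hook != NULL, 0))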
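diff --git a/malloc/malloc.c b/malloc/malloc.c
index 3148c5f..f7718a9 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
 /* Otherwise, ensure that it is at least a minimum chunk size */
 if (alignment < MINSIZE) alignment = MINSIZE;
 
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
 arena_get(ar_ptr, bytes + alignment + MINSIZE);
 if(!ar_ptr)
 return 0;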
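Review bot: The bound `SIZE_MAX - alignment - MINSIZE` in __libc_memalign is computed from the caller-supplied `alignment`, so when `alignment` is larger than `SIZE_MAX - MINSIZE` the subtraction itself wraps to a large value and the guard passes. In that case `bytes + alignment + MINSIZE` in the `arena_get` call just below can still wrap. The function begins outside the hunk, so unless earlier code already limits `alignment`, the guard should reject that case first: `if (alignment > SIZE_MAX - MINSIZE || bytes > SIZE_MAX - alignment - MINSIZE)`. The valloc and pvalloc guards do not have this problem, since their subtrahend is the system page size rather than an argument.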