Contents of /trunk/glibc/patches/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch
Revision 2283 -
Mon Sep 16 11:57:11 2013 UTC (11 years ago) by niro
File size: 1556 byte(s)
-glibc-2.18 CVEs and fixes
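--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
 size_t page_mask = GLRO(dl_pagesize) - 1;
 size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
 
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
 void *(*hook) (size_t, size_t, const void *) =
 force_reg (__memalign_hook);
 if (__builtin_expect (hook != NULL, 0))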
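Review bot: The new bound in `__libc_pvalloc` is applied to `bytes`, but `rounded_bytes` has already been computed from the unchecked value on the line above the check and can exceed `bytes` by up to `page_mask`. On the rejected path the wrapped value is discarded by the early return, so that part is harmless. For requests just under the limit, though, any later sum built on `rounded_bytes` is not covered by this comparison; that code lies outside the hunk and should be confirmed to re-check the size. Moving the check above the `rounded_bytes` line, with a comment such as `/* Validate bytes before deriving rounded_bytes from it. */`, would keep every derived value downstream of the validation. `pagesz` is not declared in the visible lines and is presumably defined earlier in the function.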
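--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
 
 size_t pagesz = GLRO(dl_pagesize);
 
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - pagesz - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
 void *(*hook) (size_t, size_t, const void *) =
 force_reg (__memalign_hook);
 if (__builtin_expect (hook != NULL, 0))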
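Review bot: The comment `/* Check for overflow. */` in `__libc_valloc` does not say which computation is being protected, and the guarded sum is not visible in this hunk. A comment such as `/* Reject sizes for which bytes + pagesz + MINSIZE would wrap around size_t. */` would tie the bound to the expression it protects. That expression is presumably the arena request later in the function, as the memalign hunk shows for `bytes + alignment + MINSIZE`. The same wording issue applies to the pvalloc and memalign hunks, and the function body continues outside this hunk.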
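--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
 /* Otherwise, ensure that it is at least a minimum chunk size */
 if (alignment < MINSIZE) alignment = MINSIZE;
 
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
 arena_get(ar_ptr, bytes + alignment + MINSIZE);
 if(!ar_ptr)
 return 0;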
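Review bot: The right-hand side `SIZE_MAX - alignment - MINSIZE` in `__libc_memalign` can itself wrap, because nothing in the visible lines bounds `alignment` from above. When `alignment` is larger than `SIZE_MAX - MINSIZE`, the subtraction wraps to a large value and the comparison passes. The sum `bytes + alignment + MINSIZE` in the `arena_get` call right after the check can then still overflow. Rejecting oversized alignments before this check closes the gap, for example `if (alignment > SIZE_MAX / 2 + 1) { __set_errno (EINVAL); return 0; }`. The function starts and continues outside the hunk, so an earlier bound on `alignment` may already exist there and should be confirmed.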