[glibc/f17] - Fix use-after-free in dcigettext.c (#816647).

Jeffrey Law law at fedoraproject.org
Thu Jun 21 18:14:46 UTC 2012


commit 87db5ca47f429fa8d3574247cefb8c8791aef0bf
Author: Jeff Law <law at redhat.com>
Date:   Thu Jun 21 12:14:39 2012 -0600

      - Fix use-after-free in dcigettext.c (#816647).

 glibc-rh816647.patch |   25 +++++++++++++++++++++++++
 glibc.spec           |    9 ++++++++-
 2 files changed, 33 insertions(+), 1 deletions(-)
---
diff --git a/glibc-rh816647.patch b/glibc-rh816647.patch
new file mode 100644
index 0000000..1880121
--- /dev/null
+++ b/glibc-rh816647.patch
@@ -0,0 +1,25 @@
+2012-06-21  Jeff Law  <law at redhat.com>
+
+	* intl/dcigettext.c (_nl_find_msg): Do not dereference memory
+	that may have just been free'd.
+
+diff --git a/intl/dcigettext.c b/intl/dcigettext.c
+index f6b7573..9c673d4 100644
+--- a/intl/dcigettext.c
++++ b/intl/dcigettext.c
+@@ -1149,13 +1149,14 @@ _nl_find_msg (domain_file, domainbinding, msgid, convert, lengthp)
+ 		  /* We must allocate a new buffer or resize the old one.  */
+ 		  if (malloc_count > 0)
+ 		    {
++		      struct transmem_list *next = transmem_list->next;
+ 		      ++malloc_count;
+ 		      freemem_size = malloc_count * INITIAL_BLOCK_SIZE;
+ 		      newmem = (transmem_block_t *) realloc (transmem_list,
+ 							     freemem_size);
+ # ifdef _LIBC
+ 		      if (newmem != NULL)
+-			transmem_list = transmem_list->next;
++			transmem_list = next;
+ 		      else
+ 			{
+ 			  struct transmem_list *old = transmem_list;
diff --git a/glibc.spec b/glibc.spec
index 0d44353..4f051fd 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -28,7 +28,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 48%{?dist}
+Release: 49%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -205,6 +205,9 @@ Patch2060: %{name}-rh804630.patch
 # Upstream BZ 14247
 Patch2061: %{name}-rh827510.patch
 
+# Upstream BZ 14277
+Patch2062: %{name}-rh816647.patch
+
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Obsoletes: glibc-profile < 2.4
 Obsoletes: nss_db
@@ -491,6 +494,7 @@ popd
 %patch2059 -p1
 %patch2060 -p1
 %patch2061 -p1
+%patch2062 -p1
 
 # A lot of programs still misuse memcpy when they have to use
 # memmove. The memcpy implementation below is not tolerant at
@@ -1357,6 +1361,9 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Thu Jun 20 2012 Jeff Law <law at redhat.com> - 2.15.49
+  - Fix use-after-free in dcigettext.c (#816647).
+
 * Tue Jun 19 2012 Dennis Gilmore <dennis at ausil.us> - 2.15-48
 - remove armhfp linker changes  needs more testing in rawhide before we consider backporting to f17 
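Review bot: The new changelog header `* Thu Jun 20 2012 Jeff Law <law at redhat.com> - 2.15.49` does not follow the version form the existing entries use: the previous entry is `2.15-48` and this commit bumps Release to 49, so the header should end in `2.15-49` (rpmlint flags a changelog/version mismatch otherwise). The date is also inconsistent with the commit: 20 June 2012 was a Wednesday, and the commit is dated Thursday 21 June, so it should read `* Thu Jun 21 2012 Jeff Law <law at redhat.com> - 2.15-49`. The item line is indented by two spaces while the surrounding entries start at column 0; write it as `- Fix use-after-free in dcigettext.c (#816647).`.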
 

