[glibc/f16] Check values from TZ file header (#767696)

Jeffrey Law law at fedoraproject.org
Mon Dec 19 05:01:37 UTC 2011


commit c1ae8095f64571012bee02b1adecad7f2eedfd9d
Author: Jeff Law <law at redhat.com>
Date:   Mon Dec 19 05:01:18 2011 +0000

    Check values from TZ file header (#767696)

 glibc-rh767696.patch |   82 ++++++++++++++++++++++++++++++++++++++++++++++++++
 glibc.spec           |    8 ++++-
 2 files changed, 88 insertions(+), 2 deletions(-)
---
diff --git a/glibc-rh767696.patch b/glibc-rh767696.patch
new file mode 100644
index 0000000..0536efa
--- /dev/null
+++ b/glibc-rh767696.patch
@@ -0,0 +1,82 @@
+commit 97ac2654b2d831acaa18a2b018b0736245903fd2
+Author: Ulrich Drepper <drepper at gmail.com>
+Date:   Sat Dec 17 20:18:42 2011 -0500
+
+    Check values from TZ file header
+
+
+	[BZ #13506]
+	* time/tzfile.c (__tzfile_read): Check values from file header.
+
+diff --git a/time/tzfile.c b/time/tzfile.c
+index 144e20b..402389c 100644
+--- a/time/tzfile.c
++++ b/time/tzfile.c
+@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
+       goto read_again;
+     }
+ 
++  if (__builtin_expect (num_transitions
++			> ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
++			   / (sizeof (time_t) + 1)), 0))
++    goto lose;
+   total_size = num_transitions * (sizeof (time_t) + 1);
+   total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
+ 		& ~(__alignof__ (struct ttinfo) - 1));
+   types_idx = total_size;
+-  total_size += num_types * sizeof (struct ttinfo) + chars;
++  if (__builtin_expect (num_types
++			> (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
++    goto lose;
++  total_size += num_types * sizeof (struct ttinfo);
++  if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
++    goto lose;
++  total_size += chars;
++  if (__builtin_expect (__alignof__ (struct leap) - 1
++			> SIZE_MAX - total_size, 0))
++    goto lose;
+   total_size = ((total_size + __alignof__ (struct leap) - 1)
+ 		& ~(__alignof__ (struct leap) - 1));
+   leaps_idx = total_size;
++  if (__builtin_expect (num_leaps
++			> (SIZE_MAX - total_size) / sizeof (struct leap), 0))
++    goto lose;
+   total_size += num_leaps * sizeof (struct leap);
+-  tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
+-		? st.st_size - (ftello (f)
+-				+ num_transitions * (8 + 1)
+-				+ num_types * 6
+-				+ chars
+-				+ num_leaps * 12
+-				+ num_isstd
+-				+ num_isgmt) - 1 : 0);
++  tzspec_len = 0;
++  if (sizeof (time_t) == 8 && trans_width == 8)
++    {
++      off_t rem = st.st_size - ftello (f);
++      if (__builtin_expect (rem < 0
++			    || (size_t) rem < (num_transitions * (8 + 1)
++					       + num_types * 6
++					       + chars), 0))
++	goto lose;
++      tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
++				   + num_types * 6
++				   + chars);
++      if (__builtin_expect (num_leaps > SIZE_MAX / 12
++			    || tzspec_len < num_leaps * 12, 0))
++	goto lose;
++      tzspec_len -= num_leaps * 12;
++      if (__builtin_expect (tzspec_len < num_isstd, 0))
++	goto lose;
++      tzspec_len -= num_isstd;
++      if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
++	goto lose;
++      tzspec_len -= num_isgmt + 1;
++      if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
++	goto lose;
++    }
++  if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
++    goto lose;
+ 
+   /* Allocate enough memory including the extra block requested by the
+      caller.  */
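Review bot: In the embedded time/tzfile.c hunk, the guard `if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))` tests `tzspec`, while every neighbouring check is about `tzspec_len`; this looks like a typo for `tzspec_len == 0`. As written, nothing stops `tzspec_len` from being 0 at that point, so `tzspec_len - 1` wraps (the value is built from `(size_t) rem`, so it is presumably unsigned), the comparison with `num_isgmt` does not fire, and `tzspec_len -= num_isgmt + 1` underflows on a header whose counts exactly consume the remaining file size. `tzspec` is not declared in the hunk; if it is a pointer that is still null here, the same test would also reject every valid file with 8-byte transitions. I would change the line to `if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))`. The body of `__tzfile_read` starts and ends outside the hunk, so the declarations should be confirmed against the full file.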
diff --git a/glibc.spec b/glibc.spec
index de61668..70c4175 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -54,6 +54,7 @@ Patch10: %{name}-rh750811.patch
 Patch11: %{name}-rh758252.patch
 Patch12: %{name}-rh767746.patch
 Patch13: %{name}-rh552960.patch
+Patch14: %{name}-rh767696.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Obsoletes: glibc-profile < 2.4
 Obsoletes: nss_db
@@ -284,6 +285,7 @@ rm -rf %{glibcportsdir}
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 
 # A lot of programs still misuse memcpy when they have to use
 # memmove. The memcpy implementation below is not tolerant at
@@ -1136,10 +1138,12 @@ rm -f *.filelist*
 %endif
 
 %changelog
-* Fri Dec 16 2011 Jeff Law <law at redhat.com> - 2.14.90-24.fc16.1
+* Sun Dec 18 2011 Jeff Law <law at redhat.com> - 2.14.90-24.fc16.1
+  - Check values from TZ file header (#767696)
   - Handle EAGAIN from FUTEX_WAIT_REQUEUE_PI (#552960)
   - Add {dist}.#
   - Correct return value from pthread_create when stack alloction fails.
+    (#767746)
 
 * Wed Dec 7 2011 Jeff Law <law at redhat.com> - 2.14.90-23
   - Fix a wrong constant in powerpc hypot implementation (#750811)
@@ -1148,7 +1152,7 @@ rm -f *.filelist*
   - Truncate time values in Linux futimes when falling back to utime
 
 * Mon Dec 5 2011 Jeff Law <law at redhat.com> - 2.14.90-22
-  - Mark fortified __FD_ELT as extension
+  - Mark fortified __FD_ELT as extension (#761021)
   - Fix typo in manual (#708455)
 
 * Wed Nov 30 2011 Jeff Law <law at redhat.com> - 2.14.90-21

