[glibc/f14] - Check values from TZ file header (#767696)
Jeffrey Law
law at fedoraproject.org
Mon Dec 19 05:10:38 UTC 2011
commit b11f27e53f81d3f37041a8ffee9664e87d24e712
Author: Jeff Law <law at redhat.com>
Date: Mon Dec 19 05:10:31 2011 +0000
- Check values from TZ file header (#767696)
glibc-rh767696.patch | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++
glibc.spec | 9 +++++-
2 files changed, 90 insertions(+), 1 deletions(-)
---
diff --git a/glibc-rh767696.patch b/glibc-rh767696.patch
new file mode 100644
index 0000000..0536efa
--- /dev/null
+++ b/glibc-rh767696.patch
@@ -0,0 +1,82 @@
+commit 97ac2654b2d831acaa18a2b018b0736245903fd2
+Author: Ulrich Drepper <drepper at gmail.com>
+Date: Sat Dec 17 20:18:42 2011 -0500
+
+ Check values from TZ file header
+
+
+ [BZ #13506]
+ * time/tzfile.c (__tzfile_read): Check values from file header.
+
+diff --git a/time/tzfile.c b/time/tzfile.c
+index 144e20b..402389c 100644
+--- a/time/tzfile.c
++++ b/time/tzfile.c
+@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
+ goto read_again;
+ }
+
++ if (__builtin_expect (num_transitions
++ > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
++ / (sizeof (time_t) + 1)), 0))
++ goto lose;
+ total_size = num_transitions * (sizeof (time_t) + 1);
+ total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
+ & ~(__alignof__ (struct ttinfo) - 1));
+ types_idx = total_size;
+- total_size += num_types * sizeof (struct ttinfo) + chars;
++ if (__builtin_expect (num_types
++ > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
++ goto lose;
++ total_size += num_types * sizeof (struct ttinfo);
++ if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
++ goto lose;
++ total_size += chars;
++ if (__builtin_expect (__alignof__ (struct leap) - 1
++ > SIZE_MAX - total_size, 0))
++ goto lose;
+ total_size = ((total_size + __alignof__ (struct leap) - 1)
+ & ~(__alignof__ (struct leap) - 1));
+ leaps_idx = total_size;
++ if (__builtin_expect (num_leaps
++ > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
++ goto lose;
+ total_size += num_leaps * sizeof (struct leap);
+- tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
+- ? st.st_size - (ftello (f)
+- + num_transitions * (8 + 1)
+- + num_types * 6
+- + chars
+- + num_leaps * 12
+- + num_isstd
+- + num_isgmt) - 1 : 0);
++ tzspec_len = 0;
++ if (sizeof (time_t) == 8 && trans_width == 8)
++ {
++ off_t rem = st.st_size - ftello (f);
++ if (__builtin_expect (rem < 0
++ || (size_t) rem < (num_transitions * (8 + 1)
++ + num_types * 6
++ + chars), 0))
++ goto lose;
++ tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
++ + num_types * 6
++ + chars);
++ if (__builtin_expect (num_leaps > SIZE_MAX / 12
++ || tzspec_len < num_leaps * 12, 0))
++ goto lose;
++ tzspec_len -= num_leaps * 12;
++ if (__builtin_expect (tzspec_len < num_isstd, 0))
++ goto lose;
++ tzspec_len -= num_isstd;
++ if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
++ goto lose;
++ tzspec_len -= num_isgmt + 1;
++ if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
++ goto lose;
++ }
++ if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
++ goto lose;
+
+ /* Allocate enough memory including the extra block requested by the
+ caller. */
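Review bot: The guard `if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))` tests `tzspec` rather than `tzspec_len`, so nothing stops `tzspec_len - 1` from wrapping to SIZE_MAX when a crafted file leaves `tzspec_len` at 0 after the `num_isstd` subtraction. In that case the comparison passes and `tzspec_len -= num_isgmt + 1` underflows; whether the following `SIZE_MAX - total_size < tzspec_len` test still rejects the file depends on `total_size` exceeding `num_isgmt`, which this hunk does not establish. `tzspec` is not declared in the visible lines; if it is the pointer to a previously parsed TZ string, the result would also depend on state left by an earlier call rather than on the file being read. Every neighbouring check operates on `tzspec_len`, so the line presumably should read `if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))`. `__tzfile_read` begins and ends outside the hunk, so this should be confirmed against the full function before the patch ships.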
diff --git a/glibc.spec b/glibc.spec
index 69efe6e..4d6d460 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -24,7 +24,7 @@
Summary: The GNU libc libraries
Name: glibc
Version: %{glibcversion}
-Release: 2
+Release: 3
# GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
# Things that are linked directly into dynamically linked programs
# and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -38,6 +38,8 @@ Source1: %{?glibc_release_url}%{glibcportsdir}.tar.xz
Source2: %{glibcsrcdir}-fedora.tar.xz
Patch0: %{name}-fedora.patch
Patch1: %{name}-ia64-lib64.patch
+Patch2: %{name}-rh767696.patch
+
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Obsoletes: glibc-profile < 2.4
Provides: ldconfig
@@ -250,6 +252,7 @@ rm -rf %{glibcportsdir}
%patch1 -p1
%endif
%endif
+%patch2 -p1
# A lot of programs still misuse memcpy when they have to use
# memmove. The memcpy implementation below is not tolerant at
@@ -1032,6 +1035,10 @@ rm -f *.filelist*
%endif
%changelog
+* Sun Dec 19 2011 Jeff Law <law at redhat.com> - 2.13-3
+ - Check values from TZ file header (#767696)
+
+
* Thu Aug 4 2011 Andreas Schwab <schwab at redhat.com> - 2.13-2
- Update from 2.13 branch
- Fix static linking with checking x86/x86-64 memcpy (BZ#12653)