[glibc] Fix cycle detection & overflows (729661)

Jeffrey Law law at fedoraproject.org
Mon Jan 23 21:42:26 UTC 2012


commit 4dc232f59d9bc46050bc6ee199f3f14e1b72cf2c
Author: Jeff Law <law at redhat.com>
Date:   Mon Jan 23 14:41:49 2012 -0700

    Fix cycle detection & overflows (729661)

 glibc-rh729661.patch |   56 ++++++++++++++++++++++++++++++++++++++++++++++++++
 glibc.spec           |    7 +++++-
 2 files changed, 62 insertions(+), 1 deletions(-)
---
diff --git a/glibc-rh729661.patch b/glibc-rh729661.patch
new file mode 100644
index 0000000..f297970
--- /dev/null
+++ b/glibc-rh729661.patch
@@ -0,0 +1,56 @@
+diff -rup a/elf/dl-deps.c b/elf/dl-deps.c
+--- a/elf/dl-deps.c	2012-01-23 14:28:15.888185967 -0700
++++ b/elf/dl-deps.c	2012-01-23 14:29:11.620197431 -0700
+@@ -634,7 +634,7 @@ Filters not supported with LD_TRACE_PREL
+       /* We can skip looking for the binary itself which is at the front
+ 	 of the search list.  */
+       i = 1;
+-      char seen[nlist];
++      unsigned short seen[nlist];
+       memset (seen, 0, nlist * sizeof (seen[0]));
+       while (1)
+ 	{
+@@ -660,13 +660,13 @@ Filters not supported with LD_TRACE_PREL
+ 			       (k - i) * sizeof (l_initfini[0]));
+ 		      l_initfini[k] = thisp;
+ 
+-		      if (seen[i + 1] > 1)
++		      if (seen[i + 1] > nlist - i)
+ 			{
+ 			  ++i;
+ 			  goto next_clear;
+ 			}
+ 
+-		      char this_seen = seen[i];
++		      unsigned short this_seen = seen[i];
+ 		      memmove (&seen[i], &seen[i + 1],
+ 			       (k - i) * sizeof (seen[0]));
+ 		      seen[k] = this_seen;
+diff -rup a/elf/dl-fini.c b/elf/dl-fini.c
+--- a/elf/dl-fini.c	2012-01-01 05:16:32.000000000 -0700
++++ b/elf/dl-fini.c	2012-01-23 14:29:39.661203226 -0700
+@@ -39,7 +39,7 @@ _dl_sort_fini (struct link_map **maps, s
+   /* We can skip looking for the binary itself which is at the front
+      of the search list for the main namespace.  */
+   unsigned int i = ns == LM_ID_BASE;
+-  char seen[nmaps];
++  unsigned short seen[nmaps];
+   memset (seen, 0, nmaps * sizeof (seen[0]));
+   while (1)
+     {
+@@ -79,13 +79,13 @@ _dl_sort_fini (struct link_map **maps, s
+ 		      used[k] = here_used;
+ 		    }
+ 
+-		  if (seen[i + 1] > 1)
++		  if (seen[i + 1] > nmaps - i)
+ 		    {
+ 		      ++i;
+ 		      goto next_clear;
+ 		    }
+ 
+-		  char this_seen = seen[i];
++		  unsigned short this_seen = seen[i];
+ 		  memmove (&seen[i], &seen[i + 1], (k - i) * sizeof (seen[0]));
+ 		  seen[k] = this_seen;
+ 
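Review bot: The `unsigned short` element type caps each `seen[]` counter at 65535, but the new threshold `nlist - i` in elf/dl-deps.c (and `nmaps - i` in `_dl_sort_fini`) is not capped the same way. If the object count can exceed that, `seen[i + 1] > nlist - i` can never be true for small `i`, and the counter, whose increment is outside these hunks, would presumably wrap instead of ending the cycle walk. Either state the assumed upper bound in a comment next to the declaration, or widen the counters, e.g. `unsigned int seen[nlist];` with `unsigned int this_seen = seen[i];`. The array is a stack VLA sized by the object count and this change already doubles it, so widening should be weighed against stack use on the same path. Both function bodies start and end outside the hunks shown.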
diff --git a/glibc.spec b/glibc.spec
index ad73097..de833a0 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -28,7 +28,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 2%{?dist}
+Release: 3%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -53,6 +53,7 @@ Patch4: %{name}-rh730856.patch
 # Reverting an upstream patch.  I don't think this has been discussed upstream yet.
 # Caused a variety of problems for Fedora & Debian
 Patch5: %{name}-rh769421.patch
+Patch6: %{name}-rh729661.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Obsoletes: glibc-profile < 2.4
@@ -276,6 +277,7 @@ rm -rf %{glibcportsdir}
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 # A lot of programs still misuse memcpy when they have to use
 # memmove. The memcpy implementation below is not tolerant at
@@ -1128,6 +1130,9 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Mon Jan 23 2012 Jeff Law <law at redhat.com> - 2.15-3
+  - Fix cycle detection (#729661)
+
 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.15-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 

