[glibc] Fix use-after-free in dcigettext.c (#816647).
Jeffrey Law
law at fedoraproject.org
Thu Jun 21 18:05:56 UTC 2012
commit fd26ca323db15675ab41c4ee487001f42d44aafe
Author: Jeff Law <law at redhat.com>
Date: Thu Jun 21 12:04:39 2012 -0600
Fix use-after-free in dcigettext.c (#816647).
glibc-rh816647.patch | 25 +++++++++++++++++++++++++
glibc.spec | 9 ++++++++-
2 files changed, 33 insertions(+), 1 deletions(-)
---
diff --git a/glibc-rh816647.patch b/glibc-rh816647.patch
new file mode 100644
index 0000000..1880121
--- /dev/null
+++ b/glibc-rh816647.patch
@@ -0,0 +1,25 @@
+2012-06-21 Jeff Law <law at redhat.com>
+
+ * intl/dcigettext.c (_nl_find_msg): Do not dereference memory
+ that may have just been free'd.
+
+diff --git a/intl/dcigettext.c b/intl/dcigettext.c
+index f6b7573..9c673d4 100644
+--- a/intl/dcigettext.c
++++ b/intl/dcigettext.c
+@@ -1149,13 +1149,14 @@ _nl_find_msg (domain_file, domainbinding, msgid, convert, lengthp)
+ /* We must allocate a new buffer or resize the old one. */
+ if (malloc_count > 0)
+ {
++ struct transmem_list *next = transmem_list->next;
+ ++malloc_count;
+ freemem_size = malloc_count * INITIAL_BLOCK_SIZE;
+ newmem = (transmem_block_t *) realloc (transmem_list,
+ freemem_size);
+ # ifdef _LIBC
+ if (newmem != NULL)
+- transmem_list = transmem_list->next;
++ transmem_list = next;
+ else
+ {
+ struct transmem_list *old = transmem_list;
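Review bot: The added `struct transmem_list *next = transmem_list->next;` in `_nl_find_msg` has no comment saying the read must stay ahead of the `realloc` call, so a later cleanup could move it back and reintroduce the use-after-free. I would add `/* realloc may free or move the block, so read ->next before the call. */` directly above the declaration. The declaration also sits before the `# ifdef _LIBC` line while its only visible use, `transmem_list = next;`, is inside that conditional, so a build without `_LIBC` would presumably see an unused local; moving it under the same conditional would avoid that. The `else` branch keeps using the old pointer (`old = transmem_list`), which looks correct because a failed `realloc` leaves the original block allocated, but the rest of that branch is outside the hunk.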
diff --git a/glibc.spec b/glibc.spec
index 2f06be3..af26340 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -28,7 +28,7 @@
Summary: The GNU libc libraries
Name: glibc
Version: %{glibcversion}
-Release: 14%{?dist}
+Release: 15%{?dist}
# GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
# Things that are linked directly into dynamically linked programs
# and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -174,6 +174,9 @@ Patch2034: %{name}-rh767693-2.patch
# Upstream BZ 14247
Patch2036: %{name}-rh827510.patch
+# Upstream BZ 14277
+Patch2037: %{name}-rh816647.patch
+
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Obsoletes: glibc-profile < 2.4
Obsoletes: nss_db
@@ -432,6 +435,7 @@ rm -rf %{glibcportsdir}
%patch2034 -p1
%patch0035 -p1
%patch2036 -p1
+%patch2037 -p1
# On powerpc32, hp timing is only available in power4/power6
# libs, not in base, so pre-power4 dynamic linker is incompatible
@@ -1314,6 +1318,9 @@ rm -f *.filelist*
%endif
%changelog
+* Thu Jun 21 2012 Jeff Law <law at redhat.com> - 2.15.90-15
+ - Fix use-after-free in dcigettext.c (#816647).
+
* Fri Jun 15 2012 Jeff Law <law at redhat.com> - 2.15.90-14
- Resync with master.