[glibc/f19] Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).

[Siddhesh Poyarekar]

commit 701d18f90d923efd0cba7346422c5a3ffc8dee01
Author: Siddhesh Poyarekar <siddhesh at redhat.com>
Date:   Mon Sep 16 15:38:55 2013 +0530

    Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).
    
    Conflicts:
    	glibc.spec

 glibc-rh1008299.patch |   46 ++++++++++++++++++++++++++++++++++++++++++++++
 glibc.spec            |    7 ++++++-
 2 files changed, 52 insertions(+), 1 deletions(-)
---
diff --git a/glibc-rh1008299.patch b/glibc-rh1008299.patch
new file mode 100644
index 0000000..14d1057
--- /dev/null
+++ b/glibc-rh1008299.patch
@@ -0,0 +1,46 @@
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 3148c5f..f7718a9 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
+   /* Otherwise, ensure that it is at least a minimum chunk size */
+   if (alignment <  MINSIZE) alignment = MINSIZE;
+ 
++  /* Check for overflow.  */
++  if (bytes > SIZE_MAX - alignment - MINSIZE)
++    {
++      __set_errno (ENOMEM);
++      return 0;
++    }
++
+   arena_get(ar_ptr, bytes + alignment + MINSIZE);
+   if(!ar_ptr)
+     return 0;
+@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
+ 
+   size_t pagesz = GLRO(dl_pagesize);
+ 
++  /* Check for overflow.  */
++  if (bytes > SIZE_MAX - pagesz - MINSIZE)
++    {
++      __set_errno (ENOMEM);
++      return 0;
++    }
++
+   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
+ 					const __malloc_ptr_t)) =
+     force_reg (__memalign_hook);
+@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
+   size_t page_mask = GLRO(dl_pagesize) - 1;
+   size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+ 
++  /* Check for overflow.  */
++  if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
++    {
++      __set_errno (ENOMEM);
++      return 0;
++    }
++
+   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
+ 					const __malloc_ptr_t)) =
+     force_reg (__memalign_hook);
diff --git a/glibc.spec b/glibc.spec
index 0bd7d95..e3daad6 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -27,7 +27,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 14%{?dist}
+Release: 15%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -129,6 +129,7 @@ Patch1007: %{name}-rh977887-2.patch
 Patch1008: %{name}-rh984829.patch
 Patch1009: %{name}-rh995841.patch
 Patch1010: %{name}-rh947892.patch
+Patch1011: %{name}-rh1008299.patch
 
 #
 # Patches submitted, but not yet approved upstream.
@@ -445,6 +446,7 @@ package or when debugging this package.
 %patch0040 -p1
 %patch0041 -p1
 %patch0042 -p1
+%patch1011 -p1
 
 # On powerpc32, hp timing is only available in power4/power6
 # libs, not in base, so pre-power4 dynamic linker is incompatible
@@ -1235,6 +1237,9 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Mon Sep 16 2013 Siddhesh Poyarekar <siddhesh at redhat.com> - 2.17-15
+- Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).
+
 * Mon Aug 26 2013 Siddhesh Poyarekar <siddhesh at redhat.com> - 2.17-14
 - Add systemd to BuildRequires (#999924).
 - Expand sizes of some types in strcoll (#855399, CVE-2012-4424).