diff options
author | root <root@rshg054.dnsready.net> | 2013-09-17 01:42:42 -0700 |
---|---|---|
committer | root <root@rshg054.dnsready.net> | 2013-09-17 01:42:42 -0700 |
commit | a1ec78e8d16098adb2e9e1cf4e364625e74c3bc4 (patch) | |
tree | df5debed7978d781494c73a98f73921edea769cc /core/glibc/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch | |
parent | bce247d29e4c6f3b30326d485942cc2d3614430f (diff) |
Tue Sep 17 01:42:37 PDT 2013
Diffstat (limited to 'core/glibc/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch')
-rw-r--r-- | core/glibc/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/core/glibc/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch b/core/glibc/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch new file mode 100644 index 000000000..093db86c9 --- /dev/null +++ b/core/glibc/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch @@ -0,0 +1,54 @@ +diff --git a/malloc/malloc.c b/malloc/malloc.c +index dd295f5..7f43ba3 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes) + size_t page_mask = GLRO(dl_pagesize) - 1; + size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + void *(*hook) (size_t, size_t, const void *) = + force_reg (__memalign_hook); + if (__builtin_expect (hook != NULL, 0)) +diff --git a/malloc/malloc.c b/malloc/malloc.c +index 7f43ba3..3148c5f 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes) + + size_t pagesz = GLRO(dl_pagesize); + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - pagesz - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + void *(*hook) (size_t, size_t, const void *) = + force_reg (__memalign_hook); + if (__builtin_expect (hook != NULL, 0)) +diff --git a/malloc/malloc.c b/malloc/malloc.c +index 3148c5f..f7718a9 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes) + /* Otherwise, ensure that it is at least a minimum chunk size */ + if (alignment < MINSIZE) alignment = MINSIZE; + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - alignment - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + arena_get(ar_ptr, bytes + alignment + MINSIZE); + if(!ar_ptr) + return 0; |