summaryrefslogtreecommitdiff
path: root/cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch
diff options
context:
space:
mode:
authorNicolás Reynolds <fauno@endefensadelsl.org>2014-02-18 01:56:34 +0000
committerNicolás Reynolds <fauno@endefensadelsl.org>2014-02-18 01:56:34 +0000
commit8185891e28635bdb83fdf4ba4391030912dae596 (patch)
tree66a946535bdd228514750233b2cc99dd1866ff64 /cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch
parent60a11f87366fdfbd114cdc91ff813518858e5f8d (diff)
Tue Feb 18 01:56:27 UTC 2014
Diffstat (limited to 'cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch')
-rw-r--r--cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch180
1 files changed, 180 insertions, 0 deletions
diff --git a/cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch b/cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch
new file mode 100644
index 000000000..f8dde53f5
--- /dev/null
+++ b/cross/cross-mips64el-unknown-linux-gnu-glibc-headers/glibc-2.15-vfprintf-nargs.patch
@@ -0,0 +1,180 @@
+diff --git a/stdio-common/Makefile b/stdio-common/Makefile
+index a847b28..080badc 100644
+--- a/stdio-common/Makefile
++++ b/stdio-common/Makefile
+@@ -59,7 +59,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
+ tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \
+ tst-fwrite bug16 bug17 tst-swscanf tst-sprintf2 bug18 bug18a \
+ bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
+- scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24
++ scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
++ bug-vfprintf-nargs
+
+ test-srcs = tst-unbputc tst-printf
+
+diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c
+new file mode 100644
+index 0000000..13c66c0
+--- /dev/null
++++ b/stdio-common/bug-vfprintf-nargs.c
+@@ -0,0 +1,78 @@
++/* Test for vfprintf nargs allocation overflow (BZ #13656).
++ Copyright (C) 2012 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++ Contributed by Kees Cook <keescook@chromium.org>, 2012.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, write to the Free
++ Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
++ 02111-1307 USA. */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <stdint.h>
++#include <unistd.h>
++#include <inttypes.h>
++#include <string.h>
++#include <signal.h>
++
++static int
++format_failed (const char *fmt, const char *expected)
++{
++ char output[80];
++
++ printf ("%s : ", fmt);
++
++ memset (output, 0, sizeof output);
++ /* Having sprintf itself detect a failure is good. */
++ if (sprintf (output, fmt, 1, 2, 3, "test") > 0
++ && strcmp (output, expected) != 0)
++ {
++ printf ("FAIL (output '%s' != expected '%s')\n", output, expected);
++ return 1;
++ }
++ puts ("ok");
++ return 0;
++}
++
++static int
++do_test (void)
++{
++ int rc = 0;
++ char buf[64];
++
++ /* Regular positionals work. */
++ if (format_failed ("%1$d", "1") != 0)
++ rc = 1;
++
++ /* Regular width positionals work. */
++ if (format_failed ("%1$*2$d", " 1") != 0)
++ rc = 1;
++
++ /* Positional arguments are constructed via read_int, so nargs can only
++ overflow on 32-bit systems. On 64-bit systems, it will attempt to
++ allocate a giant amount of memory and possibly crash, which is the
++ expected situation. Since the 64-bit behavior is arch-specific, only
++ test this on 32-bit systems. */
++ if (sizeof (long int) == 4)
++ {
++ sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int));
++ if (format_failed (buf, "1 %$d") != 0)
++ rc = 1;
++ }
++
++ return rc;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index 863cd5d..c802e46 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
+ 0 if unknown. */
+ int readonly_format = 0;
+
++ /* For the argument descriptions, which may be allocated on the heap. */
++ void *args_malloced = NULL;
++
+ /* This table maps a character into a number representing a
+ class. In each step there is a destination label for each
+ class. */
+@@ -1647,9 +1650,10 @@ do_positional:
+ determine the size of the array needed to store the argument
+ attributes. */
+ size_t nargs = 0;
+- int *args_type;
+- union printf_arg *args_value = NULL;
++ size_t bytes_per_arg;
++ union printf_arg *args_value;
+ int *args_size;
++ int *args_type;
+
+ /* Positional parameters refer to arguments directly. This could
+ also determine the maximum number of arguments. Track the
+@@ -1698,13 +1702,38 @@ do_positional:
+
+ /* Determine the number of arguments the format string consumes. */
+ nargs = MAX (nargs, max_ref_arg);
++ /* Calculate total size needed to represent a single argument across
++ all three argument-related arrays. */
++ bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
++ + sizeof (*args_type);
++
++ /* Check for potential integer overflow. */
++ if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))
++ {
++ __set_errno (ERANGE);
++ done = -1;
++ goto all_done;
++ }
+
+- /* Allocate memory for the argument descriptions. */
+- args_type = alloca (nargs * sizeof (int));
++ /* Allocate memory for all three argument arrays. */
++ if (__libc_use_alloca (nargs * bytes_per_arg))
++ args_value = alloca (nargs * bytes_per_arg);
++ else
++ {
++ args_value = args_malloced = malloc (nargs * bytes_per_arg);
++ if (args_value == NULL)
++ {
++ done = -1;
++ goto all_done;
++ }
++ }
++
++ /* Set up the remaining two arrays to each point past the end of the
++ prior array, since space for all three has been allocated now. */
++ args_size = &args_value[nargs].pa_int;
++ args_type = &args_size[nargs];
+ memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
+- nargs * sizeof (int));
+- args_value = alloca (nargs * sizeof (union printf_arg));
+- args_size = alloca (nargs * sizeof (int));
++ nargs * sizeof (*args_type));
+
+ /* XXX Could do sanity check here: If any element in ARGS_TYPE is
+ still zero after this loop, format is invalid. For now we
+@@ -1973,8 +2002,8 @@ do_positional:
+ }
+
+ all_done:
+- if (__builtin_expect (workstart != NULL, 0))
+- free (workstart);
++ free (args_malloced);
++ free (workstart);
+ /* Unlock the stream. */
+ _IO_funlockfile (s);
+ _IO_cleanup_region_end (0);