FreeBSD Bugzilla – Attachment 157772 Details for
Bug 200888
[patch] libiberty: integer overflow (CVE-2012-3509)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
fix from OpenBSD
CVE-2012-3509.diff (text/plain), 2.08 KB, created by
Pedro F. Giffuni
on 2015-06-15 22:11:49 UTC
(
hide
)
Description:
fix from OpenBSD
Filename:
MIME Type:
Creator:
Pedro F. Giffuni
Created:
2015-06-15 22:11:49 UTC
Size:
2.08 KB
patch
obsolete
>Index: contrib/gcclibs/include/objalloc.h >=================================================================== >--- contrib/gcclibs/include/objalloc.h (revision 284419) >+++ contrib/gcclibs/include/objalloc.h (working copy) >@@ -1,5 +1,5 @@ > /* objalloc.h -- routines to allocate memory for objects >- Copyright 1997, 2001 Free Software Foundation, Inc. >+ Copyright 1997, 2001-2012 Free Software Foundation, Inc. > Written by Ian Lance Taylor, Cygnus Solutions. > > This program is free software; you can redistribute it and/or modify it >@@ -91,7 +91,7 @@ > if (__len == 0) \ > __len = 1; \ > __len = (__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1); \ >- (__len <= __o->current_space \ >+ (__len != 0 && __len <= __o->current_space \ > ? (__o->current_ptr += __len, \ > __o->current_space -= __len, \ > (void *) (__o->current_ptr - __len)) \ >Index: contrib/gcclibs/libiberty/objalloc.c >=================================================================== >--- contrib/gcclibs/libiberty/objalloc.c (revision 284419) >+++ contrib/gcclibs/libiberty/objalloc.c (working copy) >@@ -1,5 +1,5 @@ > /* objalloc.c -- routines to allocate memory for objects >- Copyright 1997 Free Software Foundation, Inc. >+ Copyright 1997-2012 Free Software Foundation, Inc. > Written by Ian Lance Taylor, Cygnus Solutions. > > This program is free software; you can redistribute it and/or modify it >@@ -112,8 +112,10 @@ > /* Allocate space from an objalloc structure. */ > > PTR >-_objalloc_alloc (struct objalloc *o, unsigned long len) >+_objalloc_alloc (struct objalloc *o, unsigned long original_len) > { >+ unsigned long len = original_len; >+ > /* We avoid confusion from zero sized objects by always allocating > at least 1 byte. */ > if (len == 0) >@@ -121,6 +123,11 @@ > > len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1); > >+ /* CVE-2012-3509: Check for overflow in the alignment operation above >+ * and then malloc argument below. */ >+ if (len + CHUNK_HEADER_SIZE < original_len) >+ return NULL; >+ > if (len <= o->current_space) > { > o->current_ptr += len;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=157772">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 200888
: 157772