gcc: Security fix CVE-2016-2226
(From OE-Core rev: 9b85d69584fdb0d2c607fa820b4515ee38202ab9) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
23f00321e9
commit
a1928c81e6
|
@ -92,6 +92,7 @@ SRC_URI = "\
|
||||||
file://0060-remove-prototypes-cfns.patch \
|
file://0060-remove-prototypes-cfns.patch \
|
||||||
file://CVE-2016-4488.patch \
|
file://CVE-2016-4488.patch \
|
||||||
file://CVE-2016-4489.patch \
|
file://CVE-2016-4489.patch \
|
||||||
|
file://CVE-2016-2226.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
BACKPORTS = ""
|
BACKPORTS = ""
|
||||||
|
|
|
@ -0,0 +1,103 @@
|
||||||
|
From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
|
||||||
|
From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
|
||||||
|
Date: Fri, 8 Apr 2016 12:10:21 +0000
|
||||||
|
Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
|
||||||
|
=?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
PR c++/69687
|
||||||
|
* cplus-dem.c: Include <limits.h> if available.
|
||||||
|
(INT_MAX): Define if necessary.
|
||||||
|
(remember_type, remember_Ktype, register_Btype, string_need):
|
||||||
|
Abort if we detect cases where we the size of the allocation would
|
||||||
|
overflow.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
|
||||||
|
Upstream-Status: Backport
|
||||||
|
CVE: CVE-2016-2226
|
||||||
|
|
||||||
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
libiberty/ChangeLog | 7 +++++++
|
||||||
|
libiberty/cplus-dem.c | 15 +++++++++++++++
|
||||||
|
2 files changed, 22 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
|
||||||
|
index 8e82a5f..2a34356 100644
|
||||||
|
--- a/libiberty/ChangeLog
|
||||||
|
+++ b/libiberty/ChangeLog
|
||||||
|
@@ -1,5 +1,12 @@
|
||||||
|
2016-04-08 Marcel Böhme <boehme.marcel@gmail.com>
|
||||||
|
|
||||||
|
+ PR c++/69687
|
||||||
|
+ * cplus-dem.c: Include <limits.h> if available.
|
||||||
|
+ (INT_MAX): Define if necessary.
|
||||||
|
+ (remember_type, remember_Ktype, register_Btype, string_need):
|
||||||
|
+ Abort if we detect cases where we the size of the allocation would
|
||||||
|
+ overflow.
|
||||||
|
+
|
||||||
|
PR c++/70498
|
||||||
|
* cplus-dem.c (gnu_special): Handle case where consume_count returns
|
||||||
|
-1.
|
||||||
|
diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
|
||||||
|
index abba234..7514e57 100644
|
||||||
|
--- a/libiberty/cplus-dem.c
|
||||||
|
+++ b/libiberty/cplus-dem.c
|
||||||
|
@@ -56,6 +56,13 @@ void * malloc ();
|
||||||
|
void * realloc ();
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifdef HAVE_LIMITS_H
|
||||||
|
+#include <limits.h>
|
||||||
|
+#endif
|
||||||
|
+#ifndef INT_MAX
|
||||||
|
+# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#include <demangle.h>
|
||||||
|
#undef CURRENT_DEMANGLING_STYLE
|
||||||
|
#define CURRENT_DEMANGLING_STYLE work->options
|
||||||
|
@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
+ if (work -> typevec_size > INT_MAX / 2)
|
||||||
|
+ xmalloc_failed (INT_MAX);
|
||||||
|
work -> typevec_size *= 2;
|
||||||
|
work -> typevec
|
||||||
|
= XRESIZEVEC (char *, work->typevec, work->typevec_size);
|
||||||
|
@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
+ if (work -> ksize > INT_MAX / 2)
|
||||||
|
+ xmalloc_failed (INT_MAX);
|
||||||
|
work -> ksize *= 2;
|
||||||
|
work -> ktypevec
|
||||||
|
= XRESIZEVEC (char *, work->ktypevec, work->ksize);
|
||||||
|
@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
+ if (work -> bsize > INT_MAX / 2)
|
||||||
|
+ xmalloc_failed (INT_MAX);
|
||||||
|
work -> bsize *= 2;
|
||||||
|
work -> btypevec
|
||||||
|
= XRESIZEVEC (char *, work->btypevec, work->bsize);
|
||||||
|
@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
|
||||||
|
else if (s->e - s->p < n)
|
||||||
|
{
|
||||||
|
tem = s->p - s->b;
|
||||||
|
+ if (n > INT_MAX / 2 - tem)
|
||||||
|
+ xmalloc_failed (INT_MAX);
|
||||||
|
n += tem;
|
||||||
|
n *= 2;
|
||||||
|
s->b = XRESIZEVEC (char, s->b, n);
|
||||||
|
--
|
||||||
|
2.3.5
|
||||||
|
|
Loading…
Reference in New Issue