[commits] r9713 - in /fsf/trunk/libc: ChangeLog locale/loadlocale.c posix/regex_internal.c posix/regexec.c
- To: commits@xxxxxxxxxx
- Subject: [commits] r9713 - in /fsf/trunk/libc: ChangeLog locale/loadlocale.c posix/regex_internal.c posix/regexec.c
- From: eglibc@xxxxxxxxxx
- Date: Sat, 23 Jan 2010 08:03:37 -0000
Author: eglibc
Date: Sat Jan 23 00:03:36 2010
New Revision: 9713
Log:
Import glibc-mainline for 2010-01-23
Modified:
fsf/trunk/libc/ChangeLog
fsf/trunk/libc/locale/loadlocale.c
fsf/trunk/libc/posix/regex_internal.c
fsf/trunk/libc/posix/regexec.c
Modified: fsf/trunk/libc/ChangeLog
==============================================================================
--- fsf/trunk/libc/ChangeLog (original)
+++ fsf/trunk/libc/ChangeLog Sat Jan 23 00:03:36 2010
@@ -1,3 +1,62 @@
+2010-01-22 Ulrich Drepper <drepper@xxxxxxxxxx>
+
+ [BZ #11200]
+ * locale/loadlocale.c (_nl_load_locale): Fix recognition of genuine
+ mmap resource problem. Patch by Joe Landers <jlanders@xxxxxxxxxx>.
+
+2010-01-22 Jim Meyering <jim@xxxxxxxxxxxx>
+
+ [BZ #11193]
+ * posix/regexec.c (extend_buffers): Avoid overflow in realloc
+ buffer length computation.
+
+ [BZ #11192]
+ * posix/regexec.c (re_copy_regs): Don't leak when allocation
+ of the start buffer succeeds but allocation of the "end" one fails.
+
+ [BZ #11191]
+ * posix/regexec.c (re_search_2_stub): Check for overflow
+ when adding the sizes of the two strings.
+
+ [BZ #11190]
+ * posix/regexec.c (re_search_internal): Avoid overflow
+ in computing re_malloc buffer size.
+
+ [BZ #11189]
+ * posix/regexec.c (prune_impossible_nodes): Avoid overflow
+ in computing re_malloc buffer size.
+
+ [BZ #11188]
+ * posix/regexec.c (build_trtable): Avoid arithmetic overflow
+ in size calculation.
+
+ [BZ #11187]
+ * posix/regexec.c (re_search_2_stub): Use simpler method than
+ boolean for freeing internal storage.
+
+2010-01-22 Ulrich Drepper <drepper@xxxxxxxxxx>
+
+ * posix/regex_internal.c (re_string_skip_chars): Simplify test for
+ failed mbrtowc call.
+
+2010-01-22 Jim Meyering <jim@xxxxxxxxxxxx>
+
+ [BZ #11186]
+ * posix/regex_internal.c (re_string_skip_chars): Don't assume WEOF
+ fits in wchar_t. Problem reported by Eric Blake.
+
+ [BZ #11185]
+ * posix/regex_internal.c (re_string_reconstruct): Remove declaration
+ and stores into set-but-not-used local, "q".
+
+ [BZ #11184]
+ * posix/regex_internal.c (re_dfa_add_node): Extend the overflow
+ detection test. Patch by Paul Eggert.
+
+ [BZ #11183]
+ * posix/regex_internal.c (re_string_realloc_buffers):
+ Detect and handle internal overflow. Patch by Paul Eggert
+
2010-01-20 Andreas Schwab <schwab@xxxxxxxxxx>
* sysdeps/unix/sysv/linux/s390/s390-32/____longjmp_chk.c
Modified: fsf/trunk/libc/locale/loadlocale.c
==============================================================================
--- fsf/trunk/libc/locale/loadlocale.c (original)
+++ fsf/trunk/libc/locale/loadlocale.c Sat Jan 23 00:03:36 2010
@@ -224,6 +224,7 @@
PROT_READ, MAP_FILE|MAP_COPY, fd, 0);
if (__builtin_expect (filedata == MAP_FAILED, 0))
{
+ filedata = NULL;
if (__builtin_expect (errno, ENOSYS) == ENOSYS)
{
#endif /* _POSIX_MAPPED_FILES */
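Review bot: The added `filedata = NULL;` carries no comment, and the reason it matters is not visible in this hunk: presumably a later `filedata == NULL` test selects the read() fallback and must not see MAP_FAILED (a non-null pointer) after a non-ENOSYS mmap failure, which is the BZ #11200 symptom the ChangeLog describes. A one-line comment would stop the reset being "simplified" away later: `/* No mapping exists on any mmap failure; clear the MAP_FAILED value so the NULL checks below take the fallback path.  */`. The enclosing function starts before and ends after this hunk.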
Modified: fsf/trunk/libc/posix/regex_internal.c
==============================================================================
--- fsf/trunk/libc/posix/regex_internal.c (original)
+++ fsf/trunk/libc/posix/regex_internal.c Sat Jan 23 00:03:36 2010
@@ -133,7 +133,14 @@
#ifdef RE_ENABLE_I18N
if (pstr->mb_cur_max > 1)
{
- wint_t *new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len);
+ wint_t *new_wcs;
+
+ /* Avoid overflow in realloc. */
+ const size_t max_object_size = MAX (sizeof (wint_t), sizeof (int));
+ if (BE (SIZE_MAX / max_object_size < new_buf_len, 0))
+ return REG_ESPACE;
+
+ new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len);
if (BE (new_wcs == NULL, 0))
return REG_ESPACE;
pstr->wcs = new_wcs;
@@ -482,18 +489,18 @@
mbstate_t prev_st;
int rawbuf_idx;
size_t mbclen;
- wchar_t wc = WEOF;
+ wint_t wc = WEOF;
/* Skip the characters which are not necessary to check. */
for (rawbuf_idx = pstr->raw_mbs_idx + pstr->valid_raw_len;
rawbuf_idx < new_raw_idx;)
{
- int remain_len;
- remain_len = pstr->len - rawbuf_idx;
+ wchar_t wc2;
+ int remain_len = pstr->len - rawbuf_idx;
prev_st = pstr->cur_state;
- mbclen = __mbrtowc (&wc, (const char *) pstr->raw_mbs + rawbuf_idx,
+ mbclen = __mbrtowc (&wc2, (const char *) pstr->raw_mbs + rawbuf_idx,
remain_len, &pstr->cur_state);
- if (BE (mbclen == (size_t) -2 || mbclen == (size_t) -1 || mbclen == 0, 0))
+ if (BE ((ssize_t) mbclen <= 0, 0))
{
/* We treat these cases as a single byte character. */
if (mbclen == 0 || remain_len == 0)
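Review bot: The new test `(ssize_t) mbclen <= 0` folds the three mbrtowc failure returns shown on the removed line (0, (size_t) -1, (size_t) -2) into one comparison by converting a size_t to ssize_t, and nothing says so; converting SIZE_MAX to a signed type is implementation-defined in C, so the intent should be written down: `/* 0, (size_t) -1 and (size_t) -2 all become <= 0 once cast to ssize_t.  */`. Note that `wc2` is read only on the success path (the `else` in the next hunk), so it is never used uninitialised. re_string_skip_chars continues in the following hunk and ends outside it.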
@@ -503,10 +510,12 @@
mbclen = 1;
pstr->cur_state = prev_st;
}
+ else
+ wc = (wint_t) wc2;
/* Then proceed the next character. */
rawbuf_idx += mbclen;
}
- *last_wc = (wint_t) wc;
+ *last_wc = wc;
return rawbuf_idx;
}
#endif /* RE_ENABLE_I18N */
@@ -694,7 +703,7 @@
if (pstr->is_utf8)
{
- const unsigned char *raw, *p, *q, *end;
+ const unsigned char *raw, *p, *end;
/* Special case UTF-8. Multi-byte chars start with any
byte other than 0x80 - 0xbf. */
@@ -723,13 +732,11 @@
unsigned char buf[6];
size_t mbclen;
- q = p;
if (BE (pstr->trans != NULL, 0))
{
int i = mlen < 6 ? mlen : 6;
while (--i >= 0)
buf[i] = pstr->trans[p[i]];
- q = buf;
}
/* XXX Don't use mbrtowc, we know which conversion
to use (UTF-8 -> UCS4). */
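Review bot: With `q` gone, the `while (--i >= 0)` loop still fills `buf` from `pstr->trans`, but nothing in this hunk reads `buf` afterwards; the decode that follows (outside the hunk) presumably works from `p`, so either the translated bytes were always ignored and `buf` plus the loop are dead code too, or `q` was meant to feed the decoder and removing it hides a real bug rather than an unused variable. The commit should state which: if the loop is dead, drop `buf` and the `if (BE (pstr->trans != NULL, 0))` block as well; if not, the decode should consume `buf` when `trans` is set. The enclosing function starts and ends outside this hunk.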
@@ -1404,8 +1411,11 @@
re_node_set *new_edests, *new_eclosures;
re_token_t *new_nodes;
- /* Avoid overflows. */
- if (BE (new_nodes_alloc < dfa->nodes_alloc, 0))
+ /* Avoid overflows in realloc. */
+ const size_t max_object_size = MAX (sizeof (re_token_t),
+ MAX (sizeof (re_node_set),
+ sizeof (int)));
+ if (BE (SIZE_MAX / max_object_size < new_nodes_alloc, 0))
return -1;
new_nodes = re_realloc (dfa->nodes, re_token_t, new_nodes_alloc);
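Review bot: The new guard bounds `new_nodes_alloc` against `SIZE_MAX / max_object_size`, but if `new_nodes_alloc` is still produced by doubling an int above the hunk, that signed multiplication can overflow before this comparison runs, and the removed `new_nodes_alloc < dfa->nodes_alloc` test was the only check aimed at the doubling itself. The check has to precede the multiplication: test the operand, e.g. `if (BE (dfa->nodes_alloc > INT_MAX / 2, 0)) return -1;` before computing the doubled value, and keep the new element-size guard after it (assuming `nodes_alloc` is an int; confirm against the declaration). re_dfa_add_node starts before and ends after this hunk.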
Modified: fsf/trunk/libc/posix/regexec.c
==============================================================================
--- fsf/trunk/libc/posix/regexec.c (original)
+++ fsf/trunk/libc/posix/regexec.c Sat Jan 23 00:03:36 2010
@@ -368,16 +368,16 @@
const char *str;
int rval;
int len = length1 + length2;
- int free_str = 0;
-
- if (BE (length1 < 0 || length2 < 0 || stop < 0, 0))
+ char *s = NULL;
+
+ if (BE (length1 < 0 || length2 < 0 || stop < 0 || len < length1, 0))
return -2;
/* Concatenate the strings. */
if (length2 > 0)
if (length1 > 0)
{
- char *s = re_malloc (char, len);
+ s = re_malloc (char, len);
if (BE (s == NULL, 0))
return -2;
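Review bot: The added `len < length1` test detects the overflow only after `int len = length1 + length2;` has already performed it, and signed overflow is undefined behaviour, so a compiler may fold the comparison away; check before adding instead. Keep the declaration as `int len;`, and after the existing `length1 < 0 || length2 < 0 || stop < 0` test (which must come first so the subtraction is well defined) add `if (BE (length2 > INT_MAX - length1, 0)) return -2;` followed by `len = length1 + length2;`. re_search_2_stub continues in the next hunk, where `re_free (s)` handles the `s == NULL` paths correctly.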
@@ -388,17 +388,14 @@
memcpy (s + length1, string2, length2);
#endif
str = s;
- free_str = 1;
}
else
str = string2;
else
str = string1;
- rval = re_search_stub (bufp, str, len, start, range, stop, regs,
- ret_len);
- if (free_str)
- re_free ((char *) str);
+ rval = re_search_stub (bufp, str, len, start, range, stop, regs, ret_len);
+ re_free (s);
return rval;
}
@@ -512,9 +509,14 @@
if (regs_allocated == REGS_UNALLOCATED)
{ /* No. So allocate them with malloc. */
regs->start = re_malloc (regoff_t, need_regs);
+ if (BE (regs->start == NULL, 0))
+ return REGS_UNALLOCATED;
regs->end = re_malloc (regoff_t, need_regs);
- if (BE (regs->start == NULL, 0) || BE (regs->end == NULL, 0))
- return REGS_UNALLOCATED;
+ if (BE (regs->end == NULL, 0))
+ {
+ re_free (regs->start);
+ return REGS_UNALLOCATED;
+ }
regs->num_regs = need_regs;
}
else if (regs_allocated == REGS_REALLOCATE)
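Review bot: After `re_free (regs->start)` on the failure path, `regs->start` still holds the freed address when REGS_UNALLOCATED is returned; the same applies in the REGS_REALLOCATE hunk below, where by the time `re_free (new_start)` runs the original `regs->start` block has already been released by realloc and `regs->start` still points at it. A caller that treats the registers as its own and frees `regs->start` would double free. Clear the pointer alongside the free, `re_free (regs->start); regs->start = NULL;` here and `re_free (new_start); regs->start = NULL;` in the realloc path; in that path `regs->end` also stays allocated while the state is reported as unallocated, which presumably leaks it. re_copy_regs starts before and ends after these hunks.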
@@ -524,9 +526,15 @@
if (BE (need_regs > regs->num_regs, 0))
{
regoff_t *new_start = re_realloc (regs->start, regoff_t, need_regs);
- regoff_t *new_end = re_realloc (regs->end, regoff_t, need_regs);
- if (BE (new_start == NULL, 0) || BE (new_end == NULL, 0))
+ regoff_t *new_end;
+ if (BE (new_start == NULL, 0))
return REGS_UNALLOCATED;
+ new_end = re_realloc (regs->end, regoff_t, need_regs);
+ if (BE (new_end == NULL, 0))
+ {
+ re_free (new_start);
+ return REGS_UNALLOCATED;
+ }
regs->start = new_start;
regs->end = new_end;
regs->num_regs = need_regs;
@@ -694,6 +702,13 @@
multi character collating element. */
if (nmatch > 1 || dfa->has_mb_node)
{
+ /* Avoid overflow. */
+ if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0))
+ {
+ err = REG_ESPACE;
+ goto free_return;
+ }
+
mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1);
if (BE (mctx.state_log == NULL, 0))
{
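Review bot: The guard uses `<=` rather than `<` because the allocation on the next line is `bufs_len + 1` elements, and that is exactly the kind of detail a later cleanup turns into `<`; say so in the comment, e.g. `/* Avoid overflow: state_log holds bufs_len + 1 pointers, hence <=.  */`. The same comment belongs on the identical guard in the prune_impossible_nodes hunk, whose allocation is `match_last + 1`. Both enclosing functions start before and end after their hunks.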
@@ -952,6 +967,11 @@
#endif
match_last = mctx->match_last;
halt_node = mctx->last_node;
+
+ /* Avoid overflow. */
+ if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= match_last, 0))
+ return REG_ESPACE;
+
sifted_states = re_malloc (re_dfastate_t *, match_last + 1);
if (BE (sifted_states == NULL, 0))
{
@@ -3362,6 +3382,13 @@
if (BE (err != REG_NOERROR, 0))
goto out_free;
+ /* Avoid arithmetic overflow in size calculation. */
+ if (BE ((((SIZE_MAX - (sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX)
+ / (3 * sizeof (re_dfastate_t *)))
+ < ndests),
+ 0))
+ goto out_free;
+
if (__libc_use_alloca ((sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX
+ ndests * 3 * sizeof (re_dfastate_t *)))
dest_states = (re_dfastate_t **)
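Review bot: The fixed and per-destination sizes in the new guard are spelled out again in the `__libc_use_alloca` argument two lines later and presumably in the allocation below it, so the guard and the allocation can silently drift apart; compute them once and use the named values in both places, as sketched below. The `goto out_free` here sets no error status, which matches the `err != REG_NOERROR` path just above it. build_trtable starts before and ends after this hunk.
```c
  /* Avoid arithmetic overflow in size calculation.  */
  const size_t fixed = (sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX;
  const size_t per_dest = 3 * sizeof (re_dfastate_t *);
  if (BE ((SIZE_MAX - fixed) / per_dest < ndests, 0))
    goto out_free;

  if (__libc_use_alloca (fixed + ndests * per_dest))
  /* … unchanged: dest_states allocation … */
```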
@@ -4077,6 +4104,10 @@
reg_errcode_t ret;
re_string_t *pstr = &mctx->input;
+ /* Avoid overflow. */
+ if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
+ return REG_ESPACE;
+
/* Double the lengthes of the buffers. */
ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2);
if (BE (ret != REG_NOERROR, 0))
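Review bot: The bound `INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len` mixes the width of `bufs_len` with the element size of a different buffer, and nothing in this hunk explains the connection; the state log is allocated with `bufs_len + 1` pointers (see the re_search_internal hunk), so doubling `bufs_len` here has to keep both `bufs_len * 2` within int and the later `(bufs_len + 1) * sizeof (re_dfastate_t *)` in range. A comment such as `/* bufs_len is doubled below and also sizes state_log (one re_dfastate_t * per position), so bound it by both.  */` would record that. extend_buffers presumably continues past the end of this hunk.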