101f62ad33
CVE-2012-4412, CVE-2012-4424, CVE-2013-4237, CVE-2013-4332, CVE-2013-4458, CVE-2013-4788.
57 lines
1.6 KiB
Diff
57 lines
1.6 KiB
Diff
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch?h=packages/glibc
|
|
|
|
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
index dd295f5..7f43ba3 100644
|
|
--- a/malloc/malloc.c
|
|
+++ b/malloc/malloc.c
|
|
@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
|
|
size_t page_mask = GLRO(dl_pagesize) - 1;
|
|
size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
|
|
|
|
+ /* Check for overflow. */
|
|
+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
|
|
+ {
|
|
+ __set_errno (ENOMEM);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
void *(*hook) (size_t, size_t, const void *) =
|
|
force_reg (__memalign_hook);
|
|
if (__builtin_expect (hook != NULL, 0))
|
|
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
index 7f43ba3..3148c5f 100644
|
|
--- a/malloc/malloc.c
|
|
+++ b/malloc/malloc.c
|
|
@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
|
|
|
|
size_t pagesz = GLRO(dl_pagesize);
|
|
|
|
+ /* Check for overflow. */
|
|
+ if (bytes > SIZE_MAX - pagesz - MINSIZE)
|
|
+ {
|
|
+ __set_errno (ENOMEM);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
void *(*hook) (size_t, size_t, const void *) =
|
|
force_reg (__memalign_hook);
|
|
if (__builtin_expect (hook != NULL, 0))
|
|
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
index 3148c5f..f7718a9 100644
|
|
--- a/malloc/malloc.c
|
|
+++ b/malloc/malloc.c
|
|
@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
|
|
/* Otherwise, ensure that it is at least a minimum chunk size */
|
|
if (alignment < MINSIZE) alignment = MINSIZE;
|
|
|
|
+ /* Check for overflow. */
|
|
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
|
|
+ {
|
|
+ __set_errno (ENOMEM);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
arena_get(ar_ptr, bytes + alignment + MINSIZE);
|
|
if(!ar_ptr)
|
|
return 0;
|