diff options
| author |   Patrick J Volkerding <volkerdi@slackware.com> | 2012-09-26 01:10:42 +0000 |
|---|---|---|
| committer |   Eric Hameleers <alien@slackware.com> | 2018-05-31 22:51:55 +0200 |
| commit | 9664bee729d487bcc0a0bc35859f8e13d5421c75 (patch) | |
| tree | b428a16618e36ed864a8d76ea3435e19a452bf90 /source/l/glibc/glibc.strtod.CVE-2012-3480.diff | |
| parent | 75a4a592e5ccda30715f93563d741b83e0dcf39e (diff) | |
| download | current-9664bee729d487bcc0a0bc35859f8e13d5421c75.tar.gz current-9664bee729d487bcc0a0bc35859f8e13d5421c75.tar.xz | |
Slackware 14.0slackware-14.0
Wed Sep 26 01:10:42 UTC 2012
Slackware 14.0 x86_64 stable is released!
We're perfectionists here at Slackware, so this release has been a long
time a-brewing. But we think you'll agree that it was worth the wait.
Slackware 14.0 combines modern components, ease of use, and flexible
configuration... our "KISS" philosophy demands it.
The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a
dual-sided
32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware
project by picking up a copy from store.slackware.com. We're taking
pre-orders now, and offer a discount if you sign up for a subscription.
Thanks to everyone who helped make this happen. The Slackware team, the
upstream developers, and (of course) the awesome Slackware user
community.
Have fun! :-)
Diffstat (limited to 'source/l/glibc/glibc.strtod.CVE-2012-3480.diff')
| -rw-r--r-- | source/l/glibc/glibc.strtod.CVE-2012-3480.diff | 407 |
1 files changed, 407 insertions, 0 deletions
diff --git a/source/l/glibc/glibc.strtod.CVE-2012-3480.diff b/source/l/glibc/glibc.strtod.CVE-2012-3480.diff new file mode 100644 index 000000000..7a7bdeb7d --- /dev/null +++ b/source/l/glibc/glibc.strtod.CVE-2012-3480.diff @@ -0,0 +1,407 @@ +From 8a780f7f68a1cd4c575bb17973a9e18826b05ef9 Mon Sep 17 00:00:00 2001 +From: Joseph Myers <joseph@codesourcery.com> +Date: Mon, 27 Aug 2012 15:59:24 +0000 +Subject: [PATCH 1/1] Fix strtod integer/buffer overflow (bug 14459). + (cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4) + +Conflicts: + + ChangeLog + NEWS + stdlib/Makefile +--- + ChangeLog | 17 +++++ + NEWS | 2 +- + stdlib/Makefile | 2 +- + stdlib/strtod_l.c | 142 ++++++++++++++++++++++++++++++++--------- + stdlib/tst-strtod-overflow.c | 48 ++++++++++++++ + 5 files changed, 178 insertions(+), 33 deletions(-) + create mode 100644 stdlib/tst-strtod-overflow.c + +diff --git a/stdlib/Makefile b/stdlib/Makefile +index 04c6ac5..b55f573 100644 +--- a/stdlib/Makefile ++++ b/stdlib/Makefile +@@ -71,7 +71,7 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ + tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \ + tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2 \ + tst-makecontext2 tst-strtod6 tst-unsetenv1 \ +- tst-makecontext3 bug-getcontext ++ tst-makecontext3 bug-getcontext tst-strtod-overflow + + include ../Makeconfig + +diff --git a/stdlib/strtod_l.c b/stdlib/strtod_l.c +index f24d4de..0deaebf 100644 +--- a/stdlib/strtod_l.c ++++ b/stdlib/strtod_l.c +@@ -62,6 +62,7 @@ extern unsigned long long int ____strtoull_l_internal (const char *, char **, + #include <math.h> + #include <stdlib.h> + #include <string.h> ++#include <stdint.h> + + /* The gmp headers need some configuration frobs. */ + #define HAVE_ALLOCA 1 +@@ -74,7 +75,6 @@ extern unsigned long long int ____strtoull_l_internal (const char *, char **, + #include "longlong.h" + #include "fpioconst.h" + +-#define NDEBUG 1 + #include <assert.h> + + +@@ -176,19 +176,19 @@ extern const mp_limb_t _tens_in_limb[MAX_DIG_PER_LIMB + 1]; + /* Return a floating point number of the needed type according to the given + multi-precision number after possible rounding. */ + static FLOAT +-round_and_return (mp_limb_t *retval, int exponent, int negative, ++round_and_return (mp_limb_t *retval, intmax_t exponent, int negative, + mp_limb_t round_limb, mp_size_t round_bit, int more_bits) + { + if (exponent < MIN_EXP - 1) + { +- mp_size_t shift = MIN_EXP - 1 - exponent; +- +- if (shift > MANT_DIG) ++ if (exponent < MIN_EXP - 1 - MANT_DIG) + { + __set_errno (ERANGE); + return 0.0; + } + ++ mp_size_t shift = MIN_EXP - 1 - exponent; ++ + more_bits |= (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0; + if (shift == MANT_DIG) + /* This is a special case to handle the very seldom case where +@@ -235,6 +235,9 @@ round_and_return (mp_limb_t *retval, int exponent, int negative, + __set_errno (ERANGE); + } + ++ if (exponent > MAX_EXP) ++ goto overflow; ++ + if ((round_limb & (((mp_limb_t) 1) << round_bit)) != 0 + && (more_bits || (retval[0] & 1) != 0 + || (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0)) +@@ -260,6 +263,7 @@ round_and_return (mp_limb_t *retval, int exponent, int negative, + } + + if (exponent > MAX_EXP) ++ overflow: + return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL; + + return MPN2FLOAT (retval, exponent, negative); +@@ -273,7 +277,7 @@ round_and_return (mp_limb_t *retval, int exponent, int negative, + factor for the resulting number (see code) multiply by it. */ + static const STRING_TYPE * + str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize, +- int *exponent ++ intmax_t *exponent + #ifndef USE_WIDE_CHAR + , const char *decimal, size_t decimal_len, const char *thousands + #endif +@@ -303,6 +307,7 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize, + cy += __mpn_add_1 (n, n, *nsize, low); + if (cy != 0) + { ++ assert (*nsize < MPNSIZE); + n[*nsize] = cy; + ++(*nsize); + } +@@ -337,7 +342,7 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize, + } + while (--digcnt > 0); + +- if (*exponent > 0 && cnt + *exponent <= MAX_DIG_PER_LIMB) ++ if (*exponent > 0 && *exponent <= MAX_DIG_PER_LIMB - cnt) + { + low *= _tens_in_limb[*exponent]; + start = _tens_in_limb[cnt + *exponent]; +@@ -357,7 +362,10 @@ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize, + cy = __mpn_mul_1 (n, n, *nsize, start); + cy += __mpn_add_1 (n, n, *nsize, low); + if (cy != 0) +- n[(*nsize)++] = cy; ++ { ++ assert (*nsize < MPNSIZE); ++ n[(*nsize)++] = cy; ++ } + } + + return str; +@@ -415,7 +423,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + { + int negative; /* The sign of the number. */ + MPN_VAR (num); /* MP representation of the number. */ +- int exponent; /* Exponent of the number. */ ++ intmax_t exponent; /* Exponent of the number. */ + + /* Numbers starting `0X' or `0x' have to be processed with base 16. */ + int base = 10; +@@ -437,7 +445,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + /* Points at the character following the integer and fractional digits. */ + const STRING_TYPE *expp; + /* Total number of digit and number of digits in integer part. */ +- int dig_no, int_no, lead_zero; ++ size_t dig_no, int_no, lead_zero; + /* Contains the last character read. */ + CHAR_TYPE c; + +@@ -769,7 +777,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + are all or any is really a fractional digit will be decided + later. */ + int_no = dig_no; +- lead_zero = int_no == 0 ? -1 : 0; ++ lead_zero = int_no == 0 ? (size_t) -1 : 0; + + /* Read the fractional digits. A special case are the 'american + style' numbers like `16.' i.e. with decimal point but without +@@ -791,12 +799,13 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + (base == 16 && ({ CHAR_TYPE lo = TOLOWER (c); + lo >= L_('a') && lo <= L_('f'); }))) + { +- if (c != L_('0') && lead_zero == -1) ++ if (c != L_('0') && lead_zero == (size_t) -1) + lead_zero = dig_no - int_no; + ++dig_no; + c = *++cp; + } + } ++ assert (dig_no <= (uintmax_t) INTMAX_MAX); + + /* Remember start of exponent (if any). */ + expp = cp; +@@ -819,24 +828,80 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + + if (c >= L_('0') && c <= L_('9')) + { +- int exp_limit; ++ intmax_t exp_limit; + + /* Get the exponent limit. */ + if (base == 16) +- exp_limit = (exp_negative ? +- -MIN_EXP + MANT_DIG + 4 * int_no : +- MAX_EXP - 4 * int_no + 4 * lead_zero + 3); ++ { ++ if (exp_negative) ++ { ++ assert (int_no <= (uintmax_t) (INTMAX_MAX ++ + MIN_EXP - MANT_DIG) / 4); ++ exp_limit = -MIN_EXP + MANT_DIG + 4 * (intmax_t) int_no; ++ } ++ else ++ { ++ if (int_no) ++ { ++ assert (lead_zero == 0 ++ && int_no <= (uintmax_t) INTMAX_MAX / 4); ++ exp_limit = MAX_EXP - 4 * (intmax_t) int_no + 3; ++ } ++ else if (lead_zero == (size_t) -1) ++ { ++ /* The number is zero and this limit is ++ arbitrary. */ ++ exp_limit = MAX_EXP + 3; ++ } ++ else ++ { ++ assert (lead_zero ++ <= (uintmax_t) (INTMAX_MAX - MAX_EXP - 3) / 4); ++ exp_limit = (MAX_EXP ++ + 4 * (intmax_t) lead_zero ++ + 3); ++ } ++ } ++ } + else +- exp_limit = (exp_negative ? +- -MIN_10_EXP + MANT_DIG + int_no : +- MAX_10_EXP - int_no + lead_zero + 1); ++ { ++ if (exp_negative) ++ { ++ assert (int_no ++ <= (uintmax_t) (INTMAX_MAX + MIN_10_EXP - MANT_DIG)); ++ exp_limit = -MIN_10_EXP + MANT_DIG + (intmax_t) int_no; ++ } ++ else ++ { ++ if (int_no) ++ { ++ assert (lead_zero == 0 ++ && int_no <= (uintmax_t) INTMAX_MAX); ++ exp_limit = MAX_10_EXP - (intmax_t) int_no + 1; ++ } ++ else if (lead_zero == (size_t) -1) ++ { ++ /* The number is zero and this limit is ++ arbitrary. */ ++ exp_limit = MAX_10_EXP + 1; ++ } ++ else ++ { ++ assert (lead_zero ++ <= (uintmax_t) (INTMAX_MAX - MAX_10_EXP - 1)); ++ exp_limit = MAX_10_EXP + (intmax_t) lead_zero + 1; ++ } ++ } ++ } ++ ++ if (exp_limit < 0) ++ exp_limit = 0; + + do + { +- exponent *= 10; +- exponent += c - L_('0'); +- +- if (__builtin_expect (exponent > exp_limit, 0)) ++ if (__builtin_expect ((exponent > exp_limit / 10 ++ || (exponent == exp_limit / 10 ++ && c - L_('0') > exp_limit % 10)), 0)) + /* The exponent is too large/small to represent a valid + number. */ + { +@@ -845,7 +910,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + /* We have to take care for special situation: a joker + might have written "0.0e100000" which is in fact + zero. */ +- if (lead_zero == -1) ++ if (lead_zero == (size_t) -1) + result = negative ? -0.0 : 0.0; + else + { +@@ -864,6 +929,9 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + /* NOTREACHED */ + } + ++ exponent *= 10; ++ exponent += c - L_('0'); ++ + c = *++cp; + } + while (c >= L_('0') && c <= L_('9')); +@@ -932,7 +1000,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + } + #endif + startp += lead_zero + decimal_len; +- exponent -= base == 16 ? 4 * lead_zero : lead_zero; ++ assert (lead_zero <= (base == 16 ++ ? (uintmax_t) INTMAX_MAX / 4 ++ : (uintmax_t) INTMAX_MAX)); ++ assert (lead_zero <= (base == 16 ++ ? ((uintmax_t) exponent ++ - (uintmax_t) INTMAX_MIN) / 4 ++ : ((uintmax_t) exponent - (uintmax_t) INTMAX_MIN))); ++ exponent -= base == 16 ? 4 * (intmax_t) lead_zero : (intmax_t) lead_zero; + dig_no -= lead_zero; + } + +@@ -974,7 +1049,10 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + } + + /* Adjust the exponent for the bits we are shifting in. */ +- exponent += bits - 1 + (int_no - 1) * 4; ++ assert (int_no <= (uintmax_t) (exponent < 0 ++ ? (INTMAX_MAX - bits + 1) / 4 ++ : (INTMAX_MAX - exponent - bits + 1) / 4)); ++ exponent += bits - 1 + ((intmax_t) int_no - 1) * 4; + + while (--dig_no > 0 && idx >= 0) + { +@@ -1014,13 +1092,15 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + really integer digits or belong to the fractional part; i.e. we normalize + 123e-2 to 1.23. */ + { +- register int incr = (exponent < 0 ? MAX (-int_no, exponent) +- : MIN (dig_no - int_no, exponent)); ++ register intmax_t incr = (exponent < 0 ++ ? MAX (-(intmax_t) int_no, exponent) ++ : MIN ((intmax_t) dig_no - (intmax_t) int_no, ++ exponent)); + int_no += incr; + exponent -= incr; + } + +- if (__builtin_expect (int_no + exponent > MAX_10_EXP + 1, 0)) ++ if (__builtin_expect (exponent > MAX_10_EXP + 1 - (intmax_t) int_no, 0)) + { + __set_errno (ERANGE); + return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL; +@@ -1205,7 +1285,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + digits we should have enough bits for the result. The remaining + decimal digits give us the information that more bits are following. + This can be used while rounding. (Two added as a safety margin.) */ +- if (dig_no - int_no > (MANT_DIG - bits + 2) / 3 + 2) ++ if ((intmax_t) dig_no > (intmax_t) int_no + (MANT_DIG - bits + 2) / 3 + 2) + { + dig_no = int_no + (MANT_DIG - bits + 2) / 3 + 2; + more_bits = 1; +@@ -1213,7 +1293,7 @@ ____STRTOF_INTERNAL (nptr, endptr, group, loc) + else + more_bits = 0; + +- neg_exp = dig_no - int_no - exponent; ++ neg_exp = (intmax_t) dig_no - (intmax_t) int_no - exponent; + + /* Construct the denominator. */ + densize = 0; +diff --git a/stdlib/tst-strtod-overflow.c b/stdlib/tst-strtod-overflow.c +new file mode 100644 +index 0000000..668d55b +--- /dev/null ++++ b/stdlib/tst-strtod-overflow.c +@@ -0,0 +1,48 @@ ++/* Test for integer/buffer overflow in strtod. ++ Copyright (C) 2012 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++ ++#define EXPONENT "e-2147483649" ++#define SIZE 214748364 ++ ++static int ++do_test (void) ++{ ++ char *p = malloc (1 + SIZE + sizeof (EXPONENT)); ++ if (p == NULL) ++ { ++ puts ("malloc failed, cannot test for overflow"); ++ return 0; ++ } ++ p[0] = '1'; ++ memset (p + 1, '0', SIZE); ++ memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT)); ++ double d = strtod (p, NULL); ++ if (d != 0) ++ { ++ printf ("strtod returned wrong value: %a\n", d); ++ return 1; ++ } ++ return 0; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +-- +1.7.3.4 |