diff options
Diffstat (limited to '')
-rw-r--r-- | patches/source/glibc/glibc-2.17_CVE-2014-6040.diff | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/patches/source/glibc/glibc-2.17_CVE-2014-6040.diff b/patches/source/glibc/glibc-2.17_CVE-2014-6040.diff new file mode 100644 index 000000000..07a310372 --- /dev/null +++ b/patches/source/glibc/glibc-2.17_CVE-2014-6040.diff @@ -0,0 +1,153 @@ +From 3ca00de1ccc97fae843330fe3335289ac6aab703 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1 AT zoho DOT com> +Date: Tue, 21 Oct 2014 +Subject: CVE-2014-6040 + +A flaw in the validation of input sequences in the character sets +IBM933, IBM935, IBM937, IBM939, IBM1364 can lead to OOB array +access and application DoS. + +This fix for use on glibc 2.17 is based on the following upstream +commit: + +https://sourceware.org/git/?p=glibc.git;h=41488498b6d9 + +--- + iconvdata/Makefile | 1 + + iconvdata/ibm1364.c | 3 ++- + iconvdata/ibm932.c | 5 +++-- + iconvdata/ibm933.c | 2 +- + iconvdata/ibm935.c | 2 +- + iconvdata/ibm937.c | 2 +- + iconvdata/ibm939.c | 2 +- + iconvdata/ibm943.c | 5 +++-- + iconvdata/run-iconv-test.sh | 18 ++++++++++++++++++ + 9 files changed, 31 insertions(+), 9 deletions(-) + +--- a/iconvdata/Makefile ++++ b/iconvdata/Makefile +@@ -299,6 +299,7 @@ $(objpfx)tst-iconv7.out: $(objpfx)gconv-modules \ + $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \ + $(addprefix $(objpfx),$(modules.so)) \ + $(common-objdir)/iconv/iconv_prog TESTS ++ iconv_modules="$(modules)" \ + $(SHELL) $< $(common-objdir) '$(test-wrapper)' > $@ + + $(objpfx)tst-tables.out: tst-tables.sh $(objpfx)gconv-modules \ +--- a/iconvdata/ibm1364.c ++++ b/iconvdata/ibm1364.c +@@ -220,7 +220,8 @@ enum + ++rp2; \ + \ + uint32_t res; \ +- if (__builtin_expect (ch < rp2->start, 0) \ ++ if (__builtin_expect (rp2->start == 0xffff, 0) \ ++ || __builtin_expect (ch < rp2->start, 0) \ + || (res = DB_TO_UCS4[ch + rp2->idx], \ + __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ + { \ +--- a/iconvdata/ibm932.c ++++ b/iconvdata/ibm932.c +@@ -73,11 +73,12 @@ + } \ + \ + ch = (ch * 0x100) + inptr[1]; \ ++ /* ch was less than 0xfd. */ \ ++ assert (ch < 0xfd00); \ + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ +- || __builtin_expect (ch < rp2->start, 0) \ ++ if (__builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm932db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, '\1') == 0 && ch !=0)) \ + { \ +--- a/iconvdata/ibm933.c ++++ b/iconvdata/ibm933.c +@@ -161,7 +161,7 @@ enum + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ ++ if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm933db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ +--- a/iconvdata/ibm935.c ++++ b/iconvdata/ibm935.c +@@ -161,7 +161,7 @@ enum + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ ++ if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm935db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ +--- a/iconvdata/ibm937.c ++++ b/iconvdata/ibm937.c +@@ -161,7 +161,7 @@ enum + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ ++ if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm937db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ +--- a/iconvdata/ibm939.c ++++ b/iconvdata/ibm939.c +@@ -161,7 +161,7 @@ enum + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ ++ if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm939db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ +--- a/iconvdata/ibm943.c ++++ b/iconvdata/ibm943.c +@@ -74,11 +74,12 @@ + } \ + \ + ch = (ch * 0x100) + inptr[1]; \ ++ /* ch was less than 0xfd. */ \ ++ assert (ch < 0xfd00); \ + while (ch > rp2->end) \ + ++rp2; \ + \ +- if (__builtin_expect (rp2 == NULL, 0) \ +- || __builtin_expect (ch < rp2->start, 0) \ ++ if (__builtin_expect (ch < rp2->start, 0) \ + || (res = __ibm943db_to_ucs4[ch + rp2->idx], \ + __builtin_expect (res, '\1') == 0 && ch !=0)) \ + { \ +--- a/iconvdata/run-iconv-test.sh ++++ b/iconvdata/run-iconv-test.sh +@@ -188,6 +188,24 @@ while read utf8 from filename; do + + done < TESTS2 + ++# Check for crashes in decoders. ++printf '\016\377\377\377\377\377\377\377' > $temp1 ++for from in $iconv_modules ; do ++ echo $ac_n "test decoder $from $ac_c" ++ PROG=`eval echo $ICONV` ++ if $PROG < $temp1 >/dev/null 2>&1 ; then ++ : # fall through ++ else ++ status=$? ++ if test $status -gt 1 ; then ++ echo "/FAILED" ++ failed=1 ++ continue ++ fi ++ fi ++ echo "OK" ++done ++ + exit $failed + # Local Variables: + # mode:shell-script |