Diffstat (limited to 'patches/source/glibc/glibc-2.17_CVE-2014-6040.diff')
-rw-r--r--patches/source/glibc/glibc-2.17_CVE-2014-6040.diff153
1 files changed, 153 insertions, 0 deletions
diff --git a/patches/source/glibc/glibc-2.17_CVE-2014-6040.diff b/patches/source/glibc/glibc-2.17_CVE-2014-6040.diff
new file mode 100644
index 00000000..07a31037
--- /dev/null
+++ b/patches/source/glibc/glibc-2.17_CVE-2014-6040.diff
@@ -0,0 +1,153 @@
+From 3ca00de1ccc97fae843330fe3335289ac6aab703 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Tue, 21 Oct 2014
+Subject: CVE-2014-6040
+
+A flaw in the validation of input sequences in the character sets
+IBM933, IBM935, IBM937, IBM939, IBM1364 can lead to OOB array
+access and application DoS.
+
+This fix for use on glibc 2.17 is based on the following upstream
+commit:
+
+https://sourceware.org/git/?p=glibc.git;h=41488498b6d9
+
+---
+ iconvdata/Makefile | 1 +
+ iconvdata/ibm1364.c | 3 ++-
+ iconvdata/ibm932.c | 5 +++--
+ iconvdata/ibm933.c | 2 +-
+ iconvdata/ibm935.c | 2 +-
+ iconvdata/ibm937.c | 2 +-
+ iconvdata/ibm939.c | 2 +-
+ iconvdata/ibm943.c | 5 +++--
+ iconvdata/run-iconv-test.sh | 18 ++++++++++++++++++
+ 9 files changed, 31 insertions(+), 9 deletions(-)
+
+--- a/iconvdata/Makefile
++++ b/iconvdata/Makefile
+@@ -299,6 +299,7 @@ $(objpfx)tst-iconv7.out: $(objpfx)gconv-modules \
+ $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \
+ $(addprefix $(objpfx),$(modules.so)) \
+ $(common-objdir)/iconv/iconv_prog TESTS
++ iconv_modules="$(modules)" \
+ $(SHELL) $< $(common-objdir) '$(test-wrapper)' > $@
+
+ $(objpfx)tst-tables.out: tst-tables.sh $(objpfx)gconv-modules \
+--- a/iconvdata/ibm1364.c
++++ b/iconvdata/ibm1364.c
+@@ -220,7 +220,8 @@ enum
+ ++rp2; \
+ \
+ uint32_t res; \
+- if (__builtin_expect (ch < rp2->start, 0) \
++ if (__builtin_expect (rp2->start == 0xffff, 0) \
++ || __builtin_expect (ch < rp2->start, 0) \
+ || (res = DB_TO_UCS4[ch + rp2->idx], \
+ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
+ { \
+--- a/iconvdata/ibm932.c
++++ b/iconvdata/ibm932.c
+@@ -73,11 +73,12 @@
+ } \
+ \
+ ch = (ch * 0x100) + inptr[1]; \
++ /* ch was less than 0xfd. */ \
++ assert (ch < 0xfd00); \
+ while (ch > rp2->end) \
+ ++rp2; \
+ \
+- if (__builtin_expect (rp2 == NULL, 0) \
+- || __builtin_expect (ch < rp2->start, 0) \
++ if (__builtin_expect (ch < rp2->start, 0) \
+ || (res = __ibm932db_to_ucs4[ch + rp2->idx], \
+ __builtin_expect (res, '\1') == 0 && ch !=0)) \
+ { \
+--- a/iconvdata/ibm933.c
++++ b/iconvdata/ibm933.c
+@@ -161,7 +161,7 @@ enum
+ while (ch > rp2->end) \
+ ++rp2; \
+ \
+- if (__builtin_expect (rp2 == NULL, 0) \
++ if (__builtin_expect (rp2->start == 0xffff, 0) \
+ || __builtin_expect (ch < rp2->start, 0) \
+ || (res = __ibm933db_to_ucs4[ch + rp2->idx], \
+ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
+--- a/iconvdata/ibm935.c
++++ b/iconvdata/ibm935.c
+@@ -161,7 +161,7 @@ enum
+ while (ch > rp2->end) \
+ ++rp2; \
+ \
+- if (__builtin_expect (rp2 == NULL, 0) \
++ if (__builtin_expect (rp2->start == 0xffff, 0) \
+ || __builtin_expect (ch < rp2->start, 0) \
+ || (res = __ibm935db_to_ucs4[ch + rp2->idx], \
+ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
+--- a/iconvdata/ibm937.c
++++ b/iconvdata/ibm937.c
+@@ -161,7 +161,7 @@ enum
+ while (ch > rp2->end) \
+ ++rp2; \
+ \
+- if (__builtin_expect (rp2 == NULL, 0) \
++ if (__builtin_expect (rp2->start == 0xffff, 0) \
+ || __builtin_expect (ch < rp2->start, 0) \
+ || (res = __ibm937db_to_ucs4[ch + rp2->idx], \
+ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
+--- a/iconvdata/ibm939.c
++++ b/iconvdata/ibm939.c
+@@ -161,7 +161,7 @@ enum
+ while (ch > rp2->end) \
+ ++rp2; \
+ \
+- if (__builtin_expect (rp2 == NULL, 0) \
++ if (__builtin_expect (rp2->start == 0xffff, 0) \
+ || __builtin_expect (ch < rp2->start, 0) \
+ || (res = __ibm939db_to_ucs4[ch + rp2->idx], \
+ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
+--- a/iconvdata/ibm943.c
++++ b/iconvdata/ibm943.c
+@@ -74,11 +74,12 @@
+ } \
+ \
+ ch = (ch * 0x100) + inptr[1]; \
++ /* ch was less than 0xfd. */ \
++ assert (ch < 0xfd00); \
+ while (ch > rp2->end) \
+ ++rp2; \
+ \
+- if (__builtin_expect (rp2 == NULL, 0) \
+- || __builtin_expect (ch < rp2->start, 0) \
++ if (__builtin_expect (ch < rp2->start, 0) \
+ || (res = __ibm943db_to_ucs4[ch + rp2->idx], \
+ __builtin_expect (res, '\1') == 0 && ch !=0)) \
+ { \
+--- a/iconvdata/run-iconv-test.sh
++++ b/iconvdata/run-iconv-test.sh
+@@ -188,6 +188,24 @@ while read utf8 from filename; do
+
+ done < TESTS2
+
++# Check for crashes in decoders.
++printf '\016\377\377\377\377\377\377\377' > $temp1
++for from in $iconv_modules ; do
++ echo $ac_n "test decoder $from $ac_c"
++ PROG=`eval echo $ICONV`
++ if $PROG < $temp1 >/dev/null 2>&1 ; then
++ : # fall through
++ else
++ status=$?
++ if test $status -gt 1 ; then
++ echo "/FAILED"
++ failed=1
++ continue
++ fi
++ fi
++ echo "OK"
++done
++
+ exit $failed
+ # Local Variables:
+ # mode:shell-script
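Review bot: In the ibm932.c and ibm943.c sections of the added patch, `assert (ch < 0xfd00);` is the only statement left explaining why `while (ch > rp2->end) ++rp2;` terminates, and an assert is compiled out when NDEBUG is defined, so the bound really rests on a lead-byte check that lies outside the visible context. The comment `/* ch was less than 0xfd. */` is misleading at that point because ch already holds the combined two-byte value; I would word it as `/* The lead byte was checked to be below 0xfd above, so ch < 0xfd00 and the walk stops inside the index table. */`, assuming that earlier check exists as the comment implies. The macro bodies start and end outside these hunks, so the table end marker that the `rp2->start == 0xffff` test in ibm933/935/937/939/1364 relies on cannot be confirmed from this page.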