diff options
Diffstat (limited to 'source/l/glibc/glibc.CVE-2013-4332.diff')
| -rw-r--r-- | source/l/glibc/glibc.CVE-2013-4332.diff | 64 |
1 files changed, 0 insertions, 64 deletions
diff --git a/source/l/glibc/glibc.CVE-2013-4332.diff b/source/l/glibc/glibc.CVE-2013-4332.diff deleted file mode 100644 index 9f7f5886..00000000 --- a/source/l/glibc/glibc.CVE-2013-4332.diff +++ /dev/null @@ -1,64 +0,0 @@ -From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001 -From: mancha <mancha1@hush.com> -Date: Wed, 11 Sep 2013 -Subject: CVE-2013-4332 - -malloc: Check for integer overflow in pvalloc, valloc, and memalign. - -A large bytes parameter to pvalloc, valloc, or memalign could cause -an integer overflow and corrupt allocator internals. Check the -overflow does not occur before continuing with the allocation. - -Note: This is a backport to glibc 2.17 of the following three commits: - * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a - * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef - * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d ---- - -malloc.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - ---- a/malloc/malloc.c -+++ b/malloc/malloc.c -@@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t - /* Otherwise, ensure that it is at least a minimum chunk size */ - if (alignment < MINSIZE) alignment = MINSIZE; - -+ /* Check for overflow. */ -+ if (bytes > SIZE_MAX - alignment - MINSIZE) -+ { -+ __set_errno (ENOMEM); -+ return 0; -+ } -+ - arena_get(ar_ptr, bytes + alignment + MINSIZE); - if(!ar_ptr) - return 0; -@@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes) - - size_t pagesz = GLRO(dl_pagesize); - -+ /* Check for overflow. */ -+ if (bytes > SIZE_MAX - pagesz - MINSIZE) -+ { -+ __set_errno (ENOMEM); -+ return 0; -+ } -+ - __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, - const __malloc_ptr_t)) = - force_reg (__memalign_hook); -@@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes) - size_t page_mask = GLRO(dl_pagesize) - 1; - size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); - -+ /* Check for overflow. */ -+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) -+ { -+ __set_errno (ENOMEM); -+ return 0; -+ } -+ - __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, - const __malloc_ptr_t)) = - force_reg (__memalign_hook); |