From fc7c0251e53b4ce8d564ca54598c207623f17ecd Mon Sep 17 00:00:00 2001 From: danfe Date: Tue, 12 Dec 2017 12:59:04 +0000 Subject: [PATCH] MFC r301291: libiberty: prevent integer overflow. Take care of very old bug leading to heap-buffer overflow by processing certain file headers via bfd binary. PR: 200888 Obtained from: OpenBSD Approved by: pfg git-svn-id: svn://svn.freebsd.org/base/stable/8@326795 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- contrib/gcclibs/include/objalloc.h | 4 ++-- contrib/gcclibs/libiberty/objalloc.c | 11 +++++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/contrib/gcclibs/include/objalloc.h b/contrib/gcclibs/include/objalloc.h index 36772d17b..e3cc7bbcb 100644 --- a/contrib/gcclibs/include/objalloc.h +++ b/contrib/gcclibs/include/objalloc.h @@ -1,5 +1,5 @@ /* objalloc.h -- routines to allocate memory for objects - Copyright 1997, 2001 Free Software Foundation, Inc. + Copyright 1997, 2001-2012 Free Software Foundation, Inc. Written by Ian Lance Taylor, Cygnus Solutions. This program is free software; you can redistribute it and/or modify it @@ -91,7 +91,7 @@ extern void *_objalloc_alloc (struct objalloc *, unsigned long); if (__len == 0) \ __len = 1; \ __len = (__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1); \ - (__len <= __o->current_space \ + (__len != 0 && __len <= __o->current_space \ ? (__o->current_ptr += __len, \ __o->current_space -= __len, \ (void *) (__o->current_ptr - __len)) \ diff --git a/contrib/gcclibs/libiberty/objalloc.c b/contrib/gcclibs/libiberty/objalloc.c index 3ddac2ce4..394b3af05 100644 --- a/contrib/gcclibs/libiberty/objalloc.c +++ b/contrib/gcclibs/libiberty/objalloc.c @@ -1,5 +1,5 @@ /* objalloc.c -- routines to allocate memory for objects - Copyright 1997 Free Software Foundation, Inc. + Copyright 1997-2012 Free Software Foundation, Inc. Written by Ian Lance Taylor, Cygnus Solutions. This program is free software; you can redistribute it and/or modify it @@ -112,8 +112,10 @@ objalloc_create (void) /* Allocate space from an objalloc structure. */ PTR -_objalloc_alloc (struct objalloc *o, unsigned long len) +_objalloc_alloc (struct objalloc *o, unsigned long original_len) { + unsigned long len = original_len; + /* We avoid confusion from zero sized objects by always allocating at least 1 byte. */ if (len == 0) @@ -121,6 +123,11 @@ _objalloc_alloc (struct objalloc *o, unsigned long len) len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1); + /* CVE-2012-3509: Check for overflow in the alignment operation above + * and then malloc argument below. */ + if (len + CHUNK_HEADER_SIZE < original_len) + return NULL; + if (len <= o->current_space) { o->current_ptr += len; -- 2.42.0