diff options
Diffstat (limited to 'meta/recipes-devtools/gcc/gcc-5.2')
-rw-r--r-- | meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-2226.patch | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-2226.patch new file mode 100644 index 0000000000..42fc09aca1 --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-5.2/CVE-2016-2226.patch @@ -0,0 +1,103 @@ +From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001 +From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4> +Date: Fri, 8 Apr 2016 12:10:21 +0000 +Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?= + =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + + PR c++/69687 + * cplus-dem.c: Include <limits.h> if available. + (INT_MAX): Define if necessary. + (remember_type, remember_Ktype, register_Btype, string_need): + Abort if we detect cases where we the size of the allocation would + overflow. + + + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4 + +Upstream-Status: Backport + +CVE: CVE-2016-2226 +Signed-off-by: Armin Kuster <akuster@mvista.com> +--- + libiberty/ChangeLog | 7 +++++++ + libiberty/cplus-dem.c | 15 +++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog +index 8e82a5f..2a34356 100644 +--- a/libiberty/ChangeLog ++++ b/libiberty/ChangeLog +@@ -1,5 +1,12 @@ + 2016-04-08 Marcel Böhme <boehme.marcel@gmail.com> + ++ PR c++/69687 ++ * cplus-dem.c: Include <limits.h> if available. ++ (INT_MAX): Define if necessary. ++ (remember_type, remember_Ktype, register_Btype, string_need): ++ Abort if we detect cases where we the size of the allocation would ++ overflow. ++ + PR c++/70498 + * cplus-dem.c (gnu_special): Handle case where consume_count returns + -1. +diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c +index abba234..7514e57 100644 +--- a/libiberty/cplus-dem.c ++++ b/libiberty/cplus-dem.c +@@ -56,6 +56,13 @@ void * malloc (); + void * realloc (); + #endif + ++#ifdef HAVE_LIMITS_H ++#include <limits.h> ++#endif ++#ifndef INT_MAX ++# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */ ++#endif ++ + #include <demangle.h> + #undef CURRENT_DEMANGLING_STYLE + #define CURRENT_DEMANGLING_STYLE work->options +@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len) + } + else + { ++ if (work -> typevec_size > INT_MAX / 2) ++ xmalloc_failed (INT_MAX); + work -> typevec_size *= 2; + work -> typevec + = XRESIZEVEC (char *, work->typevec, work->typevec_size); +@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len) + } + else + { ++ if (work -> ksize > INT_MAX / 2) ++ xmalloc_failed (INT_MAX); + work -> ksize *= 2; + work -> ktypevec + = XRESIZEVEC (char *, work->ktypevec, work->ksize); +@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work) + } + else + { ++ if (work -> bsize > INT_MAX / 2) ++ xmalloc_failed (INT_MAX); + work -> bsize *= 2; + work -> btypevec + = XRESIZEVEC (char *, work->btypevec, work->bsize); +@@ -4771,6 +4784,8 @@ string_need (string *s, int n) + else if (s->e - s->p < n) + { + tem = s->p - s->b; ++ if (n > INT_MAX / 2 - tem) ++ xmalloc_failed (INT_MAX); + n += tem; + n *= 2; + s->b = XRESIZEVEC (char, s->b, n); +-- +2.3.5 + |