[gnome-continuous-yocto/gnomeostree-3.28-rocko: 342/8267] gcc: Security fix CVE-2016-2226

From: Emmanuele Bassi <ebassi src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-continuous-yocto/gnomeostree-3.28-rocko: 342/8267] gcc: Security fix CVE-2016-2226
Date: Sat, 16 Dec 2017 20:17:33 +0000 (UTC)
commit a1928c81e6f6d81e4b50c1d295758b20a2778a61
Author: Armin Kuster <akuster mvista com>
Date:   Fri May 6 00:11:56 2016 -0700

    gcc: Security fix CVE-2016-2226
    
    (From OE-Core rev: 9b85d69584fdb0d2c607fa820b4515ee38202ab9)
    
    Signed-off-by: Armin Kuster <akuster mvista com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 meta/recipes-devtools/gcc/gcc-5.3.inc              |    1 +
 .../gcc/gcc-5.3/CVE-2016-2226.patch                |  103 ++++++++++++++++++++
 2 files changed, 104 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index 11287e4..2ba25a1 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -92,6 +92,7 @@ SRC_URI = "\
            file://0060-remove-prototypes-cfns.patch \
            file://CVE-2016-4488.patch \
            file://CVE-2016-4489.patch \
+           file://CVE-2016-2226.patch \
 "
 
 BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch 
b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
new file mode 100644
index 0000000..4decb84
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
@@ -0,0 +1,103 @@
+From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
+From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 8 Apr 2016 12:10:21 +0000
+Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
+ =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+       PR c++/69687
+       * cplus-dem.c: Include <limits.h> if available.
+       (INT_MAX): Define if necessary.
+       (remember_type, remember_Ktype, register_Btype, string_need):
+       Abort if we detect cases where we the size of the allocation would
+       overflow.
+
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
+Upstream-Status: Backport
+CVE: CVE-2016-2226
+
+Signed-off-by: Armin Kuster <akuster mvista com>
+
+---
+ libiberty/ChangeLog   |  7 +++++++
+ libiberty/cplus-dem.c | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
+index 8e82a5f..2a34356 100644
+--- a/libiberty/ChangeLog
++++ b/libiberty/ChangeLog
+@@ -1,5 +1,12 @@
+ 2016-04-08  Marcel Böhme  <boehme marcel gmail com>
+ 
++      PR c++/69687
++      * cplus-dem.c: Include <limits.h> if available.
++      (INT_MAX): Define if necessary.
++      (remember_type, remember_Ktype, register_Btype, string_need):
++      Abort if we detect cases where we the size of the allocation would
++      overflow.
++
+       PR c++/70498
+       * cplus-dem.c (gnu_special): Handle case where consume_count returns
+       -1.
+diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
+index abba234..7514e57 100644
+--- a/libiberty/cplus-dem.c
++++ b/libiberty/cplus-dem.c
+@@ -56,6 +56,13 @@ void * malloc ();
+ void * realloc ();
+ #endif
+ 
++#ifdef HAVE_LIMITS_H
++#include <limits.h>
++#endif
++#ifndef INT_MAX
++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */ 
++#endif
++
+ #include <demangle.h>
+ #undef CURRENT_DEMANGLING_STYLE
+ #define CURRENT_DEMANGLING_STYLE work->options
+@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
+       }
+       else
+       {
++          if (work -> typevec_size > INT_MAX / 2)
++          xmalloc_failed (INT_MAX);
+         work -> typevec_size *= 2;
+         work -> typevec
+           = XRESIZEVEC (char *, work->typevec, work->typevec_size);
+@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
+       }
+       else
+       {
++          if (work -> ksize > INT_MAX / 2)
++          xmalloc_failed (INT_MAX);
+         work -> ksize *= 2;
+         work -> ktypevec
+           = XRESIZEVEC (char *, work->ktypevec, work->ksize);
+@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
+       }
+       else
+       {
++          if (work -> bsize > INT_MAX / 2)
++          xmalloc_failed (INT_MAX);
+         work -> bsize *= 2;
+         work -> btypevec
+           = XRESIZEVEC (char *, work->btypevec, work->bsize);
+@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
+   else if (s->e - s->p < n)
+     {
+       tem = s->p - s->b;
++      if (n > INT_MAX / 2 - tem)
++        xmalloc_failed (INT_MAX); 
+       n += tem;
+       n *= 2;
+       s->b = XRESIZEVEC (char, s->b, n);
+-- 
+2.3.5
+
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]