summaryrefslogtreecommitdiff
path: root/patches/source/glibc/glibc-2.11.1.strtod.CVE-2012-3480.diff
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/glibc/glibc-2.11.1.strtod.CVE-2012-3480.diff')
-rw-r--r--patches/source/glibc/glibc-2.11.1.strtod.CVE-2012-3480.diff328
1 files changed, 328 insertions, 0 deletions
diff --git a/patches/source/glibc/glibc-2.11.1.strtod.CVE-2012-3480.diff b/patches/source/glibc/glibc-2.11.1.strtod.CVE-2012-3480.diff
new file mode 100644
index 00000000..45f83b36
--- /dev/null
+++ b/patches/source/glibc/glibc-2.11.1.strtod.CVE-2012-3480.diff
@@ -0,0 +1,328 @@
+--- ./stdlib/strtod_l.c.orig 2009-12-08 14:10:20.000000000 -0600
++++ ./stdlib/strtod_l.c 2012-08-29 15:40:49.975590298 -0500
+@@ -62,6 +62,7 @@
+ #include <math.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <stdint.h>
+
+ /* The gmp headers need some configuration frobs. */
+ #define HAVE_ALLOCA 1
+@@ -74,7 +75,6 @@
+ #include "longlong.h"
+ #include "fpioconst.h"
+
+-#define NDEBUG 1
+ #include <assert.h>
+
+
+@@ -176,19 +176,19 @@
+ /* Return a floating point number of the needed type according to the given
+ multi-precision number after possible rounding. */
+ static FLOAT
+-round_and_return (mp_limb_t *retval, int exponent, int negative,
++round_and_return (mp_limb_t *retval, intmax_t exponent, int negative,
+ mp_limb_t round_limb, mp_size_t round_bit, int more_bits)
+ {
+ if (exponent < MIN_EXP - 1)
+ {
+- mp_size_t shift = MIN_EXP - 1 - exponent;
+-
+- if (shift > MANT_DIG)
++ if (exponent < MIN_EXP - 1 - MANT_DIG)
+ {
+ __set_errno (EDOM);
+ return 0.0;
+ }
+
++ mp_size_t shift = MIN_EXP - 1 - exponent;
++
+ more_bits |= (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0;
+ if (shift == MANT_DIG)
+ /* This is a special case to handle the very seldom case where
+@@ -235,6 +235,9 @@
+ __set_errno (ERANGE);
+ }
+
++ if (exponent > MAX_EXP)
++ goto overflow;
++
+ if ((round_limb & (((mp_limb_t) 1) << round_bit)) != 0
+ && (more_bits || (retval[0] & 1) != 0
+ || (round_limb & ((((mp_limb_t) 1) << round_bit) - 1)) != 0))
+@@ -260,6 +263,7 @@
+ }
+
+ if (exponent > MAX_EXP)
++ overflow:
+ return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL;
+
+ return MPN2FLOAT (retval, exponent, negative);
+@@ -273,7 +277,7 @@
+ factor for the resulting number (see code) multiply by it. */
+ static const STRING_TYPE *
+ str_to_mpn (const STRING_TYPE *str, int digcnt, mp_limb_t *n, mp_size_t *nsize,
+- int *exponent
++ intmax_t *exponent
+ #ifndef USE_WIDE_CHAR
+ , const char *decimal, size_t decimal_len, const char *thousands
+ #endif
+@@ -303,6 +307,7 @@
+ cy += __mpn_add_1 (n, n, *nsize, low);
+ if (cy != 0)
+ {
++ assert (*nsize < MPNSIZE);
+ n[*nsize] = cy;
+ ++(*nsize);
+ }
+@@ -337,7 +342,7 @@
+ }
+ while (--digcnt > 0);
+
+- if (*exponent > 0 && cnt + *exponent <= MAX_DIG_PER_LIMB)
++ if (*exponent > 0 && *exponent <= MAX_DIG_PER_LIMB - cnt)
+ {
+ low *= _tens_in_limb[*exponent];
+ start = _tens_in_limb[cnt + *exponent];
+@@ -357,7 +362,10 @@
+ cy = __mpn_mul_1 (n, n, *nsize, start);
+ cy += __mpn_add_1 (n, n, *nsize, low);
+ if (cy != 0)
+- n[(*nsize)++] = cy;
++ {
++ assert (*nsize < MPNSIZE);
++ n[(*nsize)++] = cy;
++ }
+ }
+
+ return str;
+@@ -415,7 +423,7 @@
+ {
+ int negative; /* The sign of the number. */
+ MPN_VAR (num); /* MP representation of the number. */
+- int exponent; /* Exponent of the number. */
++ intmax_t exponent; /* Exponent of the number. */
+
+ /* Numbers starting `0X' or `0x' have to be processed with base 16. */
+ int base = 10;
+@@ -437,7 +445,7 @@
+ /* Points at the character following the integer and fractional digits. */
+ const STRING_TYPE *expp;
+ /* Total number of digit and number of digits in integer part. */
+- int dig_no, int_no, lead_zero;
++ size_t dig_no, int_no, lead_zero;
+ /* Contains the last character read. */
+ CHAR_TYPE c;
+
+@@ -769,7 +777,7 @@
+ are all or any is really a fractional digit will be decided
+ later. */
+ int_no = dig_no;
+- lead_zero = int_no == 0 ? -1 : 0;
++ lead_zero = int_no == 0 ? (size_t) -1 : 0;
+
+ /* Read the fractional digits. A special case are the 'american
+ style' numbers like `16.' i.e. with decimal point but without
+@@ -791,12 +799,13 @@
+ (base == 16 && ({ CHAR_TYPE lo = TOLOWER (c);
+ lo >= L_('a') && lo <= L_('f'); })))
+ {
+- if (c != L_('0') && lead_zero == -1)
++ if (c != L_('0') && lead_zero == (size_t) -1)
+ lead_zero = dig_no - int_no;
+ ++dig_no;
+ c = *++cp;
+ }
+ }
++ assert (dig_no <= (uintmax_t) INTMAX_MAX);
+
+ /* Remember start of exponent (if any). */
+ expp = cp;
+@@ -819,24 +828,80 @@
+
+ if (c >= L_('0') && c <= L_('9'))
+ {
+- int exp_limit;
++ intmax_t exp_limit;
+
+ /* Get the exponent limit. */
+ if (base == 16)
+- exp_limit = (exp_negative ?
+- -MIN_EXP + MANT_DIG + 4 * int_no :
+- MAX_EXP - 4 * int_no + 4 * lead_zero + 3);
++ {
++ if (exp_negative)
++ {
++ assert (int_no <= (uintmax_t) (INTMAX_MAX
++ + MIN_EXP - MANT_DIG) / 4);
++ exp_limit = -MIN_EXP + MANT_DIG + 4 * (intmax_t) int_no;
++ }
++ else
++ {
++ if (int_no)
++ {
++ assert (lead_zero == 0
++ && int_no <= (uintmax_t) INTMAX_MAX / 4);
++ exp_limit = MAX_EXP - 4 * (intmax_t) int_no + 3;
++ }
++ else if (lead_zero == (size_t) -1)
++ {
++ /* The number is zero and this limit is
++ arbitrary. */
++ exp_limit = MAX_EXP + 3;
++ }
++ else
++ {
++ assert (lead_zero
++ <= (uintmax_t) (INTMAX_MAX - MAX_EXP - 3) / 4);
++ exp_limit = (MAX_EXP
++ + 4 * (intmax_t) lead_zero
++ + 3);
++ }
++ }
++ }
+ else
+- exp_limit = (exp_negative ?
+- -MIN_10_EXP + MANT_DIG + int_no :
+- MAX_10_EXP - int_no + lead_zero + 1);
++ {
++ if (exp_negative)
++ {
++ assert (int_no
++ <= (uintmax_t) (INTMAX_MAX + MIN_10_EXP - MANT_DIG));
++ exp_limit = -MIN_10_EXP + MANT_DIG + (intmax_t) int_no;
++ }
++ else
++ {
++ if (int_no)
++ {
++ assert (lead_zero == 0
++ && int_no <= (uintmax_t) INTMAX_MAX);
++ exp_limit = MAX_10_EXP - (intmax_t) int_no + 1;
++ }
++ else if (lead_zero == (size_t) -1)
++ {
++ /* The number is zero and this limit is
++ arbitrary. */
++ exp_limit = MAX_10_EXP + 1;
++ }
++ else
++ {
++ assert (lead_zero
++ <= (uintmax_t) (INTMAX_MAX - MAX_10_EXP - 1));
++ exp_limit = MAX_10_EXP + (intmax_t) lead_zero + 1;
++ }
++ }
++ }
++
++ if (exp_limit < 0)
++ exp_limit = 0;
+
+ do
+ {
+- exponent *= 10;
+- exponent += c - L_('0');
+-
+- if (__builtin_expect (exponent > exp_limit, 0))
++ if (__builtin_expect ((exponent > exp_limit / 10
++ || (exponent == exp_limit / 10
++ && c - L_('0') > exp_limit % 10)), 0))
+ /* The exponent is too large/small to represent a valid
+ number. */
+ {
+@@ -845,7 +910,7 @@
+ /* We have to take care for special situation: a joker
+ might have written "0.0e100000" which is in fact
+ zero. */
+- if (lead_zero == -1)
++ if (lead_zero == (size_t) -1)
+ result = negative ? -0.0 : 0.0;
+ else
+ {
+@@ -864,6 +929,9 @@
+ /* NOTREACHED */
+ }
+
++ exponent *= 10;
++ exponent += c - L_('0');
++
+ c = *++cp;
+ }
+ while (c >= L_('0') && c <= L_('9'));
+@@ -932,7 +1000,14 @@
+ }
+ #endif
+ startp += lead_zero + decimal_len;
+- exponent -= base == 16 ? 4 * lead_zero : lead_zero;
++ assert (lead_zero <= (base == 16
++ ? (uintmax_t) INTMAX_MAX / 4
++ : (uintmax_t) INTMAX_MAX));
++ assert (lead_zero <= (base == 16
++ ? ((uintmax_t) exponent
++ - (uintmax_t) INTMAX_MIN) / 4
++ : ((uintmax_t) exponent - (uintmax_t) INTMAX_MIN)));
++ exponent -= base == 16 ? 4 * (intmax_t) lead_zero : (intmax_t) lead_zero;
+ dig_no -= lead_zero;
+ }
+
+@@ -974,7 +1049,10 @@
+ }
+
+ /* Adjust the exponent for the bits we are shifting in. */
+- exponent += bits - 1 + (int_no - 1) * 4;
++ assert (int_no <= (uintmax_t) (exponent < 0
++ ? (INTMAX_MAX - bits + 1) / 4
++ : (INTMAX_MAX - exponent - bits + 1) / 4));
++ exponent += bits - 1 + ((intmax_t) int_no - 1) * 4;
+
+ while (--dig_no > 0 && idx >= 0)
+ {
+@@ -1014,13 +1092,15 @@
+ really integer digits or belong to the fractional part; i.e. we normalize
+ 123e-2 to 1.23. */
+ {
+- register int incr = (exponent < 0 ? MAX (-int_no, exponent)
+- : MIN (dig_no - int_no, exponent));
++ register intmax_t incr = (exponent < 0
++ ? MAX (-(intmax_t) int_no, exponent)
++ : MIN ((intmax_t) dig_no - (intmax_t) int_no,
++ exponent));
+ int_no += incr;
+ exponent -= incr;
+ }
+
+- if (__builtin_expect (int_no + exponent > MAX_10_EXP + 1, 0))
++ if (__builtin_expect (exponent > MAX_10_EXP + 1 - (intmax_t) int_no, 0))
+ {
+ __set_errno (ERANGE);
+ return negative ? -FLOAT_HUGE_VAL : FLOAT_HUGE_VAL;
+@@ -1205,7 +1285,7 @@
+ digits we should have enough bits for the result. The remaining
+ decimal digits give us the information that more bits are following.
+ This can be used while rounding. (Two added as a safety margin.) */
+- if (dig_no - int_no > (MANT_DIG - bits + 2) / 3 + 2)
++ if ((intmax_t) dig_no > (intmax_t) int_no + (MANT_DIG - bits + 2) / 3 + 2)
+ {
+ dig_no = int_no + (MANT_DIG - bits + 2) / 3 + 2;
+ more_bits = 1;
+@@ -1213,7 +1293,7 @@
+ else
+ more_bits = 0;
+
+- neg_exp = dig_no - int_no - exponent;
++ neg_exp = (intmax_t) dig_no - (intmax_t) int_no - exponent;
+
+ /* Construct the denominator. */
+ densize = 0;
+--- ./stdlib/Makefile.orig 2009-12-08 14:10:20.000000000 -0600
++++ ./stdlib/Makefile 2012-08-29 15:42:34.210585861 -0500
+@@ -70,7 +70,8 @@
+ test-a64l tst-qsort tst-system testmb2 bug-strtod2 \
+ tst-atof1 tst-atof2 tst-strtod2 tst-strtod3 tst-rand48-2 \
+ tst-makecontext tst-strtod4 tst-strtod5 tst-qsort2 \
+- tst-makecontext2 tst-strtod6 tst-unsetenv1
++ tst-makecontext2 tst-strtod6 tst-unsetenv1 \
++ tst-strtod-overflow
+
+ include ../Makeconfig
+
generated by cgit v1.2.3 (git 2.26.2) at 2024-11-14 18:10:50 +0000