|
 |
b40826 |
commit 97ac2654b2d831acaa18a2b018b0736245903fd2
|
|
|
b40826 |
Author: Ulrich Drepper <drepper@gmail.com>
|
|
|
b40826 |
Date: Sat Dec 17 20:18:42 2011 -0500
|
|
|
b40826 |
|
|
|
b40826 |
Check values from TZ file header
|
|
|
b40826 |
|
|
|
b40826 |
|
|
|
b40826 |
[BZ #13506]
|
|
|
b40826 |
* time/tzfile.c (__tzfile_read): Check values from file header.
|
|
|
b40826 |
|
|
|
b40826 |
diff -ru a/time/tzfile.c b/time/tzfile.c
|
|
|
b40826 |
--- a/time/tzfile.c 2010-05-04 11:27:23.000000000 +0000
|
|
|
b40826 |
+++ b/time/tzfile.c 2011-12-19 06:39:49.875358578 +0000
|
|
|
b40826 |
@@ -19,6 +19,7 @@
|
|
|
b40826 |
|
|
|
b40826 |
#include <assert.h>
|
|
|
b40826 |
#include <limits.h>
|
|
|
b40826 |
+#include <stdint.h>
|
|
|
b40826 |
#include <stdio.h>
|
|
|
b40826 |
#include <stdio_ext.h>
|
|
|
b40826 |
#include <stdlib.h>
|
|
|
b40826 |
@@ -234,23 +235,58 @@
|
|
|
b40826 |
goto read_again;
|
|
|
b40826 |
}
|
|
|
b40826 |
|
|
|
b40826 |
+ if (__builtin_expect (num_transitions
|
|
|
b40826 |
+ > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
|
|
|
b40826 |
+ / (sizeof (time_t) + 1)), 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
total_size = num_transitions * (sizeof (time_t) + 1);
|
|
|
b40826 |
total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
|
|
|
b40826 |
& ~(__alignof__ (struct ttinfo) - 1));
|
|
|
b40826 |
types_idx = total_size;
|
|
|
b40826 |
- total_size += num_types * sizeof (struct ttinfo) + chars;
|
|
|
b40826 |
+ if (__builtin_expect (num_types
|
|
|
b40826 |
+ > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
+ total_size += num_types * sizeof (struct ttinfo);
|
|
|
b40826 |
+ if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
+ total_size += chars;
|
|
|
b40826 |
+ if (__builtin_expect (__alignof__ (struct leap) - 1
|
|
|
b40826 |
+ > SIZE_MAX - total_size, 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
total_size = ((total_size + __alignof__ (struct leap) - 1)
|
|
|
b40826 |
& ~(__alignof__ (struct leap) - 1));
|
|
|
b40826 |
leaps_idx = total_size;
|
|
|
b40826 |
+ if (__builtin_expect (num_leaps
|
|
|
b40826 |
+ > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
total_size += num_leaps * sizeof (struct leap);
|
|
|
b40826 |
- tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
|
|
|
b40826 |
- ? st.st_size - (ftello (f)
|
|
|
b40826 |
- + num_transitions * (8 + 1)
|
|
|
b40826 |
- + num_types * 6
|
|
|
b40826 |
- + chars
|
|
|
b40826 |
- + num_leaps * 12
|
|
|
b40826 |
- + num_isstd
|
|
|
b40826 |
- + num_isgmt) - 1 : 0);
|
|
|
b40826 |
+ tzspec_len = 0;
|
|
|
b40826 |
+ if (sizeof (time_t) == 8 && trans_width == 8)
|
|
|
b40826 |
+ {
|
|
|
b40826 |
+ off_t rem = st.st_size - ftello (f);
|
|
|
b40826 |
+ if (__builtin_expect (rem < 0
|
|
|
b40826 |
+ || (size_t) rem < (num_transitions * (8 + 1)
|
|
|
b40826 |
+ + num_types * 6
|
|
|
b40826 |
+ + chars), 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
+ tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
|
|
|
b40826 |
+ + num_types * 6
|
|
|
b40826 |
+ + chars);
|
|
|
b40826 |
+ if (__builtin_expect (num_leaps > SIZE_MAX / 12
|
|
|
b40826 |
+ || tzspec_len < num_leaps * 12, 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
+ tzspec_len -= num_leaps * 12;
|
|
|
b40826 |
+ if (__builtin_expect (tzspec_len < num_isstd, 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
+ tzspec_len -= num_isstd;
|
|
|
b40826 |
+ if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
+ tzspec_len -= num_isgmt + 1;
|
|
|
b40826 |
+ if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
+ }
|
|
|
b40826 |
+ if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
|
|
|
b40826 |
+ goto lose;
|
|
|
b40826 |
|
|
|
b40826 |
/* Allocate enough memory including the extra block requested by the
|
|
|
b40826 |
caller. */
|