From 9b85d69584fdb0d2c607fa820b4515ee38202ab9 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Fri, 6 May 2016 00:11:56 -0700 Subject: gcc: Security fix CVE-2016-2226 Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- meta/recipes-devtools/gcc/gcc-5.3.inc | 1 + .../gcc/gcc-5.3/CVE-2016-2226.patch | 103 +++++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch (limited to 'meta/recipes-devtools') diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc index 11287e4f94..2ba25a1cec 100644 --- a/meta/recipes-devtools/gcc/gcc-5.3.inc +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc @@ -92,6 +92,7 @@ SRC_URI = "\ file://0060-remove-prototypes-cfns.patch \ file://CVE-2016-4488.patch \ file://CVE-2016-4489.patch \ + file://CVE-2016-2226.patch \ " BACKPORTS = "" diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch new file mode 100644 index 0000000000..4decb84cdd --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch @@ -0,0 +1,103 @@ +From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001 +From: bernds +Date: Fri, 8 Apr 2016 12:10:21 +0000 +Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?= + =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + + PR c++/69687 + * cplus-dem.c: Include if available. + (INT_MAX): Define if necessary. + (remember_type, remember_Ktype, register_Btype, string_need): + Abort if we detect cases where we the size of the allocation would + overflow. + + + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4 +Upstream-Status: Backport +CVE: CVE-2016-2226 + +Signed-off-by: Armin Kuster + +--- + libiberty/ChangeLog | 7 +++++++ + libiberty/cplus-dem.c | 15 +++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog +index 8e82a5f..2a34356 100644 +--- a/libiberty/ChangeLog ++++ b/libiberty/ChangeLog +@@ -1,5 +1,12 @@ + 2016-04-08 Marcel Böhme + ++ PR c++/69687 ++ * cplus-dem.c: Include if available. ++ (INT_MAX): Define if necessary. ++ (remember_type, remember_Ktype, register_Btype, string_need): ++ Abort if we detect cases where we the size of the allocation would ++ overflow. ++ + PR c++/70498 + * cplus-dem.c (gnu_special): Handle case where consume_count returns + -1. +diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c +index abba234..7514e57 100644 +--- a/libiberty/cplus-dem.c ++++ b/libiberty/cplus-dem.c +@@ -56,6 +56,13 @@ void * malloc (); + void * realloc (); + #endif + ++#ifdef HAVE_LIMITS_H ++#include ++#endif ++#ifndef INT_MAX ++# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */ ++#endif ++ + #include + #undef CURRENT_DEMANGLING_STYLE + #define CURRENT_DEMANGLING_STYLE work->options +@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len) + } + else + { ++ if (work -> typevec_size > INT_MAX / 2) ++ xmalloc_failed (INT_MAX); + work -> typevec_size *= 2; + work -> typevec + = XRESIZEVEC (char *, work->typevec, work->typevec_size); +@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len) + } + else + { ++ if (work -> ksize > INT_MAX / 2) ++ xmalloc_failed (INT_MAX); + work -> ksize *= 2; + work -> ktypevec + = XRESIZEVEC (char *, work->ktypevec, work->ksize); +@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work) + } + else + { ++ if (work -> bsize > INT_MAX / 2) ++ xmalloc_failed (INT_MAX); + work -> bsize *= 2; + work -> btypevec + = XRESIZEVEC (char *, work->btypevec, work->bsize); +@@ -4771,6 +4784,8 @@ string_need (string *s, int n) + else if (s->e - s->p < n) + { + tem = s->p - s->b; ++ if (n > INT_MAX / 2 - tem) ++ xmalloc_failed (INT_MAX); + n += tem; + n *= 2; + s->b = XRESIZEVEC (char, s->b, n); +-- +2.3.5 + -- cgit 1.2.3-korg