gcc: Security fix CVE-2016-2226

(From OE-Core rev: 3152fc813db81398bd225323f7de3d59034ed879) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-05-05 15:14:46 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-05-17 20:53:36 +0100
commit: 5b97ffa9808e8bb1b16680f44a98b521d4f25a6c (patch)
tree: 3d4958fdd004b32c3a5ae9e6070d41bfb5d007de /meta/recipes-devtools
parent: 93f29f536e3b105c9ba4cec540887190a3bfd04f (diff)
download: poky-5b97ffa9808e8bb1b16680f44a98b521d4f25a6c.tar.gz
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index 421bb0c82e..bf33d12343 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -91,6 +91,7 @@ SRC_URI = "\
           file://0059-libgcc-use-ldflags.patch \
           file://CVE-2016-4488.patch \
           file://CVE-2016-4489.patch \
+           file://CVE-2016-2226.patch \
 "
 BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
new file mode 100644
index 0000000000..4decb84cdd
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
@@ -0,0 +1,103 @@
+From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
+From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 8 Apr 2016 12:10:21 +0000
+Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
+ =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+        PR c++/69687
+        * cplus-dem.c: Include <limits.h> if available.
+        (INT_MAX): Define if necessary.
+        (remember_type, remember_Ktype, register_Btype, string_need):
+        Abort if we detect cases where we the size of the allocation would
+        overflow.
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
+Upstream-Status: Backport
+CVE: CVE-2016-2226
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libiberty/ChangeLog   |  7 +++++++
+ libiberty/cplus-dem.c | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+)
+diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
+index 8e82a5f..2a34356 100644
+--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
+@@ -1,5 +1,12 @@
+ 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
+ 
+       PR c++/69687
+       * cplus-dem.c: Include <limits.h> if available.
+       (INT_MAX): Define if necessary.
+       (remember_type, remember_Ktype, register_Btype, string_need):
+       Abort if we detect cases where we the size of the allocation would
+       overflow.
+
+        PR c++/70498
+        * cplus-dem.c (gnu_special): Handle case where consume_count returns
+        -1.
+diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
+index abba234..7514e57 100644
+--- a/libiberty/cplus-dem.c
+++ b/libiberty/cplus-dem.c
+@@ -56,6 +56,13 @@ void * malloc ();
+ void * realloc ();
+ #endif
+ 
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+#ifndef INT_MAX
+# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */ 
+#endif
+
+ #include <demangle.h>
+ #undef CURRENT_DEMANGLING_STYLE
+ #define CURRENT_DEMANGLING_STYLE work->options
+@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
+        }
+       else
+        {
+          if (work -> typevec_size > INT_MAX / 2)
+           xmalloc_failed (INT_MAX);
+          work -> typevec_size *= 2;
+          work -> typevec
+            = XRESIZEVEC (char *, work->typevec, work->typevec_size);
+@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
+        }
+       else
+        {
+          if (work -> ksize > INT_MAX / 2)
+           xmalloc_failed (INT_MAX);
+          work -> ksize *= 2;
+          work -> ktypevec
+            = XRESIZEVEC (char *, work->ktypevec, work->ksize);
+@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
+        }
+       else
+        {
+          if (work -> bsize > INT_MAX / 2)
+           xmalloc_failed (INT_MAX);
+          work -> bsize *= 2;
+          work -> btypevec
+            = XRESIZEVEC (char *, work->btypevec, work->bsize);
+@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
+   else if (s->e - s->p < n)
+     {
+       tem = s->p - s->b;
+      if (n > INT_MAX / 2 - tem)
+        xmalloc_failed (INT_MAX); 
+       n += tem;
+       n *= 2;
+       s->b = XRESIZEVEC (char, s->b, n);
+-- 
+2.3.5
author	Armin Kuster <akuster@mvista.com>	2016-05-05 15:14:46 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-05-17 20:53:36 +0100
commit	5b97ffa9808e8bb1b16680f44a98b521d4f25a6c (patch)
tree	3d4958fdd004b32c3a5ae9e6070d41bfb5d007de /meta/recipes-devtools
parent	93f29f536e3b105c9ba4cec540887190a3bfd04f (diff)
download	poky-5b97ffa9808e8bb1b16680f44a98b521d4f25a6c.tar.gz

diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc index 421bb0c82e..bf33d12343 100644 --- a/meta/recipes-devtools/gcc/gcc-5.3.inc +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -91,6 +91,7 @@ SRC_URI = "\
91	file://0059-libgcc-use-ldflags.patch \	91	file://0059-libgcc-use-ldflags.patch \
92	file://CVE-2016-4488.patch \	92	file://CVE-2016-4488.patch \
93	file://CVE-2016-4489.patch \	93	file://CVE-2016-4489.patch \
		94	file://CVE-2016-2226.patch \
94	"	95	"
95		96
96	BACKPORTS = ""	97	BACKPORTS = ""


diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch new file mode 100644 index 0000000000..4decb84cdd --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
@@ -0,0 +1,103 @@
		1	From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
		2	From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
		3	Date: Fri, 8 Apr 2016 12:10:21 +0000
		4	Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
		5	=?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	PR c++/69687
		11	* cplus-dem.c: Include <limits.h> if available.
		12	(INT_MAX): Define if necessary.
		13	(remember_type, remember_Ktype, register_Btype, string_need):
		14	Abort if we detect cases where we the size of the allocation would
		15	overflow.
		16
		17
		18
		19	git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
		20	Upstream-Status: Backport
		21	CVE: CVE-2016-2226
		22
		23	Signed-off-by: Armin Kuster <akuster@mvista.com>
		24
		25	---
		26	libiberty/ChangeLog \| 7 +++++++
		27	libiberty/cplus-dem.c \| 15 +++++++++++++++
		28	2 files changed, 22 insertions(+)
		29
		30	diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
		31	index 8e82a5f..2a34356 100644
		32	--- a/libiberty/ChangeLog
		33	+++ b/libiberty/ChangeLog
		34	@@ -1,5 +1,12 @@
		35	2016-04-08 Marcel Böhme <boehme.marcel@gmail.com>
		36
		37	+ PR c++/69687
		38	+ * cplus-dem.c: Include <limits.h> if available.
		39	+ (INT_MAX): Define if necessary.
		40	+ (remember_type, remember_Ktype, register_Btype, string_need):
		41	+ Abort if we detect cases where we the size of the allocation would
		42	+ overflow.
		43	+
		44	PR c++/70498
		45	* cplus-dem.c (gnu_special): Handle case where consume_count returns
		46	-1.
		47	diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
		48	index abba234..7514e57 100644
		49	--- a/libiberty/cplus-dem.c
		50	+++ b/libiberty/cplus-dem.c
		51	@@ -56,6 +56,13 @@ void * malloc ();
		52	void * realloc ();
		53	#endif
		54
		55	+#ifdef HAVE_LIMITS_H
		56	+#include <limits.h>
		57	+#endif
		58	+#ifndef INT_MAX
		59	+# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */
		60	+#endif
		61	+
		62	#include <demangle.h>
		63	#undef CURRENT_DEMANGLING_STYLE
		64	#define CURRENT_DEMANGLING_STYLE work->options
		65	@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff work, const char start, int len)
		66	}
		67	else
		68	{
		69	+ if (work -> typevec_size > INT_MAX / 2)
		70	+ xmalloc_failed (INT_MAX);
		71	work -> typevec_size *= 2;
		72	work -> typevec
		73	= XRESIZEVEC (char *, work->typevec, work->typevec_size);
		74	@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff work, const char start, int len)
		75	}
		76	else
		77	{
		78	+ if (work -> ksize > INT_MAX / 2)
		79	+ xmalloc_failed (INT_MAX);
		80	work -> ksize *= 2;
		81	work -> ktypevec
		82	= XRESIZEVEC (char *, work->ktypevec, work->ksize);
		83	@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
		84	}
		85	else
		86	{
		87	+ if (work -> bsize > INT_MAX / 2)
		88	+ xmalloc_failed (INT_MAX);
		89	work -> bsize *= 2;
		90	work -> btypevec
		91	= XRESIZEVEC (char *, work->btypevec, work->bsize);
		92	@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
		93	else if (s->e - s->p < n)
		94	{
		95	tem = s->p - s->b;
		96	+ if (n > INT_MAX / 2 - tem)
		97	+ xmalloc_failed (INT_MAX);
		98	n += tem;
		99	n *= 2;
		100	s->b = XRESIZEVEC (char, s->b, n);
		101	--
		102	2.3.5
		103