summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-05-06 00:11:56 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-05-17 14:43:30 +0100
commita1928c81e6f6d81e4b50c1d295758b20a2778a61 (patch)
tree8405a11bab9030c2282b6b9c973a55a9bddbd7ea /meta
parent23f00321e97abebbfe1298691487f5bb0dbcf2b4 (diff)
downloadpoky-a1928c81e6f6d81e4b50c1d295758b20a2778a61.tar.gz
gcc: Security fix CVE-2016-2226
(From OE-Core rev: 9b85d69584fdb0d2c607fa820b4515ee38202ab9) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/gcc/gcc-5.3.inc1
-rw-r--r--meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch103
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index 11287e4f94..2ba25a1cec 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -92,6 +92,7 @@ SRC_URI = "\
92 file://0060-remove-prototypes-cfns.patch \ 92 file://0060-remove-prototypes-cfns.patch \
93 file://CVE-2016-4488.patch \ 93 file://CVE-2016-4488.patch \
94 file://CVE-2016-4489.patch \ 94 file://CVE-2016-4489.patch \
95 file://CVE-2016-2226.patch \
95" 96"
96 97
97BACKPORTS = "" 98BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
new file mode 100644
index 0000000000..4decb84cdd
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
@@ -0,0 +1,103 @@
1From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
2From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
3Date: Fri, 8 Apr 2016 12:10:21 +0000
4Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
5 =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10 PR c++/69687
11 * cplus-dem.c: Include <limits.h> if available.
12 (INT_MAX): Define if necessary.
13 (remember_type, remember_Ktype, register_Btype, string_need):
14 Abort if we detect cases where we the size of the allocation would
15 overflow.
16
17
18
19git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
20Upstream-Status: Backport
21CVE: CVE-2016-2226
22
23Signed-off-by: Armin Kuster <akuster@mvista.com>
24
25---
26 libiberty/ChangeLog | 7 +++++++
27 libiberty/cplus-dem.c | 15 +++++++++++++++
28 2 files changed, 22 insertions(+)
29
30diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
31index 8e82a5f..2a34356 100644
32--- a/libiberty/ChangeLog
33+++ b/libiberty/ChangeLog
34@@ -1,5 +1,12 @@
35 2016-04-08 Marcel Böhme <boehme.marcel@gmail.com>
36
37+ PR c++/69687
38+ * cplus-dem.c: Include <limits.h> if available.
39+ (INT_MAX): Define if necessary.
40+ (remember_type, remember_Ktype, register_Btype, string_need):
41+ Abort if we detect cases where we the size of the allocation would
42+ overflow.
43+
44 PR c++/70498
45 * cplus-dem.c (gnu_special): Handle case where consume_count returns
46 -1.
47diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
48index abba234..7514e57 100644
49--- a/libiberty/cplus-dem.c
50+++ b/libiberty/cplus-dem.c
51@@ -56,6 +56,13 @@ void * malloc ();
52 void * realloc ();
53 #endif
54
55+#ifdef HAVE_LIMITS_H
56+#include <limits.h>
57+#endif
58+#ifndef INT_MAX
59+# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */
60+#endif
61+
62 #include <demangle.h>
63 #undef CURRENT_DEMANGLING_STYLE
64 #define CURRENT_DEMANGLING_STYLE work->options
65@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
66 }
67 else
68 {
69+ if (work -> typevec_size > INT_MAX / 2)
70+ xmalloc_failed (INT_MAX);
71 work -> typevec_size *= 2;
72 work -> typevec
73 = XRESIZEVEC (char *, work->typevec, work->typevec_size);
74@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
75 }
76 else
77 {
78+ if (work -> ksize > INT_MAX / 2)
79+ xmalloc_failed (INT_MAX);
80 work -> ksize *= 2;
81 work -> ktypevec
82 = XRESIZEVEC (char *, work->ktypevec, work->ksize);
83@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
84 }
85 else
86 {
87+ if (work -> bsize > INT_MAX / 2)
88+ xmalloc_failed (INT_MAX);
89 work -> bsize *= 2;
90 work -> btypevec
91 = XRESIZEVEC (char *, work->btypevec, work->bsize);
92@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
93 else if (s->e - s->p < n)
94 {
95 tem = s->p - s->b;
96+ if (n > INT_MAX / 2 - tem)
97+ xmalloc_failed (INT_MAX);
98 n += tem;
99 n *= 2;
100 s->b = XRESIZEVEC (char, s->b, n);
101--
1022.3.5
103