From 97ac2654b2d831acaa18a2b018b0736245903fd2 Mon Sep 17 00:00:00 2001
From: Ulrich Drepper <drepper@gmail.com>
Date: Sat, 17 Dec 2011 20:18:42 -0500
Subject: [PATCH] Check values from TZ file header
Bug: http://sourceware.org/bugzilla/show_bug.cgi?id=13506
[Ubuntu note: includes typo fix referred to by Allen McRae in
http://sourceware.org/bugzilla/show_bug.cgi?id=13506 as well as dropped
changes to the NEWS and Changelog file to reduce patch conflicts.]
time/tzfile.c | 53 ++++++++++++++++++++++++++++++++++++++++++++---------
3 files changed, 50 insertions(+), 10 deletions(-)
diff --git a/time/tzfile.c b/time/tzfile.c
18
index 144e20b..402389c 100644
28
#include <timezone/tzfile.h>
29
@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
33
+ if (__builtin_expect (num_transitions
34
+ > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
35
+ / (sizeof (time_t) + 1)), 0))
37
total_size = num_transitions * (sizeof (time_t) + 1);
38
total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
39
& ~(__alignof__ (struct ttinfo) - 1));
40
types_idx = total_size;
41
- total_size += num_types * sizeof (struct ttinfo) + chars;
42
+ if (__builtin_expect (num_types
43
+ > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
45
+ total_size += num_types * sizeof (struct ttinfo);
46
+ if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
48
+ total_size += chars;
49
+ if (__builtin_expect (__alignof__ (struct leap) - 1
50
+ > SIZE_MAX - total_size, 0))
52
total_size = ((total_size + __alignof__ (struct leap) - 1)
53
& ~(__alignof__ (struct leap) - 1));
54
leaps_idx = total_size;
55
+ if (__builtin_expect (num_leaps
56
+ > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
58
total_size += num_leaps * sizeof (struct leap);
59
- tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
60
- ? st.st_size - (ftello (f)
61
- + num_transitions * (8 + 1)
66
- + num_isgmt) - 1 : 0);
68
+ if (sizeof (time_t) == 8 && trans_width == 8)
70
+ off_t rem = st.st_size - ftello (f);
71
+ if (__builtin_expect (rem < 0
72
+ || (size_t) rem < (num_transitions * (8 + 1)
76
+ tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
79
+ if (__builtin_expect (num_leaps > SIZE_MAX / 12
80
+ || tzspec_len < num_leaps * 12, 0))
82
+ tzspec_len -= num_leaps * 12;
83
+ if (__builtin_expect (tzspec_len < num_isstd, 0))
85
+ tzspec_len -= num_isstd;
86
+ if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))
88
+ tzspec_len -= num_isgmt + 1;
89
+ if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
92
+ if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
95
/* Allocate enough memory including the extra block requested by the