From patchwork Sat Jul 11 15:44:10 2015
X-Patchwork-Submitter: Ondřej Bílka
X-Patchwork-Id: 494021
Date: Sat, 11 Jul 2015 17:44:10 +0200
From: Ondřej Bílka
To: libc-alpha@sourceware.org
Subject: [PATCH][BZ #18240] Handle overflow in __hcreate_r
Message-ID: <20150711154410.GA10704@domone>

Hi,

As in the bugzilla entry, there is an overflow in hsearch when looking for a prime number, as SIZE_MAX - 1 is divisible by 5. We fix that by rejecting large inputs before looking for a prime.

	* misc/hsearch_r.c (__hcreate_r): Handle overflow.

diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c index 9f55e84..559df29 100644 --- a/misc/hsearch_r.c +++ b/misc/hsearch_r.c @@ -19,7 +19,7 @@ #include #include #include - +#include #include /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986 @@ -73,6 +73,13 @@ __hcreate_r (nel, htab) return 0; } + if (nel >= SIZE_MAX / sizeof (_ENTRY)) + { + __set_errno (ENOMEM); + return 0; + } + + /* There is still another table active. Return with error. */ if (htab->table != NULL) return 0;
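
Review bot: in the first hunk (@@ -19,7 +19,7 @@) the added `+#include` takes the place of the blank line that separated the first three includes from the one that follows, so the two include groups now run together. Keep the blank line and append the new include to the end of the first group instead. The header name is not legible in this copy of the patch, so the include itself cannot be checked against the SIZE_MAX use in the second hunk.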
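
Review bot: in the second hunk (@@ -73,6 +73,13 @@ __hcreate_r) the new test `if (nel >= SIZE_MAX / sizeof (_ENTRY))` carries no comment, and it bounds nel as passed in, while the commit message places the overflow in the prime search that runs afterwards and can only raise nel. Add a comment above the test stating why this limit leaves enough headroom for that search, so the bound can be reviewed without rereading the bugzilla entry. The hunk also adds two consecutive blank lines after the closing brace where one is enough, and the patch touches only misc/hsearch_r.c, so there is no regression test for BZ #18240.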