Replace alloca in __tzfile_read by malloc. Fixes bug 15670

2013-10-20 08:25:25 +02:00 · 2013-10-20 08:25:25 +02:00 · 45c30c61c9
parent 3d7dc513b7
commit 45c30c61c9
3 changed files with 18 additions and 23 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+2013-10-19  Ondřej Bílka  <neleai@seznam.cz>
+
+	[BZ #15670]
+	* time/tzfile.c (__tzfile_read): Replace alloca with malloc.
+
 2013-10-18  Carlos O'Donell  <carlos@redhat.com>

 	* manual/crypt.texi (Cryptographic Functions): Using SunRPC and
--- a/10
+++ b/10
@ -11,11 +11,11 @@ Version 2.19

  156, 431, 832, 13028, 13982, 13985, 14155, 14547, 14699, 14910, 15048,
  15218, 15277, 15308, 15362, 15400, 15427, 15522, 15531, 15532, 15608,
-  15609, 15610, 15632, 15640, 15672, 15680, 15681, 15723, 15734, 15735,
-  15736, 15748, 15749, 15754, 15760, 15764, 15797, 15844, 15847, 15849,
-  15855, 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893,
-  15895, 15897, 15905, 15909, 15919, 15921, 15923, 15939, 15948, 15963,
-  15966, 15988, 16032, 16034, 16036, 16041.
+  15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681, 15723, 15734,
+  15735, 15736, 15748, 15749, 15754, 15760, 15764, 15797, 15844, 15847,
+  15849, 15855, 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892,
+  15893, 15895, 15897, 15905, 15909, 15919, 15921, 15923, 15939, 15948,
+  15963, 15966, 15988, 16032, 16034, 16036, 16041.

 * CVE-2012-4412 The strcoll implementation caches indices and rules for
  large collation sequences to optimize multiple passes.  This cache
--- a/time/tzfile.c
+++ b/time/tzfile.c
@ -114,6 +114,7 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
  int was_using_tzfile = __use_tzfile;
  int trans_width = 4;
  size_t tzspec_len;
+  char *new = NULL;

  if (sizeof (time_t) != 4 && sizeof (time_t) != 8)
    abort ();
@ -145,22 +146,12 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
  if (*file != '/')
    {
      const char *tzdir;
-      unsigned int len, tzdir_len;
-      char *new, *tmp;

      tzdir = getenv ("TZDIR");
      if (tzdir == NULL || *tzdir == '\0')
-	{
-	  tzdir = default_tzdir;
-	  tzdir_len = sizeof (default_tzdir) - 1;
-	}
-      else
-	tzdir_len = strlen (tzdir);
-      len = strlen (file) + 1;
-      new = (char *) __alloca (tzdir_len + 1 + len);
-      tmp = __mempcpy (new, tzdir, tzdir_len);
-      *tmp++ = '/';
-      memcpy (tmp, file, len);
+	tzdir = default_tzdir;
+      if (__asprintf (&new, "%s/%s", tzdir, file) == -1)
+	goto ret_free_transitions;
      file = new;
    }

@ -170,11 +161,7 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
      && stat64 (file, &st) == 0
      && tzfile_ino == st.st_ino && tzfile_dev == st.st_dev
      && tzfile_mtime == st.st_mtime)
-    {
-      /* Nothing to do.  */
-      __use_tzfile = 1;
-      return;
-    }
+    goto done;  /* Nothing to do.  */

  /* Note the file is opened with cancellation in the I/O functions
     disabled and if available FD_CLOEXEC set.  */
@ -527,12 +514,15 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
  __daylight = rule_stdoff != rule_dstoff;
  __timezone = -rule_stdoff;

+ done:
  __use_tzfile = 1;
+  free (new);
  return;

 lose:
  fclose (f);
 ret_free_transitions:
+  free (new);
  free ((void *) transitions);
  transitions = NULL;
 }