libiberty: prevent integer overflow.

Take care of very old bug leading to heap-buffer overflow by processing certain file headers via bfd binary. PR: 200888 Obtained from: OpenBSD MFC after: 2 weeks
svn path=/head/; revision=301291
2025-01-27 16:39:08 +00:00 · 2016-06-03 21:37:24 +00:00 · 2016-06-03 21:37:24 +00:00 · e8c66cf087 · 2020-12-20 02:59:44 +00:00
commit e8c66cf087
parent 987c375f87
2 changed files with 11 additions and 4 deletions
--- a/contrib/gcclibs/include/objalloc.h
+++ b/contrib/gcclibs/include/objalloc.h
@ -1,5 +1,5 @@
 /* objalloc.h -- routines to allocate memory for objects
-   Copyright 1997, 2001 Free Software Foundation, Inc.
+   Copyright 1997, 2001-2012 Free Software Foundation, Inc.
   Written by Ian Lance Taylor, Cygnus Solutions.

 This program is free software; you can redistribute it and/or modify it
@ -91,7 +91,7 @@ extern void *_objalloc_alloc (struct objalloc *, unsigned long);
     if (__len == 0)							\
       __len = 1;							\
     __len = (__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);	\
-     (__len <= __o->current_space					\
+     (__len != 0 && __len <= __o->current_space				\
      ? (__o->current_ptr += __len,					\
 	 __o->current_space -= __len,					\
 	 (void *) (__o->current_ptr - __len))				\
--- a/contrib/gcclibs/libiberty/objalloc.c
+++ b/contrib/gcclibs/libiberty/objalloc.c
@ -1,5 +1,5 @@
 /* objalloc.c -- routines to allocate memory for objects
-   Copyright 1997 Free Software Foundation, Inc.
+   Copyright 1997-2012 Free Software Foundation, Inc.
   Written by Ian Lance Taylor, Cygnus Solutions.

 This program is free software; you can redistribute it and/or modify it
@ -112,8 +112,10 @@ objalloc_create (void)
 /* Allocate space from an objalloc structure.  */

 PTR
-_objalloc_alloc (struct objalloc *o, unsigned long len)
+_objalloc_alloc (struct objalloc *o, unsigned long original_len)
 {
+  unsigned long len = original_len;
+
  /* We avoid confusion from zero sized objects by always allocating
     at least 1 byte.  */
  if (len == 0)
@ -121,6 +123,11 @@ _objalloc_alloc (struct objalloc *o, unsigned long len)

  len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);

+  /* CVE-2012-3509: Check for overflow in the alignment operation above
+   * and then malloc argument below. */
+  if (len + CHUNK_HEADER_SIZE < original_len)
+      return NULL;
+
  if (len <= o->current_space)
    {
      o->current_ptr += len;