kumquat-buildroot/package/glibc/2.18-svnr23787/0003-CVE-2014-6040.patch

Backport from https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=41488498b6
See https://bugzilla.redhat.com/show_bug.cgi?id=1135841

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

diff -Nura eglibc-2.19.orig/libc/iconvdata/ibm1364.c eglibc-2.19/libc/iconvdata/ibm1364.c
--- eglibc-2.19.orig/libc/iconvdata/ibm1364.c	2015-01-08 16:05:53.918823240 -0300
+++ eglibc-2.19/libc/iconvdata/ibm1364.c	2015-01-08 16:06:02.781555143 -0300
@@ -220,7 +220,8 @@
 	  ++rp2;							      \
 									      \
 	uint32_t res;							      \
-	if (__builtin_expect (ch < rp2->start, 0)			      \
+	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
+	    || __builtin_expect (ch < rp2->start, 0)			      \
 	    || (res = DB_TO_UCS4[ch + rp2->idx],			      \
 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
 	  {								      \
diff -Nura eglibc-2.19.orig/libc/iconvdata/ibm932.c eglibc-2.19/libc/iconvdata/ibm932.c
--- eglibc-2.19.orig/libc/iconvdata/ibm932.c	2015-01-08 16:05:53.910818967 -0300
+++ eglibc-2.19/libc/iconvdata/ibm932.c	2015-01-08 16:06:02.781555143 -0300
@@ -73,11 +73,12 @@
 	  }								      \
 									      \
 	ch = (ch * 0x100) + inptr[1];					      \
+	/* ch was less than 0xfd.  */					      \
+	assert (ch < 0xfd00);						      \
 	while (ch > rp2->end)						      \
 	  ++rp2;							      \
 									      \
-	if (__builtin_expect (rp2 == NULL, 0)				      \
-	    || __builtin_expect (ch < rp2->start, 0)			      \
+	if (__builtin_expect (ch < rp2->start, 0)			      \
 	    || (res = __ibm932db_to_ucs4[ch + rp2->idx],		      \
 	    __builtin_expect (res, '\1') == 0 && ch !=0))		      \
 	  {								      \
diff -Nura eglibc-2.19.orig/libc/iconvdata/ibm933.c eglibc-2.19/libc/iconvdata/ibm933.c
--- eglibc-2.19.orig/libc/iconvdata/ibm933.c	2015-01-08 16:05:53.917822706 -0300
+++ eglibc-2.19/libc/iconvdata/ibm933.c	2015-01-08 16:06:02.781555143 -0300
@@ -161,7 +161,7 @@
 	while (ch > rp2->end)						      \
 	  ++rp2;							      \
 									      \
-	if (__builtin_expect (rp2 == NULL, 0)				      \
+	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
 	    || __builtin_expect (ch < rp2->start, 0)			      \
 	    || (res = __ibm933db_to_ucs4[ch + rp2->idx],		      \
 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
diff -Nura eglibc-2.19.orig/libc/iconvdata/ibm935.c eglibc-2.19/libc/iconvdata/ibm935.c
--- eglibc-2.19.orig/libc/iconvdata/ibm935.c	2015-01-08 16:05:53.921824843 -0300
+++ eglibc-2.19/libc/iconvdata/ibm935.c	2015-01-08 16:06:02.782555677 -0300
@@ -161,7 +161,7 @@
 	while (ch > rp2->end)						      \
 	  ++rp2;							      \
 									      \
-	if (__builtin_expect (rp2 == NULL, 0)				      \
+	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
 	    || __builtin_expect (ch < rp2->start, 0)			      \
 	    || (res = __ibm935db_to_ucs4[ch + rp2->idx],		      \
 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
diff -Nura eglibc-2.19.orig/libc/iconvdata/ibm937.c eglibc-2.19/libc/iconvdata/ibm937.c
--- eglibc-2.19.orig/libc/iconvdata/ibm937.c	2015-01-08 16:05:53.915821638 -0300
+++ eglibc-2.19/libc/iconvdata/ibm937.c	2015-01-08 16:06:02.782555677 -0300
@@ -161,7 +161,7 @@
 	while (ch > rp2->end)						      \
 	  ++rp2;							      \
 									      \
-	if (__builtin_expect (rp2 == NULL, 0)				      \
+	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
 	    || __builtin_expect (ch < rp2->start, 0)			      \
 	    || (res = __ibm937db_to_ucs4[ch + rp2->idx],		      \
 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
diff -Nura eglibc-2.19.orig/libc/iconvdata/ibm939.c eglibc-2.19/libc/iconvdata/ibm939.c
--- eglibc-2.19.orig/libc/iconvdata/ibm939.c	2015-01-08 16:05:53.917822706 -0300
+++ eglibc-2.19/libc/iconvdata/ibm939.c	2015-01-08 16:06:02.782555677 -0300
@@ -161,7 +161,7 @@
 	while (ch > rp2->end)						      \
 	  ++rp2;							      \
 									      \
-	if (__builtin_expect (rp2 == NULL, 0)				      \
+	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
 	    || __builtin_expect (ch < rp2->start, 0)			      \
 	    || (res = __ibm939db_to_ucs4[ch + rp2->idx],		      \
 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
diff -Nura eglibc-2.19.orig/libc/iconvdata/ibm943.c eglibc-2.19/libc/iconvdata/ibm943.c
--- eglibc-2.19.orig/libc/iconvdata/ibm943.c	2015-01-08 16:05:53.918823240 -0300
+++ eglibc-2.19/libc/iconvdata/ibm943.c	2015-01-08 16:06:02.782555677 -0300
@@ -74,11 +74,12 @@
 	  }								      \
 									      \
 	ch = (ch * 0x100) + inptr[1];					      \
+	/* ch was less than 0xfd.  */					      \
+	assert (ch < 0xfd00);						      \
 	while (ch > rp2->end)						      \
 	  ++rp2;							      \
 									      \
-	if (__builtin_expect (rp2 == NULL, 0)				      \
-	    || __builtin_expect (ch < rp2->start, 0)			      \
+	if (__builtin_expect (ch < rp2->start, 0)			      \
 	    || (res = __ibm943db_to_ucs4[ch + rp2->idx],		      \
 	    __builtin_expect (res, '\1') == 0 && ch !=0))		      \
 	  {								      \
diff -Nura eglibc-2.19.orig/libc/iconvdata/Makefile eglibc-2.19/libc/iconvdata/Makefile
--- eglibc-2.19.orig/libc/iconvdata/Makefile	2015-01-08 16:05:53.903815227 -0300
+++ eglibc-2.19/libc/iconvdata/Makefile	2015-01-08 16:06:02.782555677 -0300
@@ -303,6 +303,7 @@
 $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \
 			 $(addprefix $(objpfx),$(modules.so)) \
 			 $(common-objdir)/iconv/iconv_prog TESTS
+	iconv_modules="$(modules)" \
 	$(SHELL) $< $(common-objdir) '$(test-wrapper)' > $@
 
 $(objpfx)tst-tables.out: tst-tables.sh $(objpfx)gconv-modules \
diff -Nura eglibc-2.19.orig/libc/iconvdata/run-iconv-test.sh eglibc-2.19/libc/iconvdata/run-iconv-test.sh
--- eglibc-2.19.orig/libc/iconvdata/run-iconv-test.sh	2015-01-08 16:05:53.894810420 -0300
+++ eglibc-2.19/libc/iconvdata/run-iconv-test.sh	2015-01-08 16:06:02.782555677 -0300
@@ -188,6 +188,24 @@
 
 done < TESTS2
 
+# Check for crashes in decoders.
+printf '\016\377\377\377\377\377\377\377' > $temp1
+for from in $iconv_modules ; do
+    echo $ac_n "test decoder $from $ac_c"
+    PROG=`eval echo $ICONV`
+    if $PROG < $temp1 >/dev/null 2>&1 ; then
+	: # fall through
+    else
+	status=$?
+	if test $status -gt 1 ; then
+	    echo "/FAILED"
+	    failed=1
+	    continue
+	fi
+    fi
+    echo "OK"
+done
+
 exit $failed
 # Local Variables:
 #  mode:shell-script