Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 7 Sep 2009 09:30:38 +0000 (UTC)
From:      Attilio Rao <attilio@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r196916 - head/contrib/gdtoa
Message-ID:  <200909070930.n879UcSC009647@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: attilio
Date: Mon Sep  7 09:30:37 2009
New Revision: 196916
URL: http://svn.freebsd.org/changeset/base/196916

Log:
  Import a vendor fix for a list overrun.
  This has been considered as a security hole on some specialized ml,
  but currently the secteam@ doesn't consider that way.
  
  Reviewed by:	emaste, des
  Sponsored by:	Sandvine Incorporated
  MFC after:	3 days

Modified:
  head/contrib/gdtoa/gdtoaimp.h
  head/contrib/gdtoa/misc.c

Modified: head/contrib/gdtoa/gdtoaimp.h
==============================================================================
--- head/contrib/gdtoa/gdtoaimp.h	Mon Sep  7 08:52:15 2009	(r196915)
+++ head/contrib/gdtoa/gdtoaimp.h	Mon Sep  7 09:30:37 2009	(r196916)
@@ -485,7 +485,7 @@ extern pthread_mutex_t __gdtoa_locks[2];
 		_pthread_mutex_unlock(&__gdtoa_locks[n]);	\
 } while(0)
 
-#define Kmax 15
+#define Kmax 9
 
  struct
 Bigint {

Modified: head/contrib/gdtoa/misc.c
==============================================================================
--- head/contrib/gdtoa/misc.c	Mon Sep  7 08:52:15 2009	(r196915)
+++ head/contrib/gdtoa/misc.c	Mon Sep  7 09:30:37 2009	(r196916)
@@ -55,7 +55,9 @@ Balloc
 #endif
 
 	ACQUIRE_DTOA_LOCK(0);
-	if ( (rv = freelist[k]) !=0) {
+	/* The k > Kmax case does not need ACQUIRE_DTOA_LOCK(0), */
+	/* but this case seems very unlikely. */
+	if (k <= Kmax && (rv = freelist[k]) !=0) {
 		freelist[k] = rv->next;
 		}
 	else {
@@ -65,7 +67,7 @@ Balloc
 #else
 		len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
 			/sizeof(double);
-		if (pmem_next - private_mem + len <= PRIVATE_mem) {
+		if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
 			rv = (Bigint*)pmem_next;
 			pmem_next += len;
 			}
@@ -89,10 +91,14 @@ Bfree
 #endif
 {
 	if (v) {
-		ACQUIRE_DTOA_LOCK(0);
-		v->next = freelist[v->k];
-		freelist[v->k] = v;
-		FREE_DTOA_LOCK(0);
+		if (v->k > Kmax)
+			free((void*)v);
+		else {
+			ACQUIRE_DTOA_LOCK(0);
+			v->next = freelist[v->k];
+			freelist[v->k] = v;
+			FREE_DTOA_LOCK(0);
+			}
 		}
 	}
 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200909070930.n879UcSC009647>