Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 475060 Details for
Bug 620468
<dev-libs/boost-1.74.0-r2 : ordered_malloc() overflow (CVE-2012-2677)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
boost-CVE-2012-2677.patch
boost-CVE-2012-2677.patch (text/plain), 4.65 KB, created by
Andrey Ovcharov
on 2017-06-03 05:14:13 UTC
(
hide
)
Description:
boost-CVE-2012-2677.patch
Filename:
MIME Type:
Creator:
Andrey Ovcharov
Created:
2017-06-03 05:14:13 UTC
Size:
4.65 KB
patch
obsolete
>Reference > >https://svn.boost.org/trac/boost/changeset/78326 > >Upstream-Status: Backport >CVE: CVE-2012-2677 >Signed-off-by: Yue Tao <yue.tao@windriver.com> > >diff --git a/boost/pool/pool.hpp.old b/boost/pool/pool.hpp >index c47b11f..417a1e0 100644 >--- a/boost/pool/pool.hpp.old >+++ b/boost/pool/pool.hpp >@@ -26,6 +26,8 @@ > > #include <boost/pool/poolfwd.hpp> > >+// std::numeric_limits >+#include <boost/limits.hpp> > // boost::integer::static_lcm > #include <boost/integer/common_factor_ct.hpp> > // boost::simple_segregated_storage >@@ -355,6 +357,15 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t > return s; > } > >+ size_type max_chunks() const >+ { //! Calculated maximum number of memory chunks that can be allocated in a single call by this Pool. >+ size_type partition_size = alloc_size(); >+ size_type POD_size = integer::static_lcm<sizeof(size_type), sizeof(void *)>::value + sizeof(size_type); >+ size_type max_chunks = (std::numeric_limits<size_type>::max() - POD_size) / alloc_size(); >+ >+ return max_chunks; >+ } >+ > static void * & nextof(void * const ptr) > { //! \returns Pointer dereferenced. > //! (Provided and used for the sake of code readability :) >@@ -375,6 +386,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t > //! the first time that object needs to allocate system memory. > //! The default is 32. This parameter may not be 0. > //! \param nmax_size is the maximum number of chunks to allocate in one block. >+ set_next_size(nnext_size); >+ set_max_size(nmax_size); > } > > ~pool() >@@ -398,8 +411,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t > } > void set_next_size(const size_type nnext_size) > { //! Set number of chunks to request from the system the next time that object needs to allocate system memory. This value should never be set to 0. >- //! \returns nnext_size. >- next_size = start_size = nnext_size; >+ BOOST_USING_STD_MIN(); >+ next_size = start_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nnext_size, max_chunks()); > } > size_type get_max_size() const > { //! \returns max_size. >@@ -407,7 +420,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t > } > void set_max_size(const size_type nmax_size) > { //! Set max_size. >- max_size = nmax_size; >+ BOOST_USING_STD_MIN(); >+ max_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nmax_size, max_chunks()); > } > size_type get_requested_size() const > { //! \returns the requested size passed into the constructor. >@@ -708,9 +722,9 @@ void * pool<UserAllocator>::malloc_need_resize() > > BOOST_USING_STD_MIN(); > if(!max_size) >- next_size <<= 1; >+ set_next_size(next_size << 1); > else if( next_size*partition_size/requested_size < max_size) >- next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size); >+ set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size)); > > // initialize it, > store().add_block(node.begin(), node.element_size(), partition_size); >@@ -748,9 +762,9 @@ void * pool<UserAllocator>::ordered_malloc_need_resize() > > BOOST_USING_STD_MIN(); > if(!max_size) >- next_size <<= 1; >+ set_next_size(next_size << 1); > else if( next_size*partition_size/requested_size < max_size) >- next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size); >+ set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size)); > > // initialize it, > // (we can use "add_block" here because we know that >@@ -792,6 +806,8 @@ void * pool<UserAllocator>::ordered_malloc(const size_type n) > { //! Gets address of a chunk n, allocating new memory if not already available. > //! \returns Address of chunk n if allocated ok. > //! \returns 0 if not enough memory for n chunks. >+ if (n > max_chunks()) >+ return 0; > > const size_type partition_size = alloc_size(); > const size_type total_req_size = n * requested_size; >@@ -840,9 +856,9 @@ void * pool<UserAllocator>::ordered_malloc(const size_type n) > > BOOST_USING_STD_MIN(); > if(!max_size) >- next_size <<= 1; >+ set_next_size(next_size << 1); > else if( next_size*partition_size/requested_size < max_size) >- next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size); >+ set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size)); > > // insert it into the list, > // handle border case.
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=475060">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 620468
: 475060 |
679383
