mirror/glibc
2
0
Fork 0
mirror of git://sourceware.org/git/glibc.git synced 2025-04-12 14:21:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix signed integer overflow in random_r (bug 17343).

Browse Source 
Bug 17343 reports that stdlib/random_r.c has code with undefined
behavior because of signed integer overflow on int32_t.  This patch
changes the code so that the possibly overflowing computations use
unsigned arithmetic instead.

Note that the bug report refers to "Most code" in that file.  The
places changed in this patch are the only ones I found where I think
such overflow can occur.

Tested for x86_64 and x86.

	[BZ #17343]
	* stdlib/random_r.c (__random_r): Use unsigned arithmetic for
	possibly overflowing computations.

(cherry picked from commit 8a07b0c43c46a480da070efd53a2720195e2256f)
This commit is contained in:
Joseph Myers 2018-05-17 14:04:58 +02:00 committed by Florian Weimer
parent 3241353ab2
commit 02f0dd83a4
3 changed files with 11 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog
View File

@ -1,3 +1,9 @@
2018-03-20 Joseph Myers <joseph@codesourcery.com>
[BZ #17343]
* stdlib/random_r.c (__random_r): Use unsigned arithmetic for
possibly overflowing computations.
2018-03-03 Adhemerval Zanella <adhemerval.zanella@linaro.org>
[BZ #21269]

1
NEWS
View File

@ -74,6 +74,7 @@ Security related changes:
The following bugs are resolved with this release:
[16750] ldd: Never run file directly.
[17343] Fix signed integer overflow in random_r
[17956] crypt: Use NSPR header files in addition to NSS header files
[20532] getaddrinfo: More robust handling of dlopen failures
[21242] assert: Suppress pedantic warning caused by statement expression

9
stdlib/random_r.c
View File

@ -361,8 +361,7 @@ __random_r (struct random_data *buf, int32_t *result)
if (buf->rand_type == TYPE_0)
{
int32_t val = state[0];
val = ((state[0] * 1103515245) + 12345) & 0x7fffffff;
int32_t val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff;
state[0] = val;
*result = val;
}
@ -371,11 +370,11 @@ __random_r (struct random_data *buf, int32_t *result)
int32_t *fptr = buf->fptr;
int32_t *rptr = buf->rptr;
int32_t *end_ptr = buf->end_ptr;
int32_t val;
uint32_t val;
val = *fptr += *rptr;
val = *fptr += (uint32_t) *rptr;
/* Chucking least random bit. */
*result = (val >> 1) & 0x7fffffff;
*result = val >> 1;
++fptr;
if (fptr >= end_ptr)
{