# DP: Fix PR other/54411, libiberty: objalloc_alloc integer overflows (CVE-2012-3509)

include/

2012-09-18  Florian Weimer  <fweimer@redhat.com>

	PR other/54411
	* objalloc.h (objalloc_alloc): Do not use fast path on wraparound.

libiberty/

2012-09-18  Florian Weimer  <fweimer@redhat.com>

	PR other/54411
	* objalloc.c (_objalloc_alloc): Add overflow check covering
	alignment and CHUNK_HEADER_SIZE addition.

 
Index: include/objalloc.h
===================================================================
--- a/src/include/objalloc.h	(Revision 191412)
+++ b/src/include/objalloc.h	(Revision 191413)
@@ -1,5 +1,5 @@
 /* objalloc.h -- routines to allocate memory for objects
-   Copyright 1997, 2001 Free Software Foundation, Inc.
+   Copyright 1997-2012 Free Software Foundation, Inc.
    Written by Ian Lance Taylor, Cygnus Solutions.
 
 This program is free software; you can redistribute it and/or modify it
@@ -91,7 +91,7 @@
      if (__len == 0)							\
        __len = 1;							\
      __len = (__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);	\
-     (__len <= __o->current_space					\
+     (__len != 0 && __len <= __o->current_space				\
       ? (__o->current_ptr += __len,					\
 	 __o->current_space -= __len,					\
 	 (void *) (__o->current_ptr - __len))				\
Index: libiberty/objalloc.c
===================================================================
--- a/src/libiberty/objalloc.c	(Revision 191412)
+++ b/src/libiberty/objalloc.c	(Revision 191413)
@@ -1,5 +1,5 @@
 /* objalloc.c -- routines to allocate memory for objects
-   Copyright 1997 Free Software Foundation, Inc.
+   Copyright 1997-2012 Free Software Foundation, Inc.
    Written by Ian Lance Taylor, Cygnus Solutions.
 
 This program is free software; you can redistribute it and/or modify it
@@ -112,8 +112,10 @@
 /* Allocate space from an objalloc structure.  */
 
 PTR
-_objalloc_alloc (struct objalloc *o, unsigned long len)
+_objalloc_alloc (struct objalloc *o, unsigned long original_len)
 {
+  unsigned long len = original_len;
+
   /* We avoid confusion from zero sized objects by always allocating
      at least 1 byte.  */
   if (len == 0)
@@ -121,6 +123,11 @@
 
   len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);
 
+  /* Check for overflow in the alignment operation above and the
+     malloc argument below. */
+  if (len + CHUNK_HEADER_SIZE < original_len)
+    return NULL;
+
   if (len <= o->current_space)
     {
       o->current_ptr += len;