Index: head/contrib/gcclibs/include/objalloc.h
===================================================================
--- head/contrib/gcclibs/include/objalloc.h (revision 301290)
+++ head/contrib/gcclibs/include/objalloc.h (revision 301291)
@@ -1,115 +1,115 @@ /* objalloc.h -- routines to allocate memory for objects - Copyright 1997, 2001 Free Software Foundation, Inc. + Copyright 1997, 2001-2012 Free Software Foundation, Inc. Written by Ian Lance Taylor, Cygnus Solutions. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ #ifndef OBJALLOC_H #define OBJALLOC_H #include "ansidecl.h" /* These routines allocate space for an object. The assumption is that the object will want to allocate space as it goes along, but will never want to free any particular block. There is a function to free a block, which also frees all more recently allocated blocks. There is also a function to free all the allocated space. This is essentially a specialization of obstacks. The main difference is that a block may not be allocated a bit at a time. Another difference is that these routines are always built on top of malloc, and always pass an malloc failure back to the caller, unlike more recent versions of obstacks. */ /* This is what an objalloc structure looks like. Callers should not refer to these fields, nor should they allocate these structure themselves. Instead, they should only create them via objalloc_init, and only access them via the functions and macros listed below. The structure is only defined here so that we can access it via macros. 
*/ struct objalloc { char *current_ptr; unsigned int current_space; void *chunks; }; /* Work out the required alignment. */ struct objalloc_align { char x; double d; }; #if defined (__STDC__) && __STDC__ #ifndef offsetof #include #endif #endif #ifndef offsetof #define offsetof(TYPE, MEMBER) ((unsigned long) &((TYPE *)0)->MEMBER) #endif #define OBJALLOC_ALIGN offsetof (struct objalloc_align, d) /* Create an objalloc structure. Returns NULL if malloc fails. */ extern struct objalloc *objalloc_create (void); /* Allocate space from an objalloc structure. Returns NULL if malloc fails. */ extern void *_objalloc_alloc (struct objalloc *, unsigned long); /* The macro version of objalloc_alloc. We only define this if using gcc, because otherwise we would have to evaluate the arguments multiple times, or use a temporary field as obstack.h does. */ #if defined (__GNUC__) && defined (__STDC__) && __STDC__ /* NextStep 2.0 cc is really gcc 1.93 but it defines __GNUC__ = 2 and does not implement __extension__. But that compiler doesn't define __GNUC_MINOR__. */ #if __GNUC__ < 2 || (__NeXT__ && !__GNUC_MINOR__) #define __extension__ #endif #define objalloc_alloc(o, l) \ __extension__ \ ({ struct objalloc *__o = (o); \ unsigned long __len = (l); \ if (__len == 0) \ __len = 1; \ __len = (__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1); \ - (__len <= __o->current_space \ + (__len != 0 && __len <= __o->current_space \ ? (__o->current_ptr += __len, \ __o->current_space -= __len, \ (void *) (__o->current_ptr - __len)) \ : _objalloc_alloc (__o, __len)); }) #else /* ! __GNUC__ */ #define objalloc_alloc(o, l) _objalloc_alloc ((o), (l)) #endif /* ! __GNUC__ */ /* Free an entire objalloc structure. */ extern void objalloc_free (struct objalloc *); /* Free a block allocated by objalloc_alloc. This also frees all more recently allocated blocks. 
*/ extern void objalloc_free_block (struct objalloc *, void *); #endif /* OBJALLOC_H */
Index: head/contrib/gcclibs/libiberty/objalloc.c
===================================================================
--- head/contrib/gcclibs/libiberty/objalloc.c (revision 301290)
+++ head/contrib/gcclibs/libiberty/objalloc.c (revision 301291)
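Review bot: The added `__len != 0` test only steers a wrapped request away from the bump path; it still calls `_objalloc_alloc (__o, 0)`, and the callee treats 0 as a 1-byte request, so for the last few `l` values below ULONG_MAX the round-up `(__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1)` yields 0, the new guard in _objalloc_alloc compares `len + CHUNK_HEADER_SIZE` against an `original_len` of 0 and passes, and the caller receives a one-object block for a request that should have failed. The original length is already lost at that point, so the macro should fail the request itself instead of delegating: change the fallback to `: (__len == 0 ? (void *) 0 : _objalloc_alloc (__o, __len))); })`. The non-GCC branch `_objalloc_alloc ((o), (l))` passes the unrounded length through and is not affected.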
@@ -1,291 +1,298 @@ /* objalloc.c -- routines to allocate memory for objects - Copyright 1997 Free Software Foundation, Inc. + Copyright 1997-2012 Free Software Foundation, Inc. Written by Ian Lance Taylor, Cygnus Solutions. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. */ #include "config.h" #include "ansidecl.h" #include "objalloc.h" /* Get a definition for NULL. */ #include #if VMS #include #include #else /* Get a definition for size_t. */ #include #ifdef HAVE_STDLIB_H #include #else /* For systems with larger pointers than ints, this must be declared. */ extern PTR malloc (size_t); extern void free (PTR); #endif #endif /* These routines allocate space for an object. Freeing allocated space may or may not free all more recently allocated space. We handle large and small allocation requests differently. If we don't have enough space in the current block, and the allocation request is for more than 512 bytes, we simply pass it through to malloc. */ /* The objalloc structure is defined in objalloc.h. */ /* This structure appears at the start of each chunk. */ struct objalloc_chunk { /* Next chunk. */ struct objalloc_chunk *next; /* If this chunk contains large objects, this is the value of current_ptr when this chunk was allocated. If this chunk contains small objects, this is NULL. */ char *current_ptr; }; /* The aligned size of objalloc_chunk. 
*/ #define CHUNK_HEADER_SIZE \ ((sizeof (struct objalloc_chunk) + OBJALLOC_ALIGN - 1) \ &~ (OBJALLOC_ALIGN - 1)) /* We ask for this much memory each time we create a chunk which is to hold small objects. */ #define CHUNK_SIZE (4096 - 32) /* A request for this amount or more is just passed through to malloc. */ #define BIG_REQUEST (512) /* Create an objalloc structure. */ struct objalloc * objalloc_create (void) { struct objalloc *ret; struct objalloc_chunk *chunk; ret = (struct objalloc *) malloc (sizeof *ret); if (ret == NULL) return NULL; ret->chunks = (PTR) malloc (CHUNK_SIZE); if (ret->chunks == NULL) { free (ret); return NULL; } chunk = (struct objalloc_chunk *) ret->chunks; chunk->next = NULL; chunk->current_ptr = NULL; ret->current_ptr = (char *) chunk + CHUNK_HEADER_SIZE; ret->current_space = CHUNK_SIZE - CHUNK_HEADER_SIZE; return ret; } /* Allocate space from an objalloc structure. */ PTR -_objalloc_alloc (struct objalloc *o, unsigned long len) +_objalloc_alloc (struct objalloc *o, unsigned long original_len) { + unsigned long len = original_len; + /* We avoid confusion from zero sized objects by always allocating at least 1 byte. */ if (len == 0) len = 1; len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1); + + /* CVE-2012-3509: Check for overflow in the alignment operation above + * and then malloc argument below. 
*/ + if (len + CHUNK_HEADER_SIZE < original_len) + return NULL; if (len <= o->current_space) { o->current_ptr += len; o->current_space -= len; return (PTR) (o->current_ptr - len); } if (len >= BIG_REQUEST) { char *ret; struct objalloc_chunk *chunk; ret = (char *) malloc (CHUNK_HEADER_SIZE + len); if (ret == NULL) return NULL; chunk = (struct objalloc_chunk *) ret; chunk->next = (struct objalloc_chunk *) o->chunks; chunk->current_ptr = o->current_ptr; o->chunks = (PTR) chunk; return (PTR) (ret + CHUNK_HEADER_SIZE); } else { struct objalloc_chunk *chunk; chunk = (struct objalloc_chunk *) malloc (CHUNK_SIZE); if (chunk == NULL) return NULL; chunk->next = (struct objalloc_chunk *) o->chunks; chunk->current_ptr = NULL; o->current_ptr = (char *) chunk + CHUNK_HEADER_SIZE; o->current_space = CHUNK_SIZE - CHUNK_HEADER_SIZE; o->chunks = (PTR) chunk; return objalloc_alloc (o, len); } } /* Free an entire objalloc structure. */ void objalloc_free (struct objalloc *o) { struct objalloc_chunk *l; l = (struct objalloc_chunk *) o->chunks; while (l != NULL) { struct objalloc_chunk *next; next = l->next; free (l); l = next; } free (o); } /* Free a block from an objalloc structure. This also frees all more recently allocated blocks. */ void objalloc_free_block (struct objalloc *o, PTR block) { struct objalloc_chunk *p, *small; char *b = (char *) block; /* First set P to the chunk which contains the block we are freeing, and set Q to the last small object chunk we see before P. */ small = NULL; for (p = (struct objalloc_chunk *) o->chunks; p != NULL; p = p->next) { if (p->current_ptr == NULL) { if (b > (char *) p && b < (char *) p + CHUNK_SIZE) break; small = p; } else { if (b == (char *) p + CHUNK_HEADER_SIZE) break; } } /* If we can't find the chunk, the caller has made a mistake. */ if (p == NULL) abort (); if (p->current_ptr == NULL) { struct objalloc_chunk *q; struct objalloc_chunk *first; /* The block is in a chunk containing small objects. 
We can free every chunk through SMALL, because they have certainly been allocated more recently. After SMALL, we will not see any chunks containing small objects; we can free any big chunk if the current_ptr is greater than or equal to B. We can then reset the new current_ptr to B. */ first = NULL; q = (struct objalloc_chunk *) o->chunks; while (q != p) { struct objalloc_chunk *next; next = q->next; if (small != NULL) { if (small == q) small = NULL; free (q); } else if (q->current_ptr > b) free (q); else if (first == NULL) first = q; q = next; } if (first == NULL) first = p; o->chunks = (PTR) first; /* Now start allocating from this small block again. */ o->current_ptr = b; o->current_space = ((char *) p + CHUNK_SIZE) - b; } else { struct objalloc_chunk *q; char *current_ptr; /* This block is in a large chunk by itself. We can free everything on the list up to and including this block. We then start allocating from the next chunk containing small objects, setting current_ptr from the value stored with the large chunk we are freeing. */ current_ptr = p->current_ptr; p = p->next; q = (struct objalloc_chunk *) o->chunks; while (q != p) { struct objalloc_chunk *next; next = q->next; free (q); q = next; } o->chunks = (PTR) p; while (p->current_ptr != NULL) p = p->next; o->current_ptr = current_ptr; o->current_space = ((char *) p + CHUNK_SIZE) - current_ptr; } }
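Review bot: The new guard comment in _objalloc_alloc is written with ` * ` continuation lines, a style no other comment in this file uses; the surrounding comments continue with bare indented text and close with two spaces before `*/`. Suggest rewriting it in that style and making the rationale explicit, e.g. `/* CVE-2012-3509: LEN may have wrapped in the alignment round-up above, and CHUNK_HEADER_SIZE + LEN is passed to malloc below; reject a request if either sum wrapped.  */`. The check itself is sound for the large-request path because `unsigned long` arithmetic wraps deterministically and a wrapped `len` or `len + CHUNK_HEADER_SIZE` is necessarily smaller than `original_len`; the small-request path is only entered when `len < BIG_REQUEST`, so the header addition cannot wrap there. Note that a zero `original_len` passes the guard by construction, which is correct for direct callers but is worth stating in the comment since the header's macro can forward a rounded-to-zero length.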