Merge remote branch 'origin/master' into fedora/master

ChangeLog

@@ -1,3 +1,71 @@
+2010-01-26  Samuel Thibault  <samuel.thibault@ens-lyon.org>
+
+	* sysdeps/mach/getsysstats.c (get_nprocs_conf, get_nprocs,
+	get_phys_pages, get_avphys_pages): Add weak aliases.
+
+2010-01-25  Andreas Schwab  <schwab@redhat.com>
+
+	* iconv/iconv_prog.c (write_output): Fix check for open failure.
+
+2010-01-22  Ulrich Drepper  <drepper@redhat.com>
+
+	[BZ #11200]
+	* locale/loadlocale.c (_nl_load_locale): Fix recognition of genuine
+	mmap resource problem.  Patch by Joe Landers <jlanders@vmware.com>.
+
+2010-01-22  Jim Meyering  <jim@meyering.net>
+
+	[BZ #11193]
+	* posix/regexec.c (extend_buffers): Avoid overflow in realloc
+	buffer length computation.
+
+	[BZ #11192]
+	* posix/regexec.c (re_copy_regs): Don't leak when allocation
+	of the start buffer succeeds but allocation of the "end" one fails.
+
+	[BZ #11191]
+	* posix/regexec.c (re_search_2_stub): Check for overflow
+	when adding the sizes of the two strings.
+
+	[BZ #11190]
+	* posix/regexec.c (re_search_internal): Avoid overflow
+	in computing re_malloc buffer size.
+
+	[BZ #11189]
+	* posix/regexec.c (prune_impossible_nodes): Avoid overflow
+	in computing re_malloc buffer size.
+
+	[BZ #11188]
+	* posix/regexec.c (build_trtable): Avoid arithmetic overflow
+	in size calculation.
+
+	[BZ #11187]
+	* posix/regexec.c (re_search_2_stub): Use simpler method than
+	boolean for freeing internal storage.
+
+2010-01-22  Ulrich Drepper  <drepper@redhat.com>
+
+	* posix/regex_internal.c (re_string_skip_chars): Simplify test for
+	failed mbrtowc call.
+
+2010-01-22  Jim Meyering  <jim@meyering.net>
+
+	[BZ #11186]
+	* posix/regex_internal.c (re_string_skip_chars): Don't assume WEOF
+	fits in wchar_t.  Problem reported by Eric Blake.
+
+	[BZ #11185]
+	* posix/regex_internal.c (re_string_reconstruct): Remove declaration
+	and stores into set-but-not-used local, "q".
+
+	[BZ #11184]
+	* posix/regex_internal.c (re_dfa_add_node): Extend the overflow
+	detection test.  Patch by Paul Eggert.
+
+	[BZ #11183]
+	* posix/regex_internal.c (re_string_realloc_buffers):
+	Detect and handle internal overflow.  Patch by Paul Eggert
+
 2010-01-20  Andreas Schwab  <schwab@redhat.com>
 
 	* sysdeps/unix/sysv/linux/s390/s390-32/____longjmp_chk.c

iconv/iconv_prog.c

@@ -442,7 +442,7 @@ write_output (const char *outbuf, const char *outptr, FILE **output,
       if (output_file != NULL && strcmp (output_file, "-") != 0)
 	{
 	  *output = fopen (output_file, "w");
-	  if (output == NULL)
+	  if (*output == NULL)
 	    error (EXIT_FAILURE, errno, _("cannot open output file"));
 	}
       else

locale/loadlocale.c

@@ -224,6 +224,7 @@ _nl_load_locale (struct loaded_l10nfile *file, int category)
 		     PROT_READ, MAP_FILE|MAP_COPY, fd, 0);
   if (__builtin_expect (filedata == MAP_FAILED, 0))
     {
+      filedata = NULL;
       if (__builtin_expect (errno, ENOSYS) == ENOSYS)
 	{
 #endif	/* _POSIX_MAPPED_FILES */

localedata/ChangeLog

@@ -1,3 +1,7 @@
+2010-01-25  Andreas Schwab  <schwab@redhat.com>
+
+	* locales/i18n: Don't map U00DF to U1E9E in toupper table.
+
 2009-11-24  Ulrich Drepper  <drepper@redhat.com>
 
 	* locales/hsb_DE: Define week, first_weekday, and first_workday.

localedata/locales/i18n

@@ -928,8 +928,7 @@ toupper /
    (<U006D>,<U004D>);(<U006E>,<U004E>);(<U006F>,<U004F>);(<U0070>,<U0050>);/
    (<U0071>,<U0051>);(<U0072>,<U0052>);(<U0073>,<U0053>);(<U0074>,<U0054>);/
    (<U0075>,<U0055>);(<U0076>,<U0056>);(<U0077>,<U0057>);(<U0078>,<U0058>);/
-   (<U0079>,<U0059>);(<U007A>,<U005A>);(<U00B5>,<U039C>);(<U00DF>,<U1E9E>);/
-   (<U00E0>,<U00C0>);/
+   (<U0079>,<U0059>);(<U007A>,<U005A>);(<U00B5>,<U039C>);(<U00E0>,<U00C0>);/
    (<U00E1>,<U00C1>);(<U00E2>,<U00C2>);(<U00E3>,<U00C3>);(<U00E4>,<U00C4>);/
    (<U00E5>,<U00C5>);(<U00E6>,<U00C6>);(<U00E7>,<U00C7>);(<U00E8>,<U00C8>);/
    (<U00E9>,<U00C9>);(<U00EA>,<U00CA>);(<U00EB>,<U00CB>);(<U00EC>,<U00CC>);/

posix/regex_internal.c

@@ -133,7 +133,14 @@ re_string_realloc_buffers (re_string_t *pstr, int new_buf_len)
 #ifdef RE_ENABLE_I18N
   if (pstr->mb_cur_max > 1)
     {
-      wint_t *new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len);
+      wint_t *new_wcs;
+
+      /* Avoid overflow in realloc.  */
+      const size_t max_object_size = MAX (sizeof (wint_t), sizeof (int));
+      if (BE (SIZE_MAX / max_object_size < new_buf_len, 0))
+	return REG_ESPACE;
+
+      new_wcs = re_realloc (pstr->wcs, wint_t, new_buf_len);
       if (BE (new_wcs == NULL, 0))
 	return REG_ESPACE;
       pstr->wcs = new_wcs;
@@ -482,18 +489,18 @@ re_string_skip_chars (re_string_t *pstr, int new_raw_idx, wint_t *last_wc)
   mbstate_t prev_st;
   int rawbuf_idx;
   size_t mbclen;
-  wchar_t wc = WEOF;
+  wint_t wc = WEOF;
 
   /* Skip the characters which are not necessary to check.  */
   for (rawbuf_idx = pstr->raw_mbs_idx + pstr->valid_raw_len;
        rawbuf_idx < new_raw_idx;)
     {
-      int remain_len;
-      remain_len = pstr->len - rawbuf_idx;
+      wchar_t wc2;
+      int remain_len = pstr->len - rawbuf_idx;
       prev_st = pstr->cur_state;
-      mbclen = __mbrtowc (&wc, (const char *) pstr->raw_mbs + rawbuf_idx,
+      mbclen = __mbrtowc (&wc2, (const char *) pstr->raw_mbs + rawbuf_idx,
 			  remain_len, &pstr->cur_state);
-      if (BE (mbclen == (size_t) -2 || mbclen == (size_t) -1 || mbclen == 0, 0))
+      if (BE ((ssize_t) mbclen <= 0, 0))
 	{
 	  /* We treat these cases as a single byte character.  */
 	  if (mbclen == 0 || remain_len == 0)
@@ -503,10 +510,12 @@ re_string_skip_chars (re_string_t *pstr, int new_raw_idx, wint_t *last_wc)
 	  mbclen = 1;
 	  pstr->cur_state = prev_st;
 	}
+      else
+	wc = (wint_t) wc2;
       /* Then proceed the next character.  */
       rawbuf_idx += mbclen;
     }
-  *last_wc = (wint_t) wc;
+  *last_wc = wc;
   return rawbuf_idx;
 }
 #endif /* RE_ENABLE_I18N  */
@@ -694,7 +703,7 @@ re_string_reconstruct (re_string_t *pstr, int idx, int eflags)
 
 	      if (pstr->is_utf8)
 		{
-		  const unsigned char *raw, *p, *q, *end;
+		  const unsigned char *raw, *p, *end;
 
 		  /* Special case UTF-8.  Multi-byte chars start with any
 		     byte other than 0x80 - 0xbf.  */
@@ -723,13 +732,11 @@ re_string_reconstruct (re_string_t *pstr, int idx, int eflags)
 			  unsigned char buf[6];
 			  size_t mbclen;
 
-			  q = p;
 			  if (BE (pstr->trans != NULL, 0))
 			    {
 			      int i = mlen < 6 ? mlen : 6;
 			      while (--i >= 0)
 				buf[i] = pstr->trans[p[i]];
-			      q = buf;
 			    }
 			  /* XXX Don't use mbrtowc, we know which conversion
 			     to use (UTF-8 -> UCS4).  */
@@ -1404,8 +1411,11 @@ re_dfa_add_node (re_dfa_t *dfa, re_token_t token)
       re_node_set *new_edests, *new_eclosures;
       re_token_t *new_nodes;
 
-      /* Avoid overflows.  */
-      if (BE (new_nodes_alloc < dfa->nodes_alloc, 0))
+      /* Avoid overflows in realloc.  */
+      const size_t max_object_size = MAX (sizeof (re_token_t),
+					  MAX (sizeof (re_node_set),
+					       sizeof (int)));
+      if (BE (SIZE_MAX / max_object_size < new_nodes_alloc, 0))
 	return -1;
 
       new_nodes = re_realloc (dfa->nodes, re_token_t, new_nodes_alloc);

posix/regexec.c

@@ -368,16 +368,16 @@ re_search_2_stub (bufp, string1, length1, string2, length2, start, range, regs,
   const char *str;
   int rval;
   int len = length1 + length2;
-  int free_str = 0;
+  char *s = NULL;
 
-  if (BE (length1 < 0 || length2 < 0 || stop < 0, 0))
+  if (BE (length1 < 0 || length2 < 0 || stop < 0 || len < length1, 0))
     return -2;
 
   /* Concatenate the strings.  */
   if (length2 > 0)
     if (length1 > 0)
       {
-	char *s = re_malloc (char, len);
+	s = re_malloc (char, len);
 
 	if (BE (s == NULL, 0))
 	  return -2;
@@ -388,17 +388,14 @@ re_search_2_stub (bufp, string1, length1, string2, length2, start, range, regs,
 	memcpy (s + length1, string2, length2);
 #endif
 	str = s;
-	free_str = 1;
       }
     else
       str = string2;
   else
     str = string1;
 
-  rval = re_search_stub (bufp, str, len, start, range, stop, regs,
-			 ret_len);
-  if (free_str)
-    re_free ((char *) str);
+  rval = re_search_stub (bufp, str, len, start, range, stop, regs, ret_len);
+  re_free (s);
   return rval;
 }
 
@@ -512,9 +509,14 @@ re_copy_regs (regs, pmatch, nregs, regs_allocated)
   if (regs_allocated == REGS_UNALLOCATED)
     { /* No.  So allocate them with malloc.  */
       regs->start = re_malloc (regoff_t, need_regs);
-      regs->end = re_malloc (regoff_t, need_regs);
-      if (BE (regs->start == NULL, 0) || BE (regs->end == NULL, 0))
+      if (BE (regs->start == NULL, 0))
 	return REGS_UNALLOCATED;
+      regs->end = re_malloc (regoff_t, need_regs);
+      if (BE (regs->end == NULL, 0))
+	{
+	  re_free (regs->start);
+	  return REGS_UNALLOCATED;
+	}
       regs->num_regs = need_regs;
     }
   else if (regs_allocated == REGS_REALLOCATE)
@@ -524,9 +526,15 @@ re_copy_regs (regs, pmatch, nregs, regs_allocated)
       if (BE (need_regs > regs->num_regs, 0))
 	{
 	  regoff_t *new_start = re_realloc (regs->start, regoff_t, need_regs);
-	  regoff_t *new_end = re_realloc (regs->end, regoff_t, need_regs);
-	  if (BE (new_start == NULL, 0) || BE (new_end == NULL, 0))
+	  regoff_t *new_end;
+	  if (BE (new_start == NULL, 0))
 	    return REGS_UNALLOCATED;
+	  new_end = re_realloc (regs->end, regoff_t, need_regs);
+	  if (BE (new_end == NULL, 0))
+	    {
+	      re_free (new_start);
+	      return REGS_UNALLOCATED;
+	    }
 	  regs->start = new_start;
 	  regs->end = new_end;
 	  regs->num_regs = need_regs;
@@ -694,6 +702,13 @@ re_search_internal (preg, string, length, start, range, stop, nmatch, pmatch,
      multi character collating element.  */
   if (nmatch > 1 || dfa->has_mb_node)
     {
+      /* Avoid overflow.  */
+      if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= mctx.input.bufs_len, 0))
+	{
+	  err = REG_ESPACE;
+	  goto free_return;
+	}
+
       mctx.state_log = re_malloc (re_dfastate_t *, mctx.input.bufs_len + 1);
       if (BE (mctx.state_log == NULL, 0))
 	{
@@ -952,6 +967,11 @@ prune_impossible_nodes (mctx)
 #endif
   match_last = mctx->match_last;
   halt_node = mctx->last_node;
+
+  /* Avoid overflow.  */
+  if (BE (SIZE_MAX / sizeof (re_dfastate_t *) <= match_last, 0))
+    return REG_ESPACE;
+
   sifted_states = re_malloc (re_dfastate_t *, match_last + 1);
   if (BE (sifted_states == NULL, 0))
     {
@@ -3362,6 +3382,13 @@ build_trtable (const re_dfa_t *dfa, re_dfastate_t *state)
   if (BE (err != REG_NOERROR, 0))
     goto out_free;
 
+  /* Avoid arithmetic overflow in size calculation.  */
+  if (BE ((((SIZE_MAX - (sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX)
+	    / (3 * sizeof (re_dfastate_t *)))
+	   < ndests),
+	  0))
+    goto out_free;
+
   if (__libc_use_alloca ((sizeof (re_node_set) + sizeof (bitset_t)) * SBC_MAX
 			 + ndests * 3 * sizeof (re_dfastate_t *)))
     dest_states = (re_dfastate_t **)
@@ -4077,6 +4104,10 @@ extend_buffers (re_match_context_t *mctx)
   reg_errcode_t ret;
   re_string_t *pstr = &mctx->input;
 
+  /* Avoid overflow.  */
+  if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
+    return REG_ESPACE;
+
   /* Double the lengthes of the buffers.  */
   ret = re_string_realloc_buffers (pstr, pstr->bufs_len * 2);
   if (BE (ret != REG_NOERROR, 0))

sysdeps/mach/getsysstats.c

@@ -40,6 +40,7 @@ __get_nprocs_conf ()
 
   return hbi.max_cpus;
 }
+weak_alias (__get_nprocs_conf, get_nprocs_conf)
 
 /* Return the number of processors currently available on the system. */
 int
@@ -58,6 +59,7 @@ __get_nprocs ()
 
   return hbi.avail_cpus;
 }
+weak_alias (__get_nprocs, get_nprocs)
 
 /* Return the number of physical pages on the system. */
 long int
@@ -76,6 +78,7 @@ __get_phys_pages ()
 
   return hbi.memory_size / __vm_page_size;
 }
+weak_alias (__get_phys_pages, get_phys_pages)
 
 /* Return the number of available physical pages */
 long int
@@ -100,3 +103,4 @@ __get_avphys_pages ()
 
   return vs.free_count;
 }
+weak_alias (__get_avphys_pages, get_avphys_pages)