1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/patches/glibc/2.1.3/rh62-10-glibc-2.1.3-xdr_array.patch Mon Jul 16 16:34:36 2007 +0000
1.3 @@ -0,0 +1,36 @@
1.4 +--- glibc-2.1.3/sunrpc/rpc/types.h Fri Oct 16 13:43:49 1998
1.5 ++++ glibc-2.1.3/sunrpc/rpc/types.h Thu Aug 1 09:06:38 2002
1.6 +@@ -55,6 +55,10 @@
1.7 +
1.8 + #include <stdlib.h> /* For malloc decl. */
1.9 + #define mem_alloc(bsize) malloc(bsize)
1.10 ++/*
1.11 ++ * XXX: This must not use the second argument, or code in xdr_array.c needs
1.12 ++ * to be modified.
1.13 ++ */
1.14 + #define mem_free(ptr, bsize) free(ptr)
1.15 +
1.16 + #ifndef makedev /* ie, we haven't already included it */
1.17 +--- glibc-2.1.3/sunrpc/xdr_array.c Thu Jul 16 15:23:51 1998
1.18 ++++ glibc-2.1.3/sunrpc/xdr_array.c Thu Aug 1 09:07:45 2002
1.19 +@@ -44,6 +44,7 @@
1.20 + #include <string.h>
1.21 + #include <rpc/types.h>
1.22 + #include <rpc/xdr.h>
1.23 ++#include <limits.h>
1.24 +
1.25 + #define LASTUNSIGNED ((u_int)0-1)
1.26 +
1.27 +@@ -76,7 +77,11 @@
1.28 + return FALSE;
1.29 + }
1.30 + c = *sizep;
1.31 +- if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
1.32 ++ /*
1.33 ++ * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
1.34 ++ * doesn't actually use its second argument anyway.
1.35 ++ */
1.36 ++ if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
1.37 + {
1.38 + return FALSE;
1.39 + }