diff --git a/tcsh-6.20-ptr-update.patch b/tcsh-6.20-ptr-update.patch
new file mode 100644
index 0000000..d18663d
--- /dev/null
+++ b/tcsh-6.20-ptr-update.patch
@@ -0,0 +1,42 @@
+The code in tw_str_add() attempts to be efficient by sliding the
+pointers to reallocated elements within the string list to the new
+virtual address using a computed offset between buffers.
+
+For bounds checked pointers, this produces out of bounds pointers.
+Additionally, the subtraction of pointers to different objects is
+undefined in C so a sufficently "smart" compiler could chose to do
+anything here since in knows the objects are different.
+
+We need this change on our research platform to avoid crashes in tab
+completion.
+
+-- Brooks
+
+commit 85489fafb8fd908ba307df0c774e1706c19cd4b8
+Author: Brooks Davis
+Date: Wed Dec 7 01:04:14 2016 +0000
+
+ Fix a pointer provenance error in list extension.
+
+ When updating pointers to a buffer of linked list elements, derive
+ the new pointers from the new buffer rather than updating the old pointers
+ to the new virtual memory address of the buffer (resulting in out of bounds
+ values).
+
+---
+ tw.init.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- tw.init.c
++++ tw.init.c 2016-12-07 15:27:20.024397004 +0000
+@@ -125,9 +125,8 @@ tw_str_add(stringlist_t *sl, size_t len)
+ sl->buff = xrealloc(sl->buff, sl->tbuff * sizeof(Char));
+ /* Re-thread the new pointer list, if changed */
+ if (ptr != NULL && ptr != sl->buff) {
+- intptr_t offs = sl->buff - ptr;
+ for (i = 0; i < sl->nlist; i++)
+- sl->list[i] += offs;
++ sl->list[i] = sl->buff + (sl->list[i] - ptr);
+ }
+ disabled_cleanup(&pintr_disabled);
+ }
diff --git a/tcsh.changes b/tcsh.changes
index ef5ebcf..65bd906 100644
--- a/tcsh.changes
+++ b/tcsh.changes
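Review bot: In the embedded tw.init.c hunk, the replacement line `sl->list[i] = sl->buff + (sl->list[i] - ptr);` still evaluates `sl->list[i] - ptr` after `xrealloc()` has returned, and when the block has moved both operands refer to the released allocation, whose pointer values ISO C treats as indeterminate; the `ptr != sl->buff` test above it has the same property. Deriving the result from `sl->buff` does fix the out-of-bounds pointers the description reports, so this concerns the remaining reliance on the old values rather than the fix itself. The stricter form records each element's offset from `sl->buff` before the `xrealloc()` call and rebuilds `sl->list[i]` from those offsets afterwards; that code sits above the hunk, where `ptr` is presumably assigned, so it cannot be checked from here. At minimum the new line deserves a comment such as `/* rebase on the new buffer: list[i] and ptr both refer to the old block, only their distance is used */`.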
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Dec 7 15:29:56 UTC 2016 - werner@suse.de
+
+- Add patch tcsh-6.20-ptr-update.patch from mailing list to correct
+ updating pointers to a reallocated buffer of of linked list elements
+- Remove --hash-size options as there is no any change in the final
+ binary nor library anymore
+
 -------------------------------------------------------------------
 Thu Dec 1 11:53:40 UTC 2016 - werner@suse.de
 
diff --git a/tcsh.spec b/tcsh.spec
index 65aa81f..c6eac8c 100644
--- a/tcsh.spec
+++ b/tcsh.spec
@@ -39,6 +39,8 @@ Patch10: tcsh-6.18.03-history-merge.dif
 Patch11: tcsh-6.19.00-history-file-locking-order.patch
 # PATCH-FIX-COMUNITY fix handling of rmstar
 Patch12: tcsh-6.20-rmstar.patch
+# PATCH-FIX-COMUNITY fix updating pointers to a reallocated buffer of linked list elements
+Patch13: tcsh-6.20-ptr-update.patch
 BuildRequires: autoconf
 BuildRequires: fdupes
 BuildRequires: ncurses-devel
@@ -68,6 +70,7 @@ correction, a history mechanism, job control, and a C-like syntax.
 %patch10 -b .histmerg
 %patch11 -b .histlckord
 %patch12 -p1 -b .rmstar
+%patch13 -p0 -b .ptrbuf
 %patch0 -b .0
 
 %build
@@ -103,7 +106,6 @@ correction, a history mechanism, job control, and a C-like syntax.
 cflags -ftree-loop-linear CFLAGS
 cflags -Wl,-O2 LDFLAGS
 cflags -Wl,--as-needed LDFLAGS
- cflags -Wl,--hash-size=16699 LDFLAGS
 export CC CFLAGS LDFLAGS
 %ifarch %ix86
 CPU=i586