xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-support/boost/boost/boost-CVE-2012-2677.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1Reference
2
3https://svn.boost.org/trac/boost/changeset/78326
4
5Upstream-Status: Backport
6CVE: CVE-2012-2677
7Signed-off-by: Yue Tao <yue.tao@windriver.com>
8
9diff --git a/boost/pool/pool.hpp.old b/boost/pool/pool.hpp
10index c47b11f..417a1e0 100644
11--- a/boost/pool/pool.hpp.old
12+++ b/boost/pool/pool.hpp
13@@ -26,6 +26,8 @@
14
15 #include <boost/pool/poolfwd.hpp>
16
17+// std::numeric_limits
18+#include <boost/limits.hpp>
19 // boost::integer::static_lcm
20 #include <boost/integer/common_factor_ct.hpp>
21 // boost::simple_segregated_storage
22@@ -355,6 +357,15 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
23       return s;
24     }
25
26+    size_type max_chunks() const
27+    { //! Calculated maximum number of memory chunks that can be allocated in a single call by this Pool.
28+      size_type partition_size = alloc_size();
29+      size_type POD_size = integer::static_lcm<sizeof(size_type), sizeof(void *)>::value + sizeof(size_type);
30+      size_type max_chunks = (std::numeric_limits<size_type>::max() - POD_size) / alloc_size();
31+
32+      return max_chunks;
33+    }
34+
35     static void * & nextof(void * const ptr)
36     { //! \returns Pointer dereferenced.
37       //! (Provided and used for the sake of code readability :)
38@@ -375,6 +386,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
39       //!   the first time that object needs to allocate system memory.
40       //!   The default is 32. This parameter may not be 0.
41       //! \param nmax_size is the maximum number of chunks to allocate in one block.
42+      set_next_size(nnext_size);
43+      set_max_size(nmax_size);
44     }
45
46     ~pool()
47@@ -398,8 +411,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
48     }
49     void set_next_size(const size_type nnext_size)
50     { //! Set number of chunks to request from the system the next time that object needs to allocate system memory. This value should never be set to 0.
51-      //! \returns nnext_size.
52-      next_size = start_size = nnext_size;
53+      BOOST_USING_STD_MIN();
54+      next_size = start_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nnext_size, max_chunks());
55     }
56     size_type get_max_size() const
57     { //! \returns max_size.
58@@ -407,7 +420,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
59     }
60     void set_max_size(const size_type nmax_size)
61     { //! Set max_size.
62-      max_size = nmax_size;
63+      BOOST_USING_STD_MIN();
64+      max_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nmax_size, max_chunks());
65     }
66     size_type get_requested_size() const
67     { //!   \returns the requested size passed into the constructor.
68@@ -708,9 +722,9 @@ void * pool<UserAllocator>::malloc_need_resize()
69
70   BOOST_USING_STD_MIN();
71   if(!max_size)
72-    next_size <<= 1;
73+    set_next_size(next_size << 1);
74   else if( next_size*partition_size/requested_size < max_size)
75-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
76+    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
77
78   //  initialize it,
79   store().add_block(node.begin(), node.element_size(), partition_size);
80@@ -748,9 +762,9 @@ void * pool<UserAllocator>::ordered_malloc_need_resize()
81
82   BOOST_USING_STD_MIN();
83   if(!max_size)
84-    next_size <<= 1;
85+    set_next_size(next_size << 1);
86   else if( next_size*partition_size/requested_size < max_size)
87-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
88+    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
89
90   //  initialize it,
91   //  (we can use "add_block" here because we know that
92@@ -792,6 +806,8 @@ void * pool<UserAllocator>::ordered_malloc(const size_type n)
93 { //! Gets address of a chunk n, allocating new memory if not already available.
94   //! \returns Address of chunk n if allocated ok.
95   //! \returns 0 if not enough memory for n chunks.
96+  if (n > max_chunks())
97+    return 0;
98
99   const size_type partition_size = alloc_size();
100   const size_type total_req_size = n * requested_size;
101@@ -840,9 +856,9 @@ void * pool<UserAllocator>::ordered_malloc(const size_type n)
102
103   BOOST_USING_STD_MIN();
104   if(!max_size)
105-    next_size <<= 1;
106+    set_next_size(next_size << 1);
107   else if( next_size*partition_size/requested_size < max_size)
108-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
109+    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
110
111   //  insert it into the list,
112   //   handle border case.
113