[Feature][ZXW-285]merge P56U05 version
Only Configure: No
Affected branch: master
Affected module: unknown
Is it affected on both ZXIC and MTK: only ZXIC
Self-test: Yes
Doc Update: No
Change-Id: Ied657102425a179a89ef41847170152e8a5d437c
diff --git a/ap/libc/glibc/glibc-2.23/malloc/malloc.c b/ap/libc/glibc/glibc-2.23/malloc/malloc.c
old mode 100644
new mode 100755
index d20d595..69e2141
--- a/ap/libc/glibc/glibc-2.23/malloc/malloc.c
+++ b/ap/libc/glibc/glibc-2.23/malloc/malloc.c
@@ -1252,14 +1252,21 @@
MINSIZE : \
((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
-/* Same, except also perform argument check */
-
-#define checked_request2size(req, sz) \
- if (REQUEST_OUT_OF_RANGE (req)) { \
- __set_errno (ENOMEM); \
- return 0; \
- } \
- (sz) = request2size (req);
+/* Same, except also perform an argument and result check. First, we check
+ that the padding done by request2size didn't result in an integer
+ overflow. Then we check (using REQUEST_OUT_OF_RANGE) that the resulting
+ size isn't so large that a later alignment would lead to another integer
+ overflow. */
+#define checked_request2size(req, sz) \
+({ \
+ (sz) = request2size (req); \
+ if (((sz) < (req)) \
+ || REQUEST_OUT_OF_RANGE (sz)) \
+ { \
+ __set_errno (ENOMEM); \
+ return 0; \
+ } \
+})
/*
--------------- Physical chunk operations ---------------
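Review bot: The rewritten `checked_request2size` still hides a `return 0` inside the macro and now evaluates `req` more than once (inside `request2size (req)` and again in `(sz) < (req)`), and neither is mentioned in the new comment. A caller passing an expression with side effects, or using the macro in a function that must release something before returning, would get this wrong silently. I would extend the comment with `NB: expands to 'return 0' in the calling function on failure and evaluates REQ more than once; pass only side-effect-free arguments.` The statement expression ends in an `if`, so it yields no value and must only be used as a statement.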
@@ -4415,7 +4422,12 @@
Strategy: find a spot within that chunk that meets the alignment
request, and then possibly free the leading and trailing space.
*/
-
+ /* Check for overflow. */
+ if (nb > SIZE_MAX - alignment - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
/* Call malloc with worst case padding to hit alignment. */
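Review bot: The new guard `nb > SIZE_MAX - alignment - MINSIZE` is only sound if `alignment` is itself bounded, because the right-hand side wraps when `alignment > SIZE_MAX - MINSIZE`, and the guard then no longer rejects a large `nb`. Nothing in the hunk shows where `alignment` is limited. If the caller already rejects oversized alignments, record that at the check, e.g. `/* Check for overflow. ALIGNMENT is bounded by the caller, so the subtraction cannot wrap. */`; otherwise add the bound here. The function body starts and ends outside the hunk.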
diff --git a/ap/libc/glibc/glibc-2.23/posix/glob.c b/ap/libc/glibc/glibc-2.23/posix/glob.c
index a1e49ec..02dfd5f 100755
--- a/ap/libc/glibc/glibc-2.23/posix/glob.c
+++ b/ap/libc/glibc/glibc-2.23/posix/glob.c
@@ -827,7 +827,7 @@
*p = '\0';
}
else
- *((char *) mempcpy (newp, dirname + 1, end_name - dirname))
+ *((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
= '\0';
user_name = newp;
}
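Review bot: The corrected length `end_name - dirname - 1` in the `mempcpy` call carries no comment explaining the subtraction, which makes this easy to break again. The source pointer is `dirname + 1`, so only `end_name - dirname - 1` bytes lie before `end_name`; I would add `/* dirname + 1 skips the first character, so the name is end_name - dirname - 1 bytes long. */` above the `else`. The allocation of `newp` is outside the hunk, so confirm that it still leaves room for the NUL stored right after the copied bytes.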
diff --git a/ap/libc/glibc/glibc-2.23/posix/wordexp.c b/ap/libc/glibc/glibc-2.23/posix/wordexp.c
old mode 100644
new mode 100755
index ecc7615..48cf1d8
--- a/ap/libc/glibc/glibc-2.23/posix/wordexp.c
+++ b/ap/libc/glibc/glibc-2.23/posix/wordexp.c
@@ -1456,7 +1456,7 @@
/* Is it a numeric parameter? */
else if (isdigit (env[0]))
{
- int n = atoi (env);
+ unsigned long n = strtoul (env, NULL, 10);
if (n >= __libc_argc)
/* Substitute NULL. */
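Review bot: The bound check `if (n >= __libc_argc)` now compares an `unsigned long` with what is presumably an `int`, and the call `strtoul (env, NULL, 10)` has no error handling, so the safety of the check rests on two things left unstated. The first is the implicit conversion of `__libc_argc` to `unsigned long`; the second is `strtoul` saturating at `ULONG_MAX` on out-of-range input. Both send an oversized digit string into the "Substitute NULL" branch, which is the safe outcome, but it should be stated: `/* strtoul saturates at ULONG_MAX, so an out-of-range index fails the bound check below. */` and `if (n >= (unsigned long) __libc_argc)`. The branch bodies that index with `n` are outside the hunk.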
diff --git a/ap/libc/glibc/glibc-2.23/sysdeps/unix/sysv/linux/getcwd.c b/ap/libc/glibc/glibc-2.23/sysdeps/unix/sysv/linux/getcwd.c
old mode 100644
new mode 100755
index 3f21ae7..8c33b0f
--- a/ap/libc/glibc/glibc-2.23/sysdeps/unix/sysv/linux/getcwd.c
+++ b/ap/libc/glibc/glibc-2.23/sysdeps/unix/sysv/linux/getcwd.c
@@ -76,7 +76,7 @@
int retval;
retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size);
- if (retval >= 0)
+ if (retval > 0 && path[0] == '/')
{
#ifndef NO_ALLOCATION
if (buf == NULL && size == 0)
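Review bot: The new success condition `retval > 0 && path[0] == '/'` has no comment at the check itself; the only explanation is in the fallback comment of the next hunk, several lines further down. A reader of this branch cannot tell that a successful syscall may hand back a path that is not absolute, and that such a result must not be returned to the caller. I would add above the `if`: `/* The syscall can succeed without returning an absolute path; accept the result only if it starts with '/'. */`. The matching `retval >= 0 || errno == ENAMETOOLONG` test in the following hunk relies on this branch having rejected that case.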
@@ -92,10 +92,10 @@
return buf;
}
- /* The system call cannot handle paths longer than a page.
- Neither can the magic symlink in /proc/self. Just use the
- generic implementation right away. */
- if (errno == ENAMETOOLONG)
+ /* The system call either cannot handle paths longer than a page
+ or can succeed without returning an absolute path. Just use the
+ generic implementation right away. */
+ if (retval >= 0 || errno == ENAMETOOLONG)
{
#ifndef NO_ALLOCATION
if (buf == NULL && size == 0)
diff --git a/ap/libc/glibc/glibc-2.23/sysdeps/unix/sysv/linux/if_index.c b/ap/libc/glibc/glibc-2.23/sysdeps/unix/sysv/linux/if_index.c
old mode 100644
new mode 100755
index 7c3bb6c..8a0fd43
--- a/ap/libc/glibc/glibc-2.23/sysdeps/unix/sysv/linux/if_index.c
+++ b/ap/libc/glibc/glibc-2.23/sysdeps/unix/sysv/linux/if_index.c
@@ -38,12 +38,12 @@
return 0;
#else
struct ifreq ifr;
+
+ strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name));
int fd = __opensock ();
if (fd < 0)
return 0;
-
- strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name));
if (__ioctl (fd, SIOCGIFINDEX, &ifr) < 0)
{
int saved_errno = errno;
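Review bot: Moving the `strncpy` ahead of `__opensock ()` does not change what is copied: an `ifname` of `sizeof (ifr.ifr_name)` bytes or longer is still silently truncated and left without a terminating NUL before it reaches the `SIOCGIFINDEX` ioctl. A truncated name could resolve to a different interface than the one the caller asked for. If the intent of the reorder was to validate the name before a descriptor is opened, the check itself is missing; I would put `if (strlen (ifname) >= sizeof (ifr.ifr_name)) { __set_errno (ENODEV); return 0; }` ahead of the copy. The rest of the function, including where `fd` is closed, is outside the hunk.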