Boost C++ Libraries: Ticket #6701: integer overflows in ordered_malloc()

attachment set

Sun, 18 Mar 2012 02:09:24 GMT

attachment → pool.patch

fix integer overflows in pool::ordered_malloc

owner, status changed

edupuis — Thu, 03 May 2012 16:48:12 GMT

owner changed from Chris Newbold to edupuis
status new → assigned

edupuis — Fri, 04 May 2012 19:31:30 GMT

There are many other overflows in class pool that needs to be fixed.

status changed; resolution set

edupuis — Fri, 04 May 2012 20:35:30 GMT

status assigned → closed
resolution → fixed

(In [78326]) Clamped value of parameters 'next_size' and 'max_size' (which controls the number of memory chunks to allocate) such that when computing the number of bytes that must be allocated, this number of bytes never overflows a 'size_type'. This fixes #6701, in a different manner than the submitted patch.

status changed; resolution deleted

edupuis — Mon, 21 May 2012 06:00:00 GMT

status closed → reopened
resolution fixed

owner, status, type changed

edupuis — Mon, 16 Jul 2012 20:02:28 GMT

owner changed from edupuis to John Maddock
status reopened → new
type Patches → Bugs

https://svn.boost.org/svn/boost/sandbox/pool at revision 79460 contains a solution for tickets #3789, #5902, #6561, #6610, #6701, #6718, #6865 and #6867. Related test cases are also present.

https://svn.boost.org/svn/boost/sandbox/pool at revision 79460 does not contain any other new features or modifications other than those related to the above tickets.

Boost.Pool currently has no maintainer and is thus orphaned.

Denis Arnaud — Fri, 20 Jul 2012 14:36:48 GMT

Would it be possible to apply that patch on the release branch (as well as on the trunk)? So, the milestone could become 1.51, if I understand correctly.

Note that that security/vulnerability issue is tracked by the following page: http://www.openwall.com/lists/oss-security/2012/06/07/13

Reference for Fedora/RedHat/CentOS: https://bugzilla.redhat.com/show_bug.cgi?id=828856

Marshall Clow — Fri, 20 Jul 2012 17:11:28 GMT

Replying to edupuis:

I'm curious why this ticket was reopened. Did [78326] not fix this problem?

All I see is a notice that the ticket has been reopened.

To prevent confusion like this, a test that demonstrates the problem would be useful.

Denis Arnaud — Fri, 20 Jul 2012 18:08:04 GMT

Replying to marshall:

Replying to edupuis:

I'm curious why this ticket was reopened. Did [78326] not fix this problem?

[78326] fixed this problem... but only within the sandbox branch :( So, the fix/patch needs to be applied to both the trunk and release branches.

Hope it clarifies.

Tue, 02 Dec 2014 14:57:53 GMT

I just checked the master branch (a038658 in particular), and the fix is not applied. Is there a reason not to push this to master? In Fedora we have kept lugging the patch along for years, it would be really nice to be able to retire it. Thank you.

anonymous — Fri, 17 Jul 2015 10:01:02 GMT

Still not fixed on master.

attachment set

Fri, 17 Jul 2015 11:17:31 GMT

attachment → boost-1.58.0-pool.patch

Updated patch against 1.58.0, fixing shadowing warning.

attachment set

Fri, 17 Jul 2015 15:22:02 GMT

attachment → boost-1.58.0-pool.2.patch

*Correct* patch against 1.58.0, fixing shadowing warning.

Fri, 17 Jul 2015 15:23:03 GMT

The first patch I attached earlier today was the wrong version, which doesn't build, sorry. The second one is the right version of the file that I'm actually using here.

g.gupta@… — Thu, 20 Aug 2015 08:45:54 GMT

Is this fix applied to trunk code ?

Thu, 20 Aug 2015 09:17:11 GMT

Replying to g.gupta@…:

Is this fix applied to trunk code ?

No.