-commit c8fc0c91695b1c7003c7170861274161f9224817
-Author: Ulrich Drepper <drepper@gmail.com>
-Date: Tue May 31 08:45:44 2011 -0400
+commit 58b930ae216bfa98cd60212b954b07b9963d6d04
+Author: Siddhesh Poyarekar <siddhesh@redhat.com>
+Date: Wed Sep 10 21:51:50 2014 +0530
- Don't free non-malloced memory and fix memory leak
+ Return failure in getnetgrent only when all netgroups have been searched (#17363)
+
+ The netgroups lookup code fails when one of the groups in the search
+ tree is empty. In such a case it only returns the leaves of the tree
+ after the blank netgroup. This is because the line parser returns a
+ NOTFOUND status when the netgroup exists but is empty. The
+ __getnetgrent_internal implementation needs to be fixed to try
+ remaining groups if the current group is empty. This patch implements
+ this fix. Tested on x86_64.
+
+ [BZ #17363]
+ * inet/getnetgrent_r.c (__internal_getnetgrent_r): Try next
+ group if the current group is empty.
-diff --git a/nscd/nscd_getserv_r.c b/nscd/nscd_getserv_r.c
-index de96a57..f9ef056 100644
---- a/nscd/nscd_getserv_r.c
-+++ b/nscd/nscd_getserv_r.c
-@@ -124,6 +124,7 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
- s_name = (char *) (&found->data[0].servdata + 1);
- serv_resp = found->data[0].servdata;
- s_proto = s_name + serv_resp.s_name_len;
-+ alloca_aliases_len = 1;
- aliases_len = (uint32_t *) (s_proto + serv_resp.s_proto_len);
- aliases_list = ((char *) aliases_len
- + serv_resp.s_aliases_cnt * sizeof (uint32_t));
-@@ -154,7 +155,9 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
- + (serv_resp.s_aliases_cnt
- * sizeof (uint32_t)));
- if (alloca_aliases_len)
-- tmp = __alloca (serv_resp.s_aliases_cnt * sizeof (uint32_t));
-+ tmp = alloca_account (serv_resp.s_aliases_cnt
-+ * sizeof (uint32_t),
-+ alloca_used);
- else
- {
- tmp = malloc (serv_resp.s_aliases_cnt * sizeof (uint32_t));
-@@ -249,8 +252,9 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
- + (serv_resp.s_aliases_cnt
- * sizeof (uint32_t)));
- if (alloca_aliases_len)
-- aliases_len = alloca (serv_resp.s_aliases_cnt
-- * sizeof (uint32_t));
-+ aliases_len = alloca_account (serv_resp.s_aliases_cnt
-+ * sizeof (uint32_t),
-+ alloca_used);
- else
- {
- aliases_len = malloc (serv_resp.s_aliases_cnt
-@@ -368,7 +372,11 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
- }
-
- if (retval != -1)
-- goto retry;
-+ {
-+ if (!alloca_aliases_len)
-+ free (aliases_len);
-+ goto retry;
-+ }
- }
+diff --git a/inet/getnetgrent_r.c b/inet/getnetgrent_r.c
+index f6d064d..e101537 100644
+--- a/inet/getnetgrent_r.c
++++ b/inet/getnetgrent_r.c
+@@ -297,7 +297,10 @@ __internal_getnetgrent_r (char **hostp, char **userp, char **domainp,
+ {
+ status = DL_CALL_FCT (*fct, (datap, buffer, buflen, &errno));
- if (!alloca_aliases_len)
-commit 8c29731192565b9c917d6b97db78dcd302283df8
-Author: Ulrich Drepper <drepper@gmail.com>
-Date: Tue May 31 14:23:01 2011 -0400
-
- Fix typo in stack guard setup code for old kernels
-
-diff --git a/sysdeps/unix/sysv/linux/dl-osinfo.h b/sysdeps/unix/sysv/linux/dl-osinfo.h
-index eb7fedc..28fce4f 100644
---- a/sysdeps/unix/sysv/linux/dl-osinfo.h
-+++ b/sysdeps/unix/sysv/linux/dl-osinfo.h
-@@ -81,7 +81,7 @@ _dl_setup_stack_chk_guard (void *dl_random)
- {
- ssize_t reslen = read_not_cancel (fd, ret.bytes + 1, filllen);
- close_not_cancel_no_status (fd);
-- if (reslen == (ssize_) filllen)
-+ if (reslen == (ssize_t) filllen)
- return ret.num;
- }
- # endif
-;2011-06-10 Andreas Schwab <schwab@redhat.com>
-;
-; * sysdeps/posix/getaddrinfo.c (gaih_inet): Fix logic allocating
-; tmpbuf.
-;
-diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
-index 1e017b2..469abe2 100644
---- a/sysdeps/posix/getaddrinfo.c
-+++ b/sysdeps/posix/getaddrinfo.c
-@@ -821,7 +821,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
- size_t tmpbuflen = 1024;
- malloc_tmpbuf = !__libc_use_alloca (alloca_used + tmpbuflen);
- assert (tmpbuf == NULL);
-- if (malloc_tmpbuf)
-+ if (!malloc_tmpbuf)
- tmpbuf = alloca_account (tmpbuflen, alloca_used);
- else
- {
-commit 3d29045b5e8329d97693eda8d98f1d1e60b99c8f
-Author: H.J. Lu <hongjiu.lu@intel.com>
-Date: Fri Jun 3 07:01:25 2011 -0400
-
- Assume Intel Core i3/i5/i7 processor if AVX is available
-
-diff --git a/sysdeps/x86_64/multiarch/init-arch.c b/sysdeps/x86_64/multiarch/init-arch.c
-index 34ec2df..809d105 100644
---- a/sysdeps/x86_64/multiarch/init-arch.c
-+++ b/sysdeps/x86_64/multiarch/init-arch.c
-@@ -74,6 +74,7 @@ __init_cpu_features (void)
- }
- else if (family == 0x06)
+- if (status == NSS_STATUS_RETURN)
++ if (status == NSS_STATUS_RETURN
++ /* The service returned a NOTFOUND, but there are more groups that we
++ need to resolve before we give up. */
++ || (status == NSS_STATUS_NOTFOUND && datap->needed_groups != NULL))
{
-+ ecx = __cpu_features.cpuid[COMMON_CPUID_INDEX_1].ecx;
- model += extended_model;
- switch (model)
- {
-@@ -83,6 +84,12 @@ __init_cpu_features (void)
- __cpu_features.feature[index_Slow_BSF] |= bit_Slow_BSF;
- break;
-
-+ default:
-+ /* Unknown family 0x06 processors. Assuming this is one
-+ of Core i3/i5/i7 processors if AVX is available. */
-+ if ((ecx & bit_AVX) == 0)
-+ break;
-+
- case 0x1a:
- case 0x1e:
- case 0x1f:
-commit c71ca1f89c6e89d8c4145e4c2fdcce2fc78812bd
-Author: Andreas Jaeger <aj@suse.de>
-Date: Tue Jun 14 13:11:39 2011 -0700
+ /* This was the last one for this group. Look at next group
+ if available. */
+commit 984c0ea97f649c869130a1ff099098e2b6f70aad
+Author: Tim Lammens <tim.lammens@gmail.com>
+Date: Thu Sep 11 10:35:54 2014 +0530
- Quash two memset undeclared warnings.
+ Fix memory leak in libio/wfileops.c do_ftell_wide [BZ #17370]
-diff --git a/nptl/pthread_rwlock_init.c b/nptl/pthread_rwlock_init.c
-index c0aa194..9ecd48c 100644
---- a/nptl/pthread_rwlock_init.c
-+++ b/nptl/pthread_rwlock_init.c
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2002, 2007, 2009 Free Software Foundation, Inc.
-+/* Copyright (C) 2002,2007,2009,2011 Free Software Foundation, Inc.
- This file is part of the GNU C Library.
- Contributed by Ulrich Drepper <drepper@redhat.com>, 2002.
-
-@@ -18,6 +18,7 @@
- 02111-1307 USA. */
-
- #include "pthreadP.h"
-+#include <string.h>
- #include <kernel-features.h>
+diff --git a/libio/wfileops.c b/libio/wfileops.c
+index f123add..ebc06e8 100644
+--- a/libio/wfileops.c
++++ b/libio/wfileops.c
+@@ -711,6 +711,7 @@ do_ftell_wide (_IO_FILE *fp)
+ return WEOF;
+ offset += outstop - out;
++ free (out);
+ }
-diff --git a/sysdeps/unix/sysv/linux/check_native.c b/sysdeps/unix/sysv/linux/check_native.c
-index 6e6624a..dedce34 100644
---- a/sysdeps/unix/sysv/linux/check_native.c
-+++ b/sysdeps/unix/sysv/linux/check_native.c
-@@ -1,5 +1,5 @@
- /* Determine whether interfaces use native transport. Linux version.
-- Copyright (C) 2007 Free Software Foundation, Inc.
-+ Copyright (C) 2007,2011 Free Software Foundation, Inc.
- This file is part of the GNU C Library.
-
- The GNU C Library is free software; you can redistribute it and/or
-@@ -23,6 +23,7 @@
- #include <stddef.h>
- #include <stdint.h>
- #include <stdlib.h>
-+#include <string.h>
- #include <time.h>
- #include <unistd.h>
- #include <net/if.h>
-commit c5e3c2ae59cc8c5d3ad5e1adfd099c726baad862
-Author: Ulrich Drepper <drepper@gmail.com>
-Date: Tue Jun 21 13:06:42 2011 -0400
+ /* We don't trust _IO_read_end to represent the current file offset
+commit 52ffbdf25a1100986f4ae27bb0febbe5a722ab25
+Author: Florian Weimer <fweimer@redhat.com>
+Date: Wed Sep 10 20:29:15 2014 +0200
- Minor optimization of getaddrinfo after recent patch
+ malloc: additional unlink hardening for non-small bins [BZ #17344]
+
+ Turn two asserts into a conditional call to malloc_printerr. The
+ memory locations are accessed later anyway, so the performance
+ impact is minor.
-diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
-index 469abe2..d68ac83 100644
---- a/sysdeps/posix/getaddrinfo.c
-+++ b/sysdeps/posix/getaddrinfo.c
-@@ -565,7 +565,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
- IPv6 scope ids. */
- if (req->ai_family == AF_INET)
- {
-- int family = req->ai_family;
- size_t tmpbuflen = 512;
- assert (tmpbuf == NULL);
- tmpbuf = alloca_account (tmpbuflen, alloca_used);
-@@ -576,7 +575,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
-
- while (1)
- {
-- rc = __gethostbyname2_r (name, family, &th, tmpbuf,
-+ rc = __gethostbyname2_r (name, AF_INET, &th, tmpbuf,
- tmpbuflen, &h, &herrno);
- if (rc != ERANGE || herrno != NETDB_INTERNAL)
- break;
-@@ -638,18 +637,9 @@ gaih_inet (const char *name, const struct gaih_service *service,
- (*pat)->scopeid = 0;
- }
- (*pat)->next = NULL;
-- (*pat)->family = req->ai_family;
-- if (family == req->ai_family)
-- memcpy ((*pat)->addr, h->h_addr_list[i],
-- h->h_length);
-- else
-- {
-- uint32_t *addr = (uint32_t *) (*pat)->addr;
-- addr[3] = *(uint32_t *) h->h_addr_list[i];
-- addr[2] = htonl (0xffff);
-- addr[1] = 0;
-- addr[0] = 0;
-- }
-+ (*pat)->family = AF_INET;
-+ memcpy ((*pat)->addr, h->h_addr_list[i],
-+ h->h_length);
- pat = &((*pat)->next);
- }
- }
-commit c0244a9dedce43a4b950d91451b16a7cf5408476
-Author: Ulrich Drepper <drepper@gmail.com>
-Date: Tue Jun 21 17:03:38 2011 -0400
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 6ee3840..6cbe9f3 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -1418,8 +1418,10 @@ typedef struct malloc_chunk *mbinptr;
+ BK->fd = FD; \
+ if (!in_smallbin_range (P->size) \
+ && __builtin_expect (P->fd_nextsize != NULL, 0)) { \
+- assert (P->fd_nextsize->bk_nextsize == P); \
+- assert (P->bk_nextsize->fd_nextsize == P); \
++ if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0) \
++ || __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0)) \
++ malloc_printerr (check_action, \
++ "corrupted double-linked list (not small)", P);\
+ if (FD->fd_nextsize == NULL) { \
+ if (P->fd_nextsize == P) \
+ FD->fd_nextsize = FD->bk_nextsize = FD; \
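Review bot: The new `malloc_printerr` call in the non-small-bin branch is not followed by an `else`, so if `check_action` is set so that `malloc_printerr` returns rather than aborts (its behaviour is not visible in this hunk), the `fd_nextsize`/`bk_nextsize` relinking that starts at `if (FD->fd_nextsize == NULL) {` still runs on a list that was just reported as corrupted. Wrapping that relinking in the `else` arm of the new check would keep the macro from writing through the inconsistent pointers. The check dereferences `P->bk_nextsize` while only `P->fd_nextsize` is tested against NULL, which is worth a one-line comment stating that a chunk on the nextsize list is expected to have both set. The macro body continues outside the hunk.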
+commit a7b872687073decdcc7effc2289877d69058aca9
+Author: Andreas Schwab <schwab@linux-m68k.org>
+Date: Sat Sep 13 10:10:29 2014 +0200
- Fix IPv6-only lookups through getaddrinfo
-
- A recent patch introduced a problem where IPv6 lookups happily returned
- IPv4 addresses.
+ Handle zero prefix length in getifaddrs (BZ #17371)
-diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
-index d68ac83..3a2737e 100644
---- a/sysdeps/posix/getaddrinfo.c
-+++ b/sysdeps/posix/getaddrinfo.c
-@@ -871,16 +871,44 @@ gaih_inet (const char *name, const struct gaih_service *service,
- }
- }
+diff --git a/sysdeps/unix/sysv/linux/ifaddrs.c b/sysdeps/unix/sysv/linux/ifaddrs.c
+index 2c04e17..a47b2ed 100644
+--- a/sysdeps/unix/sysv/linux/ifaddrs.c
++++ b/sysdeps/unix/sysv/linux/ifaddrs.c
+@@ -770,20 +770,17 @@ getifaddrs_internal (struct ifaddrs **ifap)
-- no_inet6_data = no_data;
--
- if (status == NSS_STATUS_SUCCESS)
+ if (cp != NULL)
{
-+ assert (!no_data);
-+ no_data = 1;
-+
- if ((req->ai_flags & AI_CANONNAME) != 0 && canon == NULL)
- canon = (*pat)->name;
+- char c;
+ unsigned int preflen;
- while (*pat != NULL)
-- pat = &((*pat)->next);
-+ {
-+ if ((*pat)->family == AF_INET
-+ && req->ai_family == AF_INET6
-+ && (req->ai_flags & AI_V4MAPPED) != 0)
-+ {
-+ uint32_t *pataddr = (*pat)->addr;
-+ (*pat)->family = AF_INET6;
-+ pataddr[3] = pataddr[0];
-+ pataddr[2] = htonl (0xffff);
-+ pataddr[1] = 0;
-+ pataddr[0] = 0;
-+ pat = &((*pat)->next);
-+ no_data = 0;
-+ }
-+ else if ((*pat)->family == AF_UNSPEC
-+ || (*pat)->family == req->ai_family)
-+ {
-+ pat = &((*pat)->next);
-+
-+ no_data = 0;
-+ if (req->ai_family == AF_INET6)
-+ got_ipv6 = true;
-+ }
-+ else
-+ *pat = ((*pat)->next);
-+ }
+- if ((max_prefixlen > 0) &&
+- (ifam->ifa_prefixlen > max_prefixlen))
++ if (ifam->ifa_prefixlen > max_prefixlen)
+ preflen = max_prefixlen;
+ else
+ preflen = ifam->ifa_prefixlen;
+
+- for (i = 0; i < ((preflen - 1) / 8); i++)
++ for (i = 0; i < preflen / 8; i++)
+ *cp++ = 0xff;
+- c = 0xff;
+- c <<= ((128 - preflen) % 8);
+- *cp = c;
++ if (preflen % 8)
++ *cp = 0xff << (8 - preflen % 8);
}
-+
-+ no_inet6_data = no_data;
}
- else
- {
-commit 6e502e19455c6110dd4487d91b7b7d6d8121f9ba
-Author: Ulrich Drepper <drepper@gmail.com>
-Date: Wed Jun 22 08:32:55 2011 -0400
+ }
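Review bot: With the `max_prefixlen > 0` guard removed, `if (ifam->ifa_prefixlen > max_prefixlen)` clamps `preflen` to 0 whenever `max_prefixlen` was left at 0. For `preflen == 0` neither the loop nor the `preflen % 8` branch stores anything, so the resulting netmask is correct only if the storage behind `cp` was zero-filled earlier, and that setup is outside the hunk. A comment would record the dependency, for example `/* The netmask storage is already zeroed; only the leading PREFLEN bits are set here. */`, with the wording confirmed against the allocation code. The bound on the `*cp++ = 0xff` loop also depends on `max_prefixlen` matching the size of the address field, which is likewise assigned outside the hunk.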
+commit 545583d664b64ff234b99aca0d85e99c8a55808f
+Author: Siddhesh Poyarekar <siddhesh@redhat.com>
+Date: Tue Sep 16 14:20:45 2014 +0530
- Clean up after kernel sigcontext header mess
+ Fix memory leak in error path of do_ftell_wide (BZ #17370)
-diff --git a/sysdeps/unix/sysv/linux/bits/sigcontext.h b/sysdeps/unix/sysv/linux/bits/sigcontext.h
-index 67dcf94..0f5b607 100644
---- a/sysdeps/unix/sysv/linux/bits/sigcontext.h
-+++ b/sysdeps/unix/sysv/linux/bits/sigcontext.h
-@@ -1,4 +1,4 @@
--/* Copyright (C) 1996, 1997, 1998 Free Software Foundation, Inc.
-+/* Copyright (C) 1996, 1997, 1998, 2011 Free Software Foundation, Inc.
- This file is part of the GNU C Library.
+diff --git a/libio/wfileops.c b/libio/wfileops.c
+index ebc06e8..c5ec5f7 100644
+--- a/libio/wfileops.c
++++ b/libio/wfileops.c
+@@ -708,7 +708,10 @@ do_ftell_wide (_IO_FILE *fp)
+ sequences must be complete since they are accepted as
+ wchar_t; if not, then that is an error. */
+ if (__glibc_unlikely (status != __codecvt_ok))
+- return WEOF;
++ {
++ free (out);
++ return WEOF;
++ }
- The GNU C Library is free software; you can redistribute it and/or
-@@ -26,4 +26,8 @@
- # define sigcontext_struct sigcontext
-
- # include <asm/sigcontext.h>
-+
-+/* The Linux kernel headers redefine NULL wrongly, so cleanup afterwards. */
-+# define __need_NULL
-+# include <stddef.h>
- #endif
-commit 852eb34d5c56bc75bdd82327fcf310d98655f6b0
-Author: Ulrich Drepper <drepper@gmail.com>
-Date: Wed Jun 22 09:50:39 2011 -0400
+ offset += outstop - out;
+ free (out);
+commit 04b76b5aa8b2d1d19066e42dd1a56a38f34e274c
+Author: Andreas Schwab <schwab@suse.de>
+Date: Thu Oct 30 12:18:48 2014 +0100
- Rate limit expensive _SC_NPROCESSORS_ONLN computation
+ Don't error out writing a multibyte character to an unbuffered stream (bug 17522)
-diff --git a/sysdeps/unix/sysv/linux/getsysstats.c b/sysdeps/unix/sysv/linux/getsysstats.c
-index af454b6..a13b6e3 100644
---- a/sysdeps/unix/sysv/linux/getsysstats.c
-+++ b/sysdeps/unix/sysv/linux/getsysstats.c
-@@ -1,5 +1,5 @@
- /* Determine various system internal values, Linux version.
-- Copyright (C) 1996-2003,2006,2007,2009,2010 Free Software Foundation, Inc.
-+ Copyright (C) 1996-2003,2006,2007,2009,2010,2011 Free Software Foundation, Inc.
- This file is part of the GNU C Library.
- Contributed by Ulrich Drepper <drepper@cygnus.com>, 1996.
-
-@@ -35,6 +35,16 @@
-
- #include <atomic.h>
- #include <not-cancel.h>
-+#include <kernel-features.h>
+diff --git a/libio/Makefile b/libio/Makefile
+index 56952ce..2742128 100644
+--- a/libio/Makefile
++++ b/libio/Makefile
+@@ -61,7 +61,7 @@ tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf tst_getwc tst_putwc \
+ bug-memstream1 bug-wmemstream1 \
+ tst-setvbuf1 tst-popen1 tst-fgetwc bug-wsetpos tst-fseek \
+ tst-fwrite-error tst-ftell-partial-wide tst-ftell-active-handler \
+- tst-ftell-append
++ tst-ftell-append tst-fputws
+ ifeq (yes,$(build-shared))
+ # Add test-fopenloc only if shared library is enabled since it depends on
+ # shared localedata objects.
+diff --git a/libio/tst-fputws.c b/libio/tst-fputws.c
+new file mode 100644
+index 0000000..09f53df
+--- /dev/null
++++ b/libio/tst-fputws.c
+@@ -0,0 +1,39 @@
++/* Test that we can write a multibyte character to an unbuffered stream.
++ Copyright (C) 2014 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
+
-+#ifndef HAVE_CLOCK_GETTIME_VSYSCALL
-+# undef INTERNAL_VSYSCALL
-+# define INTERNAL_VSYSCALL INTERNAL_SYSCALL
-+# undef INLINE_VSYSCALL
-+# define INLINE_VSYSCALL INLINE_SYSCALL
-+#else
-+# include <bits/libc-vdso.h>
-+#endif
-
-
- /* How we can determine the number of available processors depends on
-@@ -128,6 +138,22 @@ next_line (int fd, char *const buffer, char **cp, char **re,
- int
- __get_nprocs ()
- {
-+ static int cached_result;
-+ static time_t timestamp;
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
+
-+#ifdef __ASSUME_POSIX_TIMERS
-+ struct timespec ts;
-+ INTERNAL_SYSCALL_DECL (err);
-+ INTERNAL_VSYSCALL (clock_gettime, err, 2, CLOCK_REALTIME, &ts);
-+#else
-+ struct timeval ts;
-+ gettimeofday (&ts, NULL);
-+#endif
-+ time_t prev = timestamp;
-+ atomic_read_barrier ();
-+ if (ts.tv_sec == prev)
-+ return cached_result;
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
+
- /* XXX Here will come a test for the new system call. */
-
- const size_t buffer_size = __libc_use_alloca (8192) ? 8192 : 512;
-@@ -169,6 +195,10 @@ __get_nprocs ()
- }
- }
-
-+ cached_result = result;
-+ atomic_write_barrier ();
-+ timestamp = ts.tv_sec;
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
+
- return result;
- }
- weak_alias (__get_nprocs, get_nprocs)
-commit 84e2a551a72c79b020694bb327e33b6d71b09b63
-Author: Ulrich Drepper <drepper@gmail.com>
-Date: Wed Jun 22 10:32:07 2011 -0400
-
- Use a /sys/devices/system/cpu/online for _SC_NPROCESSORS_ONLN implementation
-
-diff --git a/sysdeps/unix/sysv/linux/getsysstats.c b/sysdeps/unix/sysv/linux/getsysstats.c
-index a13b6e3..b74774f 100644
---- a/sysdeps/unix/sysv/linux/getsysstats.c
-+++ b/sysdeps/unix/sysv/linux/getsysstats.c
-@@ -161,20 +161,65 @@ __get_nprocs ()
- char *buffer_end = buffer + buffer_size;
- char *cp = buffer_end;
- char *re = buffer_end;
-- int result = 1;
-
- #ifdef O_CLOEXEC
- const int flags = O_RDONLY | O_CLOEXEC;
- #else
- const int flags = O_RDONLY;
- #endif
-+ int fd = open_not_cancel_2 ("/sys/devices/system/cpu/online", flags);
-+ char *l;
-+ int result = 0;
-+ if (fd != -1)
-+ {
-+ l = next_line (fd, buffer, &cp, &re, buffer_end);
-+ if (l != NULL)
-+ do
-+ {
-+ char *endp;
-+ unsigned long int n = strtoul (l, &endp, 10);
-+ if (l == endp)
-+ {
-+ result = 0;
-+ break;
-+ }
++#include <locale.h>
++#include <stdio.h>
++#include <wchar.h>
+
-+ unsigned long int m = n;
-+ if (*endp == '-')
-+ {
-+ l = endp + 1;
-+ m = strtoul (l, &endp, 10);
-+ if (l == endp)
-+ {
-+ result = 0;
-+ break;
-+ }
-+ }
++static int
++do_test (void)
++{
++ const wchar_t str[] = L"\xbe\n";
+
-+ result += m - n + 1;
++ setlocale (LC_ALL, "en_US.UTF-8");
++ setvbuf (stdout, NULL, _IONBF, 0);
+
-+ l = endp;
-+ while (l < re && isspace (*l))
-+ ++l;
-+ }
-+ while (l < re);
++ if (fputws (str, stdout) < 0)
++ return 1;
+
-+ close_not_cancel_no_status (fd);
++ return 0;
++}
+
-+ if (result > 0)
-+ goto out;
-+ }
++#define TEST_FUNCTION do_test ()
+
-+ cp = buffer_end;
-+ re = buffer_end;
-+ result = 1;
++#include <test-skeleton.c>
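Review bot: `do_test` ignores the result of `setlocale (LC_ALL, "en_US.UTF-8")`, so on a build host without that locale the test runs in the default locale and either fails with no diagnostic or passes without exercising the multibyte conversion path. Checking it makes the failure mode explicit: `if (setlocale (LC_ALL, "en_US.UTF-8") == NULL) { puts ("cannot set locale"); return 1; }`. The test also only checks that `fputws` does not report an error; it does not verify which bytes reach the stream.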
+diff --git a/libio/wfileops.c b/libio/wfileops.c
+index c5ec5f7..6a088b1 100644
+--- a/libio/wfileops.c
++++ b/libio/wfileops.c
+@@ -75,17 +75,32 @@ _IO_wdo_write (fp, data, to_do)
+ {
+ enum __codecvt_result result;
+ const wchar_t *new_data;
++ char mb_buf[MB_LEN_MAX];
++ char *write_base, *write_ptr, *buf_end;
+
- /* The /proc/stat format is more uniform, use it by default. */
-- int fd = open_not_cancel_2 ("/proc/stat", flags);
-+ fd = open_not_cancel_2 ("/proc/stat", flags);
- if (fd != -1)
- {
- result = 0;
++ if (fp->_IO_write_ptr - fp->_IO_write_base < sizeof (mb_buf))
++ {
++ /* Make sure we have room for at least one multibyte
++ character. */
++ write_ptr = write_base = mb_buf;
++ buf_end = mb_buf + sizeof (mb_buf);
++ }
++ else
++ {
++ write_ptr = fp->_IO_write_ptr;
++ write_base = fp->_IO_write_base;
++ buf_end = fp->_IO_buf_end;
++ }
-- char *l;
- while ((l = next_line (fd, buffer, &cp, &re, buffer_end)) != NULL)
- /* The current format of /proc/stat has all the cpu* entries
- at the front. We assume here that stays this way. */
-@@ -195,6 +240,7 @@ __get_nprocs ()
- }
- }
+ /* Now convert from the internal format into the external buffer. */
+ result = (*cc->__codecvt_do_out) (cc, &fp->_wide_data->_IO_state,
+ data, data + to_do, &new_data,
+- fp->_IO_write_ptr,
+- fp->_IO_buf_end,
+- &fp->_IO_write_ptr);
++ write_ptr,
++ buf_end,
++ &write_ptr);
+
+ /* Write out what we produced so far. */
+- if (_IO_new_do_write (fp, fp->_IO_write_base,
+- fp->_IO_write_ptr - fp->_IO_write_base) == EOF)
++ if (_IO_new_do_write (fp, write_base, write_ptr - write_base) == EOF)
+ /* Something went wrong. */
+ return WEOF;
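Review bot: The new guard `fp->_IO_write_ptr - fp->_IO_write_base < sizeof (mb_buf)` measures the bytes already pending in the stream buffer, while the comment below it says the aim is room for one multibyte character; the free space would be `fp->_IO_buf_end - fp->_IO_write_ptr`. As written, a buffered stream with few pending bytes is diverted to `mb_buf`, and a stream with at least MB_LEN_MAX pending bytes but less free space than one character still converts into the nearly full buffer. If free space is what is meant, the test should read `if (fp->_IO_buf_end - fp->_IO_write_ptr < sizeof (mb_buf))`. The comparison also mixes a signed pointer difference with `size_t`. The loop around this code starts and ends outside the hunk, so how pending bytes are flushed when `mb_buf` is used could not be checked.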
-+ out:
- cached_result = result;
- atomic_write_barrier ();
- timestamp = ts.tv_sec;
-commit e12df166d37522c2ed434c2d70a1b04640d2d7c6
-Author: Andreas Schwab <schwab@redhat.com>
-Date: Wed Jun 22 14:35:49 2011 -0400
+commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c
+Author: Carlos O'Donell <carlos@redhat.com>
+Date: Wed Nov 19 11:44:12 2014 -0500
- Fix Ipv4&IPv6 lookup in getaddrinfo
+ CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
- Problem introduced in the last patch.
-
-diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
-index 3a2737e..14e9270 100644
---- a/sysdeps/posix/getaddrinfo.c
-+++ b/sysdeps/posix/getaddrinfo.c
-@@ -894,7 +894,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
- pat = &((*pat)->next);
- no_data = 0;
- }
-- else if ((*pat)->family == AF_UNSPEC
-+ else if (req->ai_family == AF_UNSPEC
- || (*pat)->family == req->ai_family)
- {
- pat = &((*pat)->next);
-commit fa3fc0fe5f452d0aa7e435d8f32e992958683819
-Author: Ulrich Drepper <drepper@gmail.com>
-Date: Wed Jun 22 15:00:54 2011 -0400
-
- Avoid __check_pf calls in getaddrinfo unless really needed
+ The function wordexp() fails to properly handle the WRDE_NOCMD
+ flag when processing arithmetic inputs in the form of "$((... ``))"
+ where "..." can be anything valid. The backticks in the arithmetic
+ expression are evaluated in a shell even if WRDE_NOCMD forbade
+ command substitution. This allows an attacker to attempt to pass
+ dangerous commands via constructs of the above form, and bypass
+ the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
+ in exec_comm(), the only place that can execute a shell. All other
+ checks for WRDE_NOCMD are superfluous and removed.
+
+ We expand the testsuite and add 3 new regression tests of roughly
+ the same form but with a couple of nested levels.
+
+ On top of the 3 new tests we add fork validation to the WRDE_NOCMD
+ testing. If any forks are detected during the execution of a wordexp()
+ call with WRDE_NOCMD, the test is marked as failed. This is slightly
+ heuristic since vfork might be used in the future, but it provides a
+ higher level of assurance that no shells were executed as part of
+ command substitution with WRDE_NOCMD in effect. In addition it doesn't
+ require libpthread or libdl, instead we use the public implementation
+ namespace function __register_atfork (already part of the public ABI
+ for libpthread).
+
+ Tested on x86_64 with no regressions.
-diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
-index 14e9270..05c883d 100644
---- a/sysdeps/posix/getaddrinfo.c
-+++ b/sysdeps/posix/getaddrinfo.c
-@@ -2352,14 +2352,17 @@ getaddrinfo (const char *name, const char *service,
- size_t in6ailen = 0;
- bool seen_ipv4 = false;
- bool seen_ipv6 = false;
-- /* We might need information about what interfaces are available.
-- Also determine whether we have IPv4 or IPv6 interfaces or both. We
-- cannot cache the results since new interfaces could be added at
-- any time. */
-- __check_pf (&seen_ipv4, &seen_ipv6, &in6ai, &in6ailen);
-+ bool check_pf_called = false;
+diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
+index 4957006..bdd65e4 100644
+--- a/posix/wordexp-test.c
++++ b/posix/wordexp-test.c
+@@ -27,6 +27,25 @@
- if (hints->ai_flags & AI_ADDRCONFIG)
- {
-+ /* We might need information about what interfaces are available.
-+ Also determine whether we have IPv4 or IPv6 interfaces or both. We
-+ cannot cache the results since new interfaces could be added at
-+ any time. */
-+ __check_pf (&seen_ipv4, &seen_ipv6, &in6ai, &in6ailen);
-+ check_pf_called = true;
+ #define IFS " \n\t"
+
++extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
++extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
+
- /* Now make a decision on what we return, if anything. */
- if (hints->ai_family == PF_UNSPEC && (seen_ipv4 || seen_ipv6))
- {
-@@ -2441,6 +2444,10 @@ getaddrinfo (const char *name, const char *service,
- struct addrinfo *last = NULL;
- char *canonname = NULL;
++static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
++{
++ return __register_atfork (prepare, parent, child,
++ &__dso_handle == NULL ? NULL : __dso_handle);
++}
++
++/* Number of forks seen. */
++static int registered_forks;
++
++/* For each fork increment the fork count. */
++static void
++register_fork (void)
++{
++ registered_forks++;
++}
++
+ struct test_case_struct
+ {
+ int retval;
+@@ -206,6 +225,12 @@ struct test_case_struct
+ { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS },
+ { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS },
+ { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS },
++ /* Test for CVE-2014-7817. We test 3 combinations of command
++ substitution inside an arithmetic expression to make sure that
++ no commands are executed and error is returned. */
++ { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
++ { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
++ { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
-+ /* Now we definitely need the interface information. */
-+ if (! check_pf_called)
-+ __check_pf (&seen_ipv4, &seen_ipv6, &in6ai, &in6ailen);
+ { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
+ };
+@@ -258,6 +283,15 @@ main (int argc, char *argv[])
+ return -1;
+ }
+
++ /* If we are not allowed to do command substitution, we install
++ fork handlers to verify that no forks happened. No forks should
++ happen at all if command substitution is disabled. */
++ if (__app_register_atfork (register_fork, NULL, NULL) != 0)
++ {
++ printf ("Failed to register fork handler.\n");
++ return -1;
++ }
+
- /* If we have information about deprecated and temporary addresses
- sort the array now. */
- if (in6ai != NULL)
-commit 034807a9cbddfa9e7d35df4cdb2ecce569a00851
-Author: Ulrich Drepper <drepper@gmail.com>
-Date: Mon Jun 27 13:10:44 2011 -0400
-
- Fix handling of RES_USE_INET6 big in nscd
-
- This fixes BZ #12350 also for nscd.
-
-diff --git a/nscd/aicache.c b/nscd/aicache.c
-index 3190a13..6c8d83a 100644
---- a/nscd/aicache.c
-+++ b/nscd/aicache.c
-@@ -534,7 +534,7 @@ next_nip:
- }
+ for (test = 0; test_case[test].retval != -1; test++)
+ if (testit (&test_case[test]))
+ ++fail;
+@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc)
- out:
-- _res.options = old_res_options;
-+ _res.options |= old_res_options & RES_USE_INET6;
+ printf ("Test %d (%s): ", ++tests, tc->words);
- if (dataset != NULL && !alloca_used)
++ if (tc->flags & WRDE_NOCMD)
++ registered_forks = 0;
++
+ if (tc->flags & WRDE_APPEND)
{
-commit 89f654c57b3b9a6aee480e25e37f88f06c898901
-Author: Andreas Schwab <schwab@redhat.com>
-Date: Thu Jun 30 06:33:32 2011 -0400
-
- Make sure RES_USE_INET6 is always restored
-
-diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
-index 05c883d..6d574c5 100644
---- a/sysdeps/posix/getaddrinfo.c
-+++ b/sysdeps/posix/getaddrinfo.c
-@@ -818,6 +818,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
- tmpbuf = malloc (tmpbuflen);
- if (tmpbuf == NULL)
- {
-+ _res.options |= old_res_options & RES_USE_INET6;
- result = -EAI_MEMORY;
- goto free_and_return;
- }
-@@ -862,6 +863,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
- 2 * tmpbuflen);
- if (newp == NULL)
- {
-+ _res.options |= old_res_options & RES_USE_INET6;
- result = -EAI_MEMORY;
- goto free_and_return;
- }
-@@ -981,6 +983,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
- canonbuf = malloc (max_fqdn_len);
- if (canonbuf == NULL)
- {
-+ _res.options
-+ |= old_res_options & RES_USE_INET6;
- result = -EAI_MEMORY;
- goto free_and_return;
- }
+ /* initial wordexp() call, to be appended to */
+@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc)
+ }
+ retval = wordexp (tc->words, &we, tc->flags);
+
++ if ((tc->flags & WRDE_NOCMD)
++ && (registered_forks > 0))
++ {
++ printf ("FAILED fork called for WRDE_NOCMD\n");
++ return 1;
++ }
++
+ if (tc->flags & WRDE_DOOFFS)
+ start_offs = sav_we.we_offs;
+
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index b6b65dd..26f3a26 100644
+--- a/posix/wordexp.c
++++ b/posix/wordexp.c
+@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size_t *word_length, size_t *max_length,
+ pid_t pid;
+ int noexec = 0;
+
++ /* Do nothing if command substitution should not succeed. */
++ if (flags & WRDE_NOCMD)
++ return WRDE_CMDSUB;
++
+ /* Don't fork() unless necessary */
+ if (!comm || !*comm)
+ return 0;
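Review bot: The comment on the new check in `exec_comm` does not say that this is now the only place where WRDE_NOCMD is enforced, which is the invariant the patch relies on once the checks in `parse_dollars`, `parse_dquote` and `wordexp` are removed. I would write it as `/* WRDE_NOCMD is enforced only here: every code path that can start a shell must go through exec_comm.  */`. Because rejection now happens after `parse_comm`/`parse_backtick` have scanned the substitution, input that is both malformed and contains a command substitution presumably reports a syntax error instead of WRDE_CMDSUB; callers that key on the error code may want that documented. `exec_comm` continues past the end of the hunk.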
+@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word_length, size_t *max_length,
+ }
+ }
+
+- if (flags & WRDE_NOCMD)
+- return WRDE_CMDSUB;
+-
+ (*offset) += 2;
+ return parse_comm (word, word_length, max_length, words, offset, flags,
+ quoted? NULL : pwordexp, ifs, ifs_white);
+@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_length, size_t *max_length,
+ break;
+
+ case '`':
+- if (flags & WRDE_NOCMD)
+- return WRDE_CMDSUB;
+-
+ ++(*offset);
+ error = parse_backtick (word, word_length, max_length, words,
+ offset, flags, NULL, NULL, NULL);
+@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags)
+ break;
+
+ case '`':
+- if (flags & WRDE_NOCMD)
+- {
+- error = WRDE_CMDSUB;
+- goto do_error;
+- }
+-
+ ++words_offset;
+ error = parse_backtick (&word, &word_length, &max_length, words,
+ &words_offset, flags, pwordexp, ifs,