From c0564b95e0a7c2400e1f983cddd23779a85fcdae Mon Sep 17 00:00:00 2001 From: Jeff Law Date: Feb 24 2012 17:41:06 +0000 Subject: - Fix bogus underflow (#760935) - Correctly handle dns request where large numbers of A and AAA records are returned (#795498) - Fix nscd crash when group has many members (#788959)
---
diff --git a/glibc-rh760935.patch b/glibc-rh760935.patch
new file mode 100644
index 0000000..d32e238
--- /dev/null
+++ b/glibc-rh760935.patch
@@ -0,0 +1,18 @@
+diff -rup a/sysdeps/ieee754/dbl-64/w_exp.c b/sysdeps/ieee754/dbl-64/w_exp.c
+--- a/sysdeps/ieee754/dbl-64/w_exp.c 2012-01-01 05:16:32.000000000 -0700
++++ b/sysdeps/ieee754/dbl-64/w_exp.c 2012-02-24 10:32:52.769230965 -0700
+@@ -32,12 +32,12 @@ __exp (double x)
+ if (__builtin_expect (x > o_threshold, 0))
+ {
+ if (_LIB_VERSION != _IEEE_)
+- return __kernel_standard_f (x, x, 6);
++ return __kernel_standard (x, x, 6);
+ }
+ else if (__builtin_expect (x < u_threshold, 0))
+ {
+ if (_LIB_VERSION != _IEEE_)
+- return __kernel_standard_f (x, x, 7);
++ return __kernel_standard (x, x, 7);
+ }
+
+ return __ieee754_exp (x);
diff --git a/glibc-rh788989.patch b/glibc-rh788989.patch
new file mode 100644
index 0000000..4e730ce
--- /dev/null
+++ b/glibc-rh788989.patch
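Review bot: The type codes `6` and `7` passed to `__kernel_standard` in `__exp` are bare numbers, and the whole fix is the one-token difference between the `_f` and plain variants, so a short comment on each call would make a regression easier to spot: `/* exp overflow */` on the `6` call and `/* exp underflow */` on the `7` call. It is also worth checking whether other double-precision wrappers under sysdeps/ieee754/dbl-64 call `__kernel_standard_f` in the same way; that cannot be told from this hunk. `__exp` starts before the hunk's first line and its closing brace is outside it.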
@@ -0,0 +1,131 @@
+diff --git a/nis/nss_compat/compat-initgroups.c b/nis/nss_compat/compat-initgroups.c
+index a70d66d..ad6ab35 100644
+--- a/nis/nss_compat/compat-initgroups.c
++++ b/nis/nss_compat/compat-initgroups.c
+@@ -296,6 +296,8 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
+ if (nss_initgroups_dyn (user, group, &mystart, &mysize, &mygroups,
+ limit, errnop) == NSS_STATUS_SUCCESS)
+ {
++ status = NSS_STATUS_NOTFOUND;
++
+ /* If there is no blacklist we can trust the underlying
+ initgroups implementation. */
+ if (ent->blacklist.current <= 1)
+@@ -308,6 +310,7 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
+ overwrite the pointer with one to a bigger buffer. */
+ char *tmpbuf = buffer;
+ size_t tmplen = buflen;
++ bool use_malloc = false;
+
+ for (int i = 0; i < mystart; i++)
+ {
+@@ -315,21 +318,36 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
+ tmpbuf, tmplen, errnop))
+ == NSS_STATUS_TRYAGAIN
+ && *errnop == ERANGE)
+- if (tmpbuf == buffer)
+- {
+- tmplen *= 2;
+- tmpbuf = __alloca (tmplen);
+- }
+- else
+- tmpbuf = extend_alloca (tmpbuf, tmplen, 2 * tmplen);
++ {
++ if (__libc_use_alloca (tmplen * 2))
++ {
++ if (tmpbuf == buffer)
++ {
++ tmplen *= 2;
++ tmpbuf = __alloca (tmplen);
++ }
++ else
++ tmpbuf = extend_alloca (tmpbuf, tmplen, tmplen * 2);
++ }
++ else
++ {
++ tmplen *= 2;
++ char *newbuf = realloc (use_malloc ? tmpbuf : NULL, tmplen);
++
++ if (newbuf == NULL)
++ {
++ status = NSS_STATUS_TRYAGAIN;
++ goto done;
++ }
++ use_malloc = true;
++ tmpbuf = newbuf;
++ }
++ }
+
+ if (__builtin_expect (status != NSS_STATUS_NOTFOUND, 1))
+ {
+ if (__builtin_expect (status != NSS_STATUS_SUCCESS, 0))
+- {
+- free (mygroups);
+- return status;
+- }
++ goto done;
+
+ if (!in_blacklist (grpbuf.gr_name,
+ strlen (grpbuf.gr_name), ent)
+@@ -347,11 +365,17 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
+ }
+ }
+ }
++
++ status = NSS_STATUS_NOTFOUND;
++
++ done:
++ if (use_malloc)
++ free (tmpbuf);
+ }
+
+ free (mygroups);
+
+- return NSS_STATUS_NOTFOUND;
++ return status;
+ }
+
+ free (mygroups);
+@@ -508,6 +532,7 @@ _nss_compat_initgroups_dyn (const char *user, gid_t group, long int *start,
+ char *tmpbuf;
+ enum nss_status status;
+ ent_t intern = { true, false, false, NULL, {NULL, 0, 0} };
++ bool use_malloc = false;
+
+ status = internal_setgrent (&intern);
+ if (status != NSS_STATUS_SUCCESS)
+@@ -521,13 +546,32 @@ _nss_compat_initgroups_dyn (const char *user, gid_t group, long int *start,
+ user, group, start, size,
+ groupsp, limit, errnop))
+ == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
+- tmpbuf = extend_alloca (tmpbuf, buflen, 2 * buflen);
++ if (__libc_use_alloca (buflen * 2))
++ tmpbuf = extend_alloca (tmpbuf, buflen, 2 * buflen);
++ else
++ {
++ buflen *= 2;
++ char *newbuf = realloc (use_malloc ? tmpbuf : NULL, buflen);
++ if (newbuf == NULL)
++ {
++ status = NSS_STATUS_TRYAGAIN;
++ goto done;
++ }
++ use_malloc = true;
++ tmpbuf = newbuf;
++ }
+ }
+ while (status == NSS_STATUS_SUCCESS);
+
++ status = NSS_STATUS_SUCCESS;
++
++ done:
++ if (use_malloc)
++ free (tmpbuf);
++
+ internal_endgrent (&intern);
+
+- return NSS_STATUS_SUCCESS;
++ return status;
+ }
+
+
diff --git a/glibc-rh795498.patch b/glibc-rh795498.patch
new file mode 100644
index 0000000..729c5a4
--- /dev/null
+++ b/glibc-rh795498.patch
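Review bot: Both retry loops (in `getgrent_next_nss` and `_nss_compat_initgroups_dyn`) rely on `__libc_use_alloca` never returning true again once `use_malloc` is set; if it did, `extend_alloca` would overwrite the heap pointer with a stack address, the heap block would leak, and the `done:` path would pass a stack pointer to `free`. Because the size only doubles, this looks unreachable as long as that predicate is monotonic in its argument, but the invariant can be made explicit at no cost: `if (!use_malloc && __libc_use_alloca (tmplen * 2))` and `if (!use_malloc && __libc_use_alloca (buflen * 2))`. The doublings `tmplen *= 2` and `buflen *= 2` are also unchecked; presumably `realloc` fails long before `size_t` wraps, and a one-line comment saying so would record that assumption. Both functions begin outside the visible hunks, so the first `alloca` of `tmpbuf` in `_nss_compat_initgroups_dyn` is not shown.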
@@ -0,0 +1,13 @@
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 01369f6..44ad04d 100644
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -1219,7 +1219,7 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
+ &first);
+ if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
+ || (status == NSS_STATUS_TRYAGAIN
+- && (errno != ERANGE || *h_errnop != NO_RECOVERY)))
++ && (*errnop != ERANGE || *h_errnop == NO_RECOVERY)))
+ && answer2 != NULL && anslen2 > 0)
+ {
+ enum nss_status status2 = gaih_getanswer_slice(answer2, anslen2, qname,
diff --git a/glibc.spec b/glibc.spec
index 00dea67..72e0740 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -28,7 +28,7 @@ Summary: The GNU libc libraries Name: glibc Version: %{glibcversion} -Release: 23%{?dist} +Release: 24%{?dist} # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries. # Things that are linked directly into dynamically linked programs # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -100,6 +100,13 @@ Patch32 : %{name}-rh739743.patch Patch33 : %{name}-rh789238.patch # Patch posted upstream, discussion ongoing, Paul E. seems to think it's OK Patch34 : %{name}-rh794797.patch +# Posted upstream +Patch35 : %{name}-rh788989.patch +# Posted upstream +Patch36 : %{name}-rh795498.patch +# Posted upstream (bz 13705) +Patch37 : %{name}-rh795498.patch + Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -353,6 +360,9 @@ rm -rf %{glibcportsdir} %patch32 -p1 %patch33 -p1 %patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 # A lot of programs still misuse memcpy when they have to use # memmove. The memcpy implementation below is not tolerant at
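Review bot: The rewritten test in `gaih_getanswer` mixes `*errnop != ERANGE` with `*h_errnop == NO_RECOVERY`, and nothing beside it says which case is meant to skip the second answer. As I read it, `answer2` is now skipped only when the first slice returned `NSS_STATUS_TRYAGAIN` with `*errnop == ERANGE` and a recoverable `*h_errnop`, i.e. the caller's buffer was too small. A comment above the `if` stating that, for example `/* Skip answer2 only when answer1 ran out of buffer space, so the caller retries with a larger buffer. */`, would keep a later edit from inverting the condition again. How `status2` is merged into `status` lies outside the hunk, so whether an `ERANGE` from the second slice after a successful first one still reaches the caller should be checked there, ideally with a regression test whose response is larger than the initial buffer.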
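Review bot: `Patch37` names `%{name}-rh795498.patch`, the same file as `Patch36`, and no `Patch` line references the newly added `glibc-rh760935.patch`. As written, `%patch37 -p1` would try to apply the DNS fix a second time (likely failing or being rejected as already applied), and the w_exp.c underflow fix would never reach the build. Presumably the last entry should read `Patch37 : %{name}-rh760935.patch`; which upstream bug the `(bz 13705)` comment belongs to should be confirmed at the same time. Separately, the subject and `%changelog` cite #788959 while the patch file is named `glibc-rh788989.patch`, so one of the two numbers looks like a typo.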
@@ -1205,6 +1215,12 @@ rm -f *.filelist* %endif %changelog +* Fri Feb 24 2012 Jeff Law - 2.15-24 + - Fix bogus underflow (#760935) + - Correctly handle dns request where large numbers of A and AAA records + are returned (#795498) + - Fix nscd crash when group has many members (#788959) + * Mon Feb 20 2012 Jeff Law - 2.15-23 - Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE (#794797)