- Set errno properly in vfprintf (#794797)

- Don't kill application when LD_PROFILE is set. (#800224)

glibc-rh794797-2.patch

@@ -0,0 +1,119 @@
+--- vfprintf.c	2012-03-07 12:16:21.000000000 -0700
++++ /home/law/UPSTREAM/glibc/stdio-common/vfprintf.c	2012-03-07 12:00:28.006630851 -0700
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 1991-2008, 2009, 2010, 2011   Free Software Foundation, Inc.
++/* Copyright (C) 1991-2011, 2012   Free Software Foundation, Inc.
+    This file is part of the GNU C Library.
+ 
+    The GNU C Library is free software; you can redistribute it and/or
+@@ -12,9 +12,8 @@
+    Lesser General Public License for more details.
+ 
+    You should have received a copy of the GNU Lesser General Public
+-   License along with the GNU C Library; if not, write to the Free
+-   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+-   02111-1307 USA.  */
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
+ 
+ #include <ctype.h>
+ #include <limits.h>
+@@ -823,7 +822,7 @@ vfprintf (FILE *s, const CHAR_T *format,
+ 									      \
+ 	if (function_done < 0)						      \
+ 	  {								      \
+-	    /* Error in print handler.  */				      \
++	    /* Error in print handler; up to handler to set errno.  */	      \
+ 	    done = -1;							      \
+ 	    goto all_done;						      \
+ 	  }								      \
+@@ -877,7 +876,7 @@ vfprintf (FILE *s, const CHAR_T *format,
+ 									      \
+ 	if (function_done < 0)						      \
+ 	  {								      \
+-	    /* Error in print handler.  */				      \
++	    /* Error in print handler; up to handler to set errno.  */	      \
+ 	    done = -1;							      \
+ 	    goto all_done;						      \
+ 	  }								      \
+@@ -1118,7 +1117,7 @@ vfprintf (FILE *s, const CHAR_T *format,
+ 			 &mbstate);					      \
+ 	if (len == (size_t) -1)						      \
+ 	  {								      \
+-	    /* Something went wron gduring the conversion.  Bail out.  */     \
++	    /* Something went wrong during the conversion.  Bail out.  */     \
+ 	    done = -1;							      \
+ 	    goto all_done;						      \
+ 	  }								      \
+@@ -1574,6 +1606,7 @@ vfprintf (FILE *s, const CHAR_T *format,
+ 	  if (spec == L_('\0'))
+ 	    {
+ 	      /* The format string ended before the specifier is complete.  */
++	      __set_errno (EINVAL);
+ 	      done = -1;
+ 	      goto all_done;
+ 	    }
+@@ -1671,29 +1704,34 @@ do_positional:
+ 
+     /* Determine the number of arguments the format string consumes.  */
+     nargs = MAX (nargs, max_ref_arg);
+-    bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
+-                    + sizeof (*args_type);
++    /* Calculate total size needed to represent a single argument across
++       all three argument-related arrays.  */
++    bytes_per_arg = (sizeof (*args_value) + sizeof (*args_size)
++		     + sizeof (*args_type));
+ 
+     /* Check for potential integer overflow.  */
+-    if (nargs > SIZE_MAX / bytes_per_arg)
++    if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))
+       {
+-         done = -1;
+-         goto all_done;
++	 __set_errno (ERANGE);
++	 done = -1;
++	 goto all_done;
+       }
+ 
+-    /* Allocate memory for the argument descriptions.  */
++    /* Allocate memory for all three argument arrays.  */
+     if (__libc_use_alloca (nargs * bytes_per_arg))
+-        args_value = alloca (nargs * bytes_per_arg);
++	args_value = alloca (nargs * bytes_per_arg);
+     else
+       {
+-        args_value = args_malloced = malloc (nargs * bytes_per_arg);
+-        if (args_value == NULL)
+-          {
+-            done = -1;
+-            goto all_done;
+-          }
++	args_value = args_malloced = malloc (nargs * bytes_per_arg);
++	if (args_value == NULL)
++	  {
++	    done = -1;
++	    goto all_done;
++	  }
+       }
+ 
++    /* Set up the remaining two arrays to each point past the end of the
++       prior array, since space for all three has been allocated now.  */
+     args_size = &args_value[nargs].pa_int;
+     args_type = &args_size[nargs];
+     memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
+@@ -1912,6 +1950,7 @@ do_positional:
+ 		       about # of chars.  */
+ 		    if (function_done < 0)
+ 		      {
++			/* Function has set errno.  */
+ 			done = -1;
+ 			goto all_done;
+ 		      }
+@@ -1946,6 +1985,7 @@ do_positional:
+ 		 of chars.  */
+ 	      if (function_done < 0)
+ 		{
++		  /* Function has set errno.  */
+ 		  done = -1;
+ 		  goto all_done;
+ 		}

glibc-rh800224.patch

@@ -0,0 +1,78 @@
+
+2012-03-07  Jeff Law  <law@redhat.com>
+
+	* elf/dl-reloc.c (_dl_relocate_object): Move code to allocate
+	l_reloc_result prior to calling ELF_DYNAMIC_RELOCATE.
+
+diff -rup a/elf/dl-reloc.c b/elf/dl-reloc.c
+--- a/elf/dl-reloc.c	2012-01-01 05:16:32.000000000 -0700
++++ b/elf/dl-reloc.c	2012-03-06 15:41:56.486242640 -0700
+@@ -238,32 +238,9 @@ _dl_relocate_object (struct link_map *l,
+     /* String table object symbols.  */
+     const char *strtab = (const void *) D_PTR (l, l_info[DT_STRTAB]);
+ 
+-    /* This macro is used as a callback from the ELF_DYNAMIC_RELOCATE code.  */
+-#define RESOLVE_MAP(ref, version, r_type) \
+-    (ELFW(ST_BIND) ((*ref)->st_info) != STB_LOCAL			      \
+-     ? ((__builtin_expect ((*ref) == l->l_lookup_cache.sym, 0)		      \
+-	 && elf_machine_type_class (r_type) == l->l_lookup_cache.type_class)  \
+-	? (bump_num_cache_relocations (),				      \
+-	   (*ref) = l->l_lookup_cache.ret,				      \
+-	   l->l_lookup_cache.value)					      \
+-	: ({ lookup_t _lr;						      \
+-	     int _tc = elf_machine_type_class (r_type);			      \
+-	     l->l_lookup_cache.type_class = _tc;			      \
+-	     l->l_lookup_cache.sym = (*ref);				      \
+-	     const struct r_found_version *v = NULL;			      \
+-	     if ((version) != NULL && (version)->hash != 0)		      \
+-	       v = (version);						      \
+-	     _lr = _dl_lookup_symbol_x (strtab + (*ref)->st_name, l, (ref),   \
+-					scope, v, _tc,			      \
+-					DL_LOOKUP_ADD_DEPENDENCY, NULL);      \
+-	     l->l_lookup_cache.ret = (*ref);				      \
+-	     l->l_lookup_cache.value = _lr; }))				      \
+-     : l)
+-
+-#include "dynamic-link.h"
+-
+-    ELF_DYNAMIC_RELOCATE (l, lazy, consider_profiling, skip_ifunc);
+-
++    /* ELF_DYNAMIC_RELOCATE may need to examine l_reloc_result
++       when handling MACHINE_IRELATIVE relocs.  So we must
++       allocate l_reloc_result prior to calling ELF_DYNAMIC_RELOCATE.  */
+ #ifndef PROF
+     if (__builtin_expect (consider_profiling, 0))
+       {
+@@ -290,6 +267,32 @@ _dl_relocate_object (struct link_map *l,
+ 	  }
+       }
+ #endif
++
++    /* This macro is used as a callback from the ELF_DYNAMIC_RELOCATE code.  */
++#define RESOLVE_MAP(ref, version, r_type) \
++    (ELFW(ST_BIND) ((*ref)->st_info) != STB_LOCAL			      \
++     ? ((__builtin_expect ((*ref) == l->l_lookup_cache.sym, 0)		      \
++	 && elf_machine_type_class (r_type) == l->l_lookup_cache.type_class)  \
++	? (bump_num_cache_relocations (),				      \
++	   (*ref) = l->l_lookup_cache.ret,				      \
++	   l->l_lookup_cache.value)					      \
++	: ({ lookup_t _lr;						      \
++	     int _tc = elf_machine_type_class (r_type);			      \
++	     l->l_lookup_cache.type_class = _tc;			      \
++	     l->l_lookup_cache.sym = (*ref);				      \
++	     const struct r_found_version *v = NULL;			      \
++	     if ((version) != NULL && (version)->hash != 0)		      \
++	       v = (version);						      \
++	     _lr = _dl_lookup_symbol_x (strtab + (*ref)->st_name, l, (ref),   \
++					scope, v, _tc,			      \
++					DL_LOOKUP_ADD_DEPENDENCY, NULL);      \
++	     l->l_lookup_cache.ret = (*ref);				      \
++	     l->l_lookup_cache.value = _lr; }))				      \
++     : l)
++
++#include "dynamic-link.h"
++
++    ELF_DYNAMIC_RELOCATE (l, lazy, consider_profiling, skip_ifunc);
+   }
+ 
+   /* Mark the object so we know this work has been done.  */

glibc.spec

@@ -28,7 +28,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 25%{?dist}
+Release: 26%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -98,18 +98,22 @@ Patch31 : %{name}-rh697149.patch
 Patch32 : %{name}-rh739743.patch
 # Discussion started upstream, patch needs to be submitted
 Patch33 : %{name}-rh789238.patch
-# Patch posted upstream, discussion ongoing, Paul E. seems to think it's OK
+# From upstream 
 Patch34 : %{name}-rh794797.patch
 # Posted upstream
 Patch35 : %{name}-rh788989.patch
 # Posted upstream
 Patch36 : %{name}-rh795498.patch
-# Posted upstream (bz 13705)
+# From upstream
 Patch37 : %{name}-rh760935.patch
-# Approved upstream, waiting for privs to commit
+# From upstream
 Patch38 : %{name}-rh798471.patch
-
+# From upstream
-
+Patch39 : %{name}-rh758888.patch
+# Submitted upstream BZ 13818
+Patch40 : %{name}-rh800224.patch
+# From upstream
+Patch41 : %{name}-rh794797-2.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Obsoletes: glibc-profile < 2.4
@@ -366,6 +370,9 @@ rm -rf %{glibcportsdir}
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
+%patch39 -p1
+%patch40 -p1
+%patch41 -p1
 
 # A lot of programs still misuse memcpy when they have to use
 # memmove. The memcpy implementation below is not tolerant at
@@ -1218,6 +1225,10 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Wed Feb 29 2012 Jeff Law <law@redhat.com> - 2.15-26
+  - Set errno properly in vfprintf (#794797)
+  - Don't kill application when LD_PROFILE is set. (#800224)
+
 * Wed Feb 29 2012 Jeff Law <law@redhat.com> - 2.15-25
   - Fix out of bounds memory access in resolver (#798471)
   - Always mark vDSO as used (#758888)
@@ -1226,7 +1237,7 @@ rm -f *.filelist*
   - Fix bogus underflow (#760935)
   - Correctly handle dns request where large numbers of A and AAA records
     are returned (#795498)
-  - Fix nscd crash when group has many members (#788959)
+  - Fix nscd crash when group has many members (#788989)
  
 * Mon Feb 20 2012 Jeff Law <law@redhat.com> - 2.15-23
   - Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE (#794797)