overlayfs may have fairly long lines so we use getline to allocate a
buffer dynamically. The buffer will be allocated on first use, expand as
needed, but will never be free'ed.

Downstream bug: http://bugs.alpinelinux.org/issues/5703Signed-off-by: NNatanael Copa <ncopa@alpinelinux.org>

this patch fixes a large number of missed internal signed-overflow
checks and errors in determining when the return value (output length)
would exceed INT_MAX, which should result in EOVERFLOW. some of the
issues fixed were reported by Alexander Cherepanov; others were found
in subsequent review of the code.

aside from the signed overflows being undefined behavior, the
following specific bugs were found to exist in practice:

- overflows computing length of floating point formats with huge
  explicit precisions, integer formats with prefix characters and huge
  explicit precisions, or string arguments or format strings longer
  than INT_MAX, resulted in wrong return value and wrong %n results.

- literal width and precision values outside the range of int were
  misinterpreted, yielding wrong behavior in at least one well-defined
  case: string formats with precision greater than INT_MAX were
  sometimes truncated.

- in cases where EOVERFLOW is produced, incorrect values could be
  written for %n specifiers past the point of exceeding INT_MAX.

in addition to fixing these bugs, we now stop producing output
immediately when output length would exceed INT_MAX, rather than
continuing and returning an error only at the end.

if the requested precision is close to INT_MAX, adding
LDBL_MANT_DIG/3+8 overflows. in practice the resulting undefined
behavior manifests as a large negative result, which is then used to
compute the new end pointer (z) with a wildly out-of-bounds value
(more overflow, more undefined behavior). the end result is at least
incorrect output and character count (return value); worse things do
not seem to happen, but detailed analysis has not been done.

this patch fixes the overflow by performing the intermediate
computation as unsigned; after division by 9, the final result
necessarily fits in int.

we inherited from TRE regexec code that's utterly wrong with respect
to the integer types it's using. while it doesn't appear that
compilers are producing unsafe output, signed integer overflows seem
to happen, and regexec fails to find matches past offset INT_MAX.

this patch fixes the type of all variables/fields used to store
offsets in the string from int to regoff_t. after the changes, basic
testing showed that regexec can now find matches past 2GB (INT_MAX)
and past 4GB on x86_64, and code generation is unchanged on i386.

most of the possible overflows were already ruled out in practice by
regcomp having already succeeded performing larger allocations.
however at least the num_states*num_tags multiplication can clearly
overflow in practice. for safety, check them all, and use the proper
type, size_t, rather than int.

also improve comments, use calloc in place of malloc+memset, and
remove bogus casts.

this is a clone of the fix to the gethostby*_r functions in
commit fe82bb9b. the man pages
document that the getservby*_r functions set this pointer to
NULL if there was an error or if no record was found.

this case statement was accidently left behind when this function
was refactored in commit e8f39ca4.

since cpu sets can be dynamically allocated and have variable size,
accessing their contents via ->__bits is not valid; performing pointer
arithmetic outside the range of the size of the declared __bits array
results in undefined beahavior. instead, only use cpu_set_t for
fixed-size cpu set objects (instantiated by the caller) and as an
abstract pointer type for dynamically allocated ones. perform all
accesses simply by casting the abstract pointer type cpuset_t * back
to unsigned long *.

previously, fflush_unlocked was an alias for an internal backend that
was called by fflush, either for its argument or in a loop for each
file if a null pointer was passed. since the logic for the latter was
in the main fflush function, fflush_unlocked crashed when passed a
null pointer, rather than flushing all open files. since
fflush_unlocked is not a standard function and has no specification,
it's not clear whether it should be expected to accept null pointers
like fflush does, but a reasonable argument could be made that it
should.

this patch eliminates the helper function, simplifying fflush, and
makes fflush_unlocked an alias for fflush, which is valid because the
two functions agree in their behavior in all cases where their
behavior is defined (the unlocked version has undefined behavior if
another thread could hold locks).

these functions had been implemented, but prototypes were not made available

posix requires errno to be set to ENXIO if the interface does not exist.
linux returns ENODEV instead so we handle this.

glibc, freebsd, and openbsd use character pointers (caddr_t) for
these fields. only linux uses void pointer for the ifru_data type.

commit b91cdbe2, in fixing another
issue, changed the logic for how alt-form octal adds the leading zero
to adjust the precision rather than using a prefix character. this
wrongly suppressed the zero flag by mimicing an explicit precision
given by the format string. switch back to using a prefix character.

based on bug report and patch by Dmitry V. Levin, but simplified.

this reverts commit 2c1f8fd5. without
the _Noreturn attribute, the compiler cannot use asserts to perform
reachability/range analysis. this leads to missed optimizations and
spurious warnings.

the original backtrace problem that prompted the removal of _Noreturn
was not clearly documented at the time, but it seems to happen only
when libc was built without -g, which also breaks many other
backtracing cases.

This makes the result consistent with sysconf(_SC_OPEN_MAX).

O_FSYNC was never defined and is legacy/wrong, nothing seems to use it.

the gnu config.sub script recognizes several mipsisa64* cpu types
that musl supports as mips64 targets.

there was a copy paste error that could cause large ulp errors
in atan2l, atanl, asinl and acosl on aarch64, mips64 and mipsn32.

(the implementation is from freebsd fdlibm, but the tail end
of the polynomial was wrong. 128 bit long double functions
are not yet tested so this went undetected.)

linux containers use separate mount namespace so the /proc
symlink might not point to the right device if the fd was
opened in the parent namespace, in this case return ENOENT.

userfaultfd, membarrier and mlock2 syscalls got wired up in linux
commit fbce3befd60d40639bf3c6b60f7477b2f988f92d

only matters if swapcontext is used in a signal handler running on an
altstack, new in linux commit 2a74213838104a41588d86fd5e8d344972891ace

for GPRS tunneling protocol, new in linux commit
459aa660eb1d8ce67080da1983bb81d716aa5a69

macros for qualcom ip router protocol, new in linux commit
bdabad3e363d825ddf9679dd431cca0b2c30f881

despite sh not generally using register-pair alignment for 64-bit
syscall arguments, there are arch-specific versions of the syscall
entry points for pread and pwrite which include a dummy argument for
alignment before the 64-bit offset argument.

revert commit 8c316e9e. it was wrong
and does not match how the kernel API works.

the FIXME comment here was overlooked at the time locale support was
added.

this code was already under #if 0, but could be confusing if a reader
didn't notice that, and it's almost surely full of bugs and/or
inconsistencies with the current code that uses the gethostbyname2_r
backend.

Since commit 2f853dd6, all generated
headers are generated under the obj directory, which is already ignored.

It's identical to the generic version, after evaluating the endian
preprocessor checks in the generic version.

modern compilers (for gcc, versions 4.8 and later) automatically
pre-include <stdc-predef.h> to obtain the values of certain predefined
macros specified by ISO C but which reflect properties of the library
implementation, not just the compiler. provide values indicating that
wchar_t is Unicode-encoded and that Annex F (IEEE floating point) is
supported unless the compiler indicates otherwise.

based on patch by Masanori Ogino.

these changes still do not yield a fully-conforming abort, but they
fix two known issues:

- per POSIX, termination via SIGKILL is not "abnormal", but both ISO C
  and POSIX require abort to yield abnormal termination.

- raising SIGKILL fails to do anything to pid 1 in some containers.

now, the trapping instruction produced by a_crash() is expected to
produce abnormal termination, without the risk of invoking a signal
handler since SIGILL and SIGSEGV are blocked, and _Exit, which
contains an infinite loop analogous to the one being removed from
abort itself, is used as a last resort.

this implementation still fails to produce an exit status as if the
process terminated via SIGABRT in cases where SIGABRT is blocked or
ignored, but fixing that is not easy; the obvious pseudo-solutions all
have subtle race conditions where a concurrent fork or exec can expose
incorrect signal state.

commit befa5866 performed this change
for struct definitions that did not also involve typedef, but omitted
the latter.

last time elf.h was thoroughly updated sh was not yet supported
so these processor specific e_flags were missing.

new regset in linux v3.18 for ptrace.

see
https://sourceware.org/ml/libc-alpha/2016-01/msg00822.html

marks different RLD_MAP for debugging PIE binaries.

following
http://www.sco.com/developers/gabi/latest/ch4.sheader.html