author | Hiltjo Posthuma <hiltjo@codemadness.org> | 2019-10-12 14:01:17 +0200 |
committer | Hiltjo Posthuma <hiltjo@codemadness.org> | 2019-10-12 14:01:17 +0200 |
commit | a811215d22dd40b938021b9f41daf315ac11e685 (patch) | |
tree | 84f4b830bc591d42121d24a00739df2bd6188e96 | |
parent | 0326a6b837a7e5bb490360a7cdb0225947cee166 (diff) |
string_append: check for addition and multiplication overflow
This could overflow / wrap the buffer.
Note: SIZE_MAX is defined in POSIX to be at least 65535.
On most platforms on 64-bit this is 0xffffffffffffffffUL bytes.
-rw-r--r-- | sfeed.c | 14 |
1 files changed, 12 insertions, 2 deletions
@@ -250,8 +250,12 @@ string_buffer_realloc(String *s, size_t newlen)
 {
 	size_t alloclen;
 
-	for (alloclen = 64; alloclen <= newlen; alloclen *= 2)
-		;
+	if (newlen > SIZE_MAX / 2) {
+		alloclen = SIZE_MAX;
+	} else {
+		for (alloclen = 64; alloclen <= newlen; alloclen *= 2)
+			;
+	}
 	if (!(s->data = realloc(s->data, alloclen)))
 		err(1, "realloc");
 	s->bufsiz = alloclen;
@@ -262,6 +266,12 @@ string_append(String *s, const char *data, size_t len)
 {
 	if (!len)
 		return;
+
+	if (s->len >= SIZE_MAX - len) {
+		errno = EOVERFLOW;
+		err(1, "realloc");
+	}
+
 	/* check if allocation is necessary, don't shrink buffer,
 	 * should be more than bufsiz of course. */
 	if (s->len + len >= s->bufsiz)
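Review bot: The new `alloclen = SIZE_MAX` branch in string_buffer_realloc is not a usable allocation size but a deliberate way of making the following realloc() fail and err() out, and nothing in the hunk says so; a later maintainer could "fix" it into a clamp that returns a buffer smaller than newlen. A one-line comment on the new `if` would pin the intent: `/* doubling loop would wrap past SIZE_MAX; pick a size realloc must reject */`. The guard itself is correct: for newlen > SIZE_MAX / 2 the doubling would otherwise wrap to zero and loop forever. The closing brace of string_buffer_realloc lies outside the hunk.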
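Review bot: The overflow check added to string_append reports itself as `err(1, "realloc")` although no realloc() has been attempted, so the diagnostic names the wrong operation while errno already says "value too large"; `err(1, "string_append")` would point at the actual failure site. The check itself is sound: with `>=` the later `s->len + len` can no longer wrap, which is worth stating next to it, e.g. `/* s->len + len must stay below SIZE_MAX; otherwise the sum below wraps */`. Assigning errno and using EOVERFLOW needs <errno.h>; the include list is outside this hunk, so confirm it is already present. The rest of string_append continues past the hunk.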