summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHiltjo Posthuma <hiltjo@codemadness.org>2019-10-12 14:01:17 +0200
committerHiltjo Posthuma <hiltjo@codemadness.org>2019-10-12 14:01:17 +0200
commita811215d22dd40b938021b9f41daf315ac11e685 (patch)
tree84f4b830bc591d42121d24a00739df2bd6188e96
parent0326a6b837a7e5bb490360a7cdb0225947cee166 (diff)
string_append: check for addition and multiplication overflow
This could overflow / wrap the buffer. Note: SIZE_MAX is defined in POSIX to atleast 65535. On most platforms on 64-bit this is 0xffffffffffffffffUL bytes.
-rw-r--r--sfeed.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/sfeed.c b/sfeed.c
index bb79d34..d44b3fd 100644
--- a/sfeed.c
+++ b/sfeed.c
@@ -250,8 +250,12 @@ string_buffer_realloc(String *s, size_t newlen)
{
size_t alloclen;
- for (alloclen = 64; alloclen <= newlen; alloclen *= 2)
- ;
+ if (newlen > SIZE_MAX / 2) {
+ alloclen = SIZE_MAX;
+ } else {
+ for (alloclen = 64; alloclen <= newlen; alloclen *= 2)
+ ;
+ }
if (!(s->data = realloc(s->data, alloclen)))
err(1, "realloc");
s->bufsiz = alloclen;
@@ -262,6 +266,12 @@ string_append(String *s, const char *data, size_t len)
{
if (!len)
return;
+
+ if (s->len >= SIZE_MAX - len) {
+ errno = EOVERFLOW;
+ err(1, "realloc");
+ }
+
/* check if allocation is necessary, don't shrink buffer,
* should be more than bufsiz of course. */
if (s->len + len >= s->bufsiz)