string_append: check for addition and multiplication overflow

This could overflow / wrap the buffer. Note: SIZE_MAX is defined in POSIX to atleast 65535. On most platforms on 64-bit this is 0xffffffffffffffffUL bytes.
author: Hiltjo Posthuma <hiltjo@codemadness.org> 2019-10-12 14:01:17 +0200
committer: Hiltjo Posthuma <hiltjo@codemadness.org> 2019-10-12 14:01:17 +0200
commit: a811215d22dd40b938021b9f41daf315ac11e685 (patch)
tree: 84f4b830bc591d42121d24a00739df2bd6188e96 /sfeed.c
parent: 0326a6b837a7e5bb490360a7cdb0225947cee166 (diff)
1 files changed, 12 insertions, 2 deletions
diff --git a/sfeed.c b/sfeed.c
index bb79d34..d44b3fd 100644
--- a/sfeed.c
+++ b/sfeed.c
@@ -250,8 +250,12 @@ string_buffer_realloc(String *s, size_t newlen)
 {
 	size_t alloclen;
 
-	for (alloclen = 64; alloclen <= newlen; alloclen *= 2)
-		;
+	if (newlen > SIZE_MAX / 2) {
+		alloclen = SIZE_MAX;
+	} else {
+		for (alloclen = 64; alloclen <= newlen; alloclen *= 2)
+			;
+	}
 	if (!(s->data = realloc(s->data, alloclen)))
 		err(1, "realloc");
 	s->bufsiz = alloclen;
@@ -262,6 +266,12 @@ string_append(String *s, const char *data, size_t len)
 {
 	if (!len)
 		return;
+
+	if (s->len >= SIZE_MAX - len) {
+		errno = EOVERFLOW;
+		err(1, "realloc");
+	}
+
 	/* check if allocation is necessary, don't shrink buffer,
 	 * should be more than bufsiz of course. */
 	if (s->len + len >= s->bufsiz)
author	Hiltjo Posthuma <hiltjo@codemadness.org>	2019-10-12 14:01:17 +0200
committer	Hiltjo Posthuma <hiltjo@codemadness.org>	2019-10-12 14:01:17 +0200
commit	a811215d22dd40b938021b9f41daf315ac11e685 (patch)
tree	84f4b830bc591d42121d24a00739df2bd6188e96 /sfeed.c
parent	0326a6b837a7e5bb490360a7cdb0225947cee166 (diff)