From a811215d22dd40b938021b9f41daf315ac11e685 Mon Sep 17 00:00:00 2001 From: Hiltjo Posthuma Date: Sat, 12 Oct 2019 14:01:17 +0200 Subject: string_append: check for addition and multiplication overflow This could overflow / wrap the buffer. Note: SIZE_MAX is defined in POSIX to atleast 65535. On most platforms on 64-bit this is 0xffffffffffffffffUL bytes. --- sfeed.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'sfeed.c') diff --git a/sfeed.c b/sfeed.c index bb79d34..d44b3fd 100644 --- a/sfeed.c +++ b/sfeed.c @@ -250,8 +250,12 @@ string_buffer_realloc(String *s, size_t newlen) { size_t alloclen; - for (alloclen = 64; alloclen <= newlen; alloclen *= 2) - ; + if (newlen > SIZE_MAX / 2) { + alloclen = SIZE_MAX; + } else { + for (alloclen = 64; alloclen <= newlen; alloclen *= 2) + ; + } if (!(s->data = realloc(s->data, alloclen))) err(1, "realloc"); s->bufsiz = alloclen; @@ -262,6 +266,12 @@ string_append(String *s, const char *data, size_t len) { if (!len) return; + + if (s->len >= SIZE_MAX - len) { + errno = EOVERFLOW; + err(1, "realloc"); + } + /* check if allocation is necessary, don't shrink buffer, * should be more than bufsiz of course. */ if (s->len + len >= s->bufsiz) -- cgit v1.2.3