Subject: Re: rm(1) and cp(1) printable characters diff
To: None <tech-userlevel@netbsd.org>
From: Charles Blundell <cb@kittenz.org>
List: tech-userlevel
Date: 07/21/2003 11:52:50
on Sun, Jul 20, 2003 at 07:51:26PM -0400, Jan Schaumann wrote:
> +char *
> +printescaped(const char *src)
> +{
> +	char *retval;
> +
> +	retval = (char *)malloc(((strlen(src) * 4) + 1));
> +	if (stdin_ok && (retval != NULL)) {
> +		(void)strvis(retval, src, VIS_NL | VIS_CSTYLE);
> +		return retval;
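Review bot: the size expression `strlen(src) * 4 + 1` on the malloc line wraps around size_t once strlen(src) exceeds SIZE_T_MAX/4, so the buffer comes back far smaller than the 4*len + 1 bytes strvis may write into it; compare the length against (SIZE_T_MAX - 1) / 4 before multiplying and fail the call when it is larger. Two smaller points: the `(char *)` cast on malloc is unnecessary in C, and testing stdin_ok before the malloc rather than after it avoids allocating a buffer that is then not used.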

For what it's worth, this will overflow for certain large lengths of 
src. I think the magic values start at strlen(src) = SIZE_T_MAX/4.
[(4*SIZE_T_MAX/4) + 1 = SIZE_T_MAX + 1 -> int overflow.]
This will result in less memory being allocated than is expected
when using gcc.

I think this will prevent it:

    size_t len;

    len = strlen(src);
    /* refuse any length for which 4*len + 1 would wrap around size_t */
    if (len != 0 && SIZE_T_MAX/len <= 4)
	    error;
    retval = malloc(4*len + 1);
    if (stdin_ok && retval != NULL) {
    ...

Of course whether the kernel is willing to accept a quarter of a
32-bit address space's worth of data to be passed as arguments to
a program is another matter entirely...
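The wrap-around and the guard against it, as an added example that is not part of the original message or of the NetBSD patch: escaped_bufsize() refuses any length for which 4*len + 1 would not fit in a size_t, unchecked_bufsize() shows what the original expression yields just past that threshold, and printescaped() is a hardened version of the function under discussion. Because the example is meant to build without <vis.h>, escape_bytes() is an assumed stand-in for strvis(3) with VIS_NL | VIS_CSTYLE, not NetBSD's implementation; its only property that matters here is that it expands each input byte to at most four output bytes. The name escaped_bufsize, unchecked_bufsize and escape_bytes are this example's own. SIZE_MAX from <stdint.h> plays the role of SIZE_T_MAX in the reply.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Size of the buffer strvis(3) needs for a string of len bytes: every
 * input byte may expand to four output bytes ("\ooo"), plus the NUL.
 * Returns 0 (never a valid size, since the NUL alone needs one byte)
 * when 4*len + 1 would not fit in a size_t.
 */
size_t
escaped_bufsize(size_t len)
{
	/* 4*len + 1 <= SIZE_MAX  <=>  len <= (SIZE_MAX - 1) / 4 */
	if (len > (SIZE_MAX - 1) / 4)
		return 0;
	return 4 * len + 1;
}

/* The original, unchecked expression: silently wraps past the threshold. */
size_t
unchecked_bufsize(size_t len)
{
	return len * 4 + 1;
}

/*
 * Assumed stand-in for strvis(dst, src, VIS_NL | VIS_CSTYLE) so the example
 * builds without <vis.h>: printable ASCII other than backslash is copied,
 * newline becomes "\n", backslash becomes "\\", everything else becomes a
 * three-digit octal escape.  Worst case is four output bytes per input byte,
 * which is what the 4*len + 1 sizing rule assumes.
 */
static size_t
escape_bytes(char *dst, const char *src)
{
	const unsigned char *s = (const unsigned char *)src;
	char *d = dst;

	for (; *s != '\0'; s++) {
		if (*s == '\n') {
			*d++ = '\\'; *d++ = 'n';
		} else if (*s == '\\') {
			*d++ = '\\'; *d++ = '\\';
		} else if (isprint(*s)) {
			*d++ = (char)*s;
		} else {
			d += sprintf(d, "\\%03o", (unsigned)*s);
		}
	}
	*d = '\0';
	return (size_t)(d - dst);
}

/* Hardened printescaped(): refuse inputs whose escaped size cannot be represented. */
char *
printescaped(const char *src)
{
	size_t need = escaped_bufsize(strlen(src));
	char *retval;

	if (need == 0)
		return NULL;	/* would wrap: report an error, not a short buffer */
	retval = malloc(need);
	if (retval == NULL)
		return NULL;
	escape_bytes(retval, src);
	return retval;
}

int
main(void)
{
	size_t bad = SIZE_MAX / 4 + 1;	/* first length past the threshold */
	char *e = printescaped("a\nb\\\001");	/* constructed sample input */

	printf("unchecked_bufsize(%zu) = %zu\n", bad, unchecked_bufsize(bad));
	printf("escaped_bufsize(%zu)   = %zu (0 means refused)\n", bad, escaped_bufsize(bad));
	printf("escaped: %s\n", e != NULL ? e : "(null)");
	free(e);
	return 0;
}
```

The comparison form `len > (SIZE_MAX - 1) / 4` accepts every length whose buffer size is representable and nothing else; the division form in the reply, `SIZE_T_MAX/len <= 4`, is also safe but additionally refuses lengths between SIZE_T_MAX/5 and (SIZE_T_MAX - 1)/4, which is harmless for this use.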