Re: Changing fgetstr/fgetln to use getdelim

To: Matthew Mondor <mm_lists%pulsar-zone.net@localhost>
Subject: Re: Changing fgetstr/fgetln to use getdelim
From: Roy Marples <roy%NetBSD.org@localhost>
Date: Mon, 21 Sep 2009 08:38:59 +0100

Matthew Mondor wrote:

On Sun, 20 Sep 2009 16:51:05 +0100
Roy Marples <roy%marples.name@localhost> wrote:
One thing I did notice though is that __slbexpand expands the buffer onupto a size_t, but the place holder on the struct is only an int anddoesn't have any bounds checking. Surely this is a potential overflow?
I didn't check the whole file (only the diff), but it appears that the
old expand code added more bytes than requested, possibly in attempt
not to realloc(3) too often.  A common practice is to simply double the
buffer for better performance, although this might be overkill.


Yes, you are correct. But consider this

/* stdio buffers */
struct __sbuf {
        unsigned char *_base;
        int     _size;
};

It's trying to store a size_t in _size without any range checking, whichin my eyes is asking for trouble. Here's the part of my patch whichfixes this.


+       if (size > INT_MAX) {
+               fp->_lb._size = INT_MAX;
+               errno = EOVERFLOW;
+               goto error;
        }

Thanks

Roy

References:
- Changing fgetstr/fgetln to use getdelim
  - From: Roy Marples
- Re: Changing fgetstr/fgetln to use getdelim
  - From: Matthew Mondor

Prev by Date: Re: Changing fgetstr/fgetln to use getdelim
Next by Date: fold(1) and "blank" and add lazy option
Previous by Thread: Re: Changing fgetstr/fgetln to use getdelim
Next by Thread: Re: Changing fgetstr/fgetln to use getdelim
Indexes:

Home | Main Index | Thread Index | Old Index