Source-Changes-HG archive


[src/trunk]: src/lib/libwrap check for *. integer overflow over ptrdiff. Poin...



details:   https://anonhg.NetBSD.org/src/rev/cfd4f2796fd7
branches:  trunk
changeset: 447480:cfd4f2796fd7
user:      christos <christos%NetBSD.org@localhost>
date:      Sun Jan 13 01:32:51 2019 +0000

description:
check for *. integer overflow over ptrdiff. Pointed out by kre@

diffstat:

 lib/libwrap/expandm.c |  27 +++++++++++++++++++++++++--
 1 files changed, 25 insertions(+), 2 deletions(-)

diffs (58 lines):

diff -r 2334e6270910 -r cfd4f2796fd7 lib/libwrap/expandm.c
--- a/lib/libwrap/expandm.c     Sun Jan 13 00:11:29 2019 +0000
+++ b/lib/libwrap/expandm.c     Sun Jan 13 01:32:51 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: expandm.c,v 1.5 2019/01/12 22:14:08 kre Exp $  */
+/*     $NetBSD: expandm.c,v 1.6 2019/01/13 01:32:51 christos Exp $     */
 
 /*-
  * Copyright (c) 2018 The NetBSD Foundation, Inc.
@@ -29,8 +29,9 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: expandm.c,v 1.5 2019/01/12 22:14:08 kre Exp $");
+__RCSID("$NetBSD: expandm.c,v 1.6 2019/01/13 01:32:51 christos Exp $");
 
+#include <limits.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -38,6 +39,12 @@
 
 #include "expandm.h"
 
+#ifdef TEST
+#undef INT_MAX
+#define INT_MAX 31
+#endif
+
+
 const char * __attribute__((__format_arg__(1)))
 expandm(const char *fmt, const char *sf, char **rbuf)
 {
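Review bot: The `#ifdef TEST` block redefines the standard `INT_MAX` macro for the rest of the file without saying why. It appears to exist so that the `(m - ptr) >= INT_MAX` check in expandm() can be reached with short strings, but nothing here says so. A comment above the `#undef`, such as `/* TEST: shrink INT_MAX so the oversized-segment path in expandm() triggers on short inputs */`, would document that. Overriding a `<limits.h>` macro also changes every other use of `INT_MAX` later in this translation unit in TEST builds, so a file-local limit macro that defaults to `INT_MAX` would be a safer test hook. expandm()'s body continues outside the hunk.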
@@ -49,8 +56,24 @@
            ptr = m + 2)
        {
                size_t cnt = 0;
+
                for (char *p = m; p >= ptr && *p == '%'; p--)
                        cnt++;
+
+               if (__predict_false((m - ptr) >= INT_MAX)) {
+                        size_t blen = buf ? strlen(buf) : 0;
+                        size_t nlen = (size_t)(m - ptr);
+
+                        nbuf = realloc(buf, blen + nlen + 1);
+                        if (nbuf == NULL)
+                                goto out;
+
+                        memcpy(nbuf + blen, ptr, nlen);
+                        nbuf[blen + nlen] = '\0';
+                        ptr += nlen;
+                        buf = nbuf;
+                }
+
                if (asprintf(&nbuf, "%s%.*s%s", buf ? buf : "",
                    (int)(m - ptr), ptr, (cnt & 1) ? e : "%m") == -1)
                        goto out;
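Review bot: The new oversized-segment branch removes the `(int)(m - ptr)` truncation, but the `asprintf` call right after it still formats the enlarged `buf` through `%s` and returns the total length as an `int`. Once `buf` holds `INT_MAX` bytes or more, that call is likely to fail and take the `goto out` path anyway; this is inferred from asprintf's `int` return, and the `out:` label is outside the hunk. If failing on such input is the intended outcome, rejecting it up front is simpler and avoids the large `realloc` and `memcpy`: `if (__predict_false((m - ptr) >= INT_MAX)) goto out;`. If the expansion is meant to succeed, the append of `e` or `"%m"` would also have to be done with `realloc`/`memcpy` rather than `asprintf`. The enclosing loop and the rest of expandm() start and end outside the hunk.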


