sfeed

simple feed reader - forked from git.codemadness.org/sfeed
git clone git://src.gearsix.net/sfeed
Log | Files | Refs | Atom | README | LICENSE
commit a811215d22dd40b938021b9f41daf315ac11e685
parent 0326a6b837a7e5bb490360a7cdb0225947cee166
Author: Hiltjo Posthuma <hiltjo@codemadness.org>
Date:   Sat, 12 Oct 2019 14:01:17 +0200

string_append: check for addition and multiplication overflow

This could overflow / wrap the buffer.

Note: SIZE_MAX is defined in POSIX to atleast 65535.

On most platforms on 64-bit this is 0xffffffffffffffffUL bytes.

Diffstat:

Msfeed.c | 14++++++++++++--


1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/sfeed.c b/sfeed.c
@@ -250,8 +250,12 @@ string_buffer_realloc(String *s, size_t newlen)
 {
 	size_t alloclen;
 
-	for (alloclen = 64; alloclen <= newlen; alloclen *= 2)
-		;
+	if (newlen > SIZE_MAX / 2) {
+		alloclen = SIZE_MAX;
+	} else {
+		for (alloclen = 64; alloclen <= newlen; alloclen *= 2)
+			;
+	}
 	if (!(s->data = realloc(s->data, alloclen)))
 		err(1, "realloc");
 	s->bufsiz = alloclen;
@@ -262,6 +266,12 @@ string_append(String *s, const char *data, size_t len)
 {
 	if (!len)
 		return;
+
+	if (s->len >= SIZE_MAX - len) {
+		errno = EOVERFLOW;
+		err(1, "realloc");
+	}
+
 	/* check if allocation is necessary, don't shrink buffer,
 	 * should be more than bufsiz of course. */
 	if (s->len + len >= s->bufsiz)