commit 7d26fc695d548b5a73305a97dce274a313e0f602
Author:     Laslo Hunhold <[email protected]>
AuthorDate: Sun Nov 1 01:47:11 2020 +0100
Commit:     Laslo Hunhold <[email protected]>
CommitDate: Sun Nov 1 01:49:27 2020 +0100

    Prevent overflow in strtonum()-parameters
    
    Make sure not to overflow the long long value. Given the standard
    doesn't bring any tangible guarantees for the upper limits of size_t,
    we just determine which (long long or size_t) is larger at compile time.
    
    Thanks José Miguel Sánchez García for reporting this!
    
    Signed-off-by: Laslo Hunhold <[email protected]>

diff --git a/http.c b/http.c
index d43ceaf..dc32290 100644
--- a/http.c
+++ b/http.c
@@ -491,10 +491,13 @@ parse_range(const char *str, size_t size, size_t *lower, 
size_t *upper)
                 * last byte if 'last' is not given),
                 * inclusively, and byte-numbering beginning at 0
                 */
-               *lower = strtonum(first, 0, SIZE_MAX, &err);
+               *lower = strtonum(first, 0, MIN(SIZE_MAX, LLONG_MAX),
+                                 &err);
                if (!err) {
                        if (last[0] != '\0') {
-                               *upper = strtonum(last, 0, SIZE_MAX, &err);
+                               *upper = strtonum(last, 0,
+                                                 MIN(SIZE_MAX, LLONG_MAX),
+                                                 &err);
                        } else {
                                *upper = size - 1;
                        }
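Review bot: The clamp `MIN(SIZE_MAX, LLONG_MAX)` is written out at both strtonum() calls in this hunk and again at the suffix-range call in the next hunk, and nothing at the call sites says why the bound is needed. Since these values are parsed from the client-supplied range string, I would define the limit once with its reason, for example `#define RANGE_MAX MIN(SIZE_MAX, LLONG_MAX) /* largest value that fits both size_t and strtonum()'s long long maxval */`, and use it at all three sites so they cannot drift apart. The macro compares an unsigned operand with a signed one; this gives the right result under the usual arithmetic conversions but may trigger -Wsign-compare, and neither the definition of MIN nor the include providing LLONG_MAX is visible in this diff. parse_range's body starts and ends outside the hunk.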
@@ -526,7 +529,7 @@ parse_range(const char *str, size_t size, size_t *lower, 
size_t *upper)
                 * use upper as a temporary storage for 'num',
                 * as we know 'upper' is size - 1
                 */
-               *upper = strtonum(last, 0, SIZE_MAX, &err);
+               *upper = strtonum(last, 0, MIN(SIZE_MAX, LLONG_MAX), &err);
                if (err) {
                        return S_BAD_REQUEST;
                }
