Module Name: src Committed By: christos Date: Sun Jan 13 01:32:51 UTC 2019
Modified Files: src/lib/libwrap: expandm.c Log Message: check for *. integer overflow over ptrdiff. Pointed out by kre@ To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/lib/libwrap/expandm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/lib/libwrap/expandm.c diff -u src/lib/libwrap/expandm.c:1.5 src/lib/libwrap/expandm.c:1.6 --- src/lib/libwrap/expandm.c:1.5 Sat Jan 12 17:14:08 2019 +++ src/lib/libwrap/expandm.c Sat Jan 12 20:32:51 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: expandm.c,v 1.5 2019/01/12 22:14:08 kre Exp $ */ +/* $NetBSD: expandm.c,v 1.6 2019/01/13 01:32:51 christos Exp $ */ /*- * Copyright (c) 2018 The NetBSD Foundation, Inc. @@ -29,8 +29,9 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include <sys/cdefs.h> -__RCSID("$NetBSD: expandm.c,v 1.5 2019/01/12 22:14:08 kre Exp $"); +__RCSID("$NetBSD: expandm.c,v 1.6 2019/01/13 01:32:51 christos Exp $"); +#include <limits.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -38,6 +39,12 @@ __RCSID("$NetBSD: expandm.c,v 1.5 2019/0 #include "expandm.h" +#ifdef TEST +#undef INT_MAX +#define INT_MAX 31 +#endif + + const char * __attribute__((__format_arg__(1))) expandm(const char *fmt, const char *sf, char **rbuf) { @@ -49,8 +56,24 @@ expandm(const char *fmt, const char *sf, ptr = m + 2) { size_t cnt = 0; + for (char *p = m; p >= ptr && *p == '%'; p--) cnt++; + + if (__predict_false((m - ptr) >= INT_MAX)) { + size_t blen = buf ? strlen(buf) : 0; + size_t nlen = (size_t)(m - ptr); + + nbuf = realloc(buf, blen + nlen + 1); + if (nbuf == NULL) + goto out; + + memcpy(nbuf + blen, ptr, nlen); + nbuf[blen + nlen] = '\0'; + ptr += nlen; + buf = nbuf; + } + if (asprintf(&nbuf, "%s%.*s%s", buf ? buf : "", (int)(m - ptr), ptr, (cnt & 1) ? e : "%m") == -1) goto out;