Module Name:    src
Committed By:   christos
Date:           Sun Jan 13 01:32:51 UTC 2019

Modified Files:
        src/lib/libwrap: expandm.c

Log Message:
check for *. integer overflow over ptrdiff. Pointed out by kre@


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/lib/libwrap/expandm.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libwrap/expandm.c
diff -u src/lib/libwrap/expandm.c:1.5 src/lib/libwrap/expandm.c:1.6
--- src/lib/libwrap/expandm.c:1.5	Sat Jan 12 17:14:08 2019
+++ src/lib/libwrap/expandm.c	Sat Jan 12 20:32:51 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: expandm.c,v 1.5 2019/01/12 22:14:08 kre Exp $	*/
+/*	$NetBSD: expandm.c,v 1.6 2019/01/13 01:32:51 christos Exp $	*/
 
 /*-
  * Copyright (c) 2018 The NetBSD Foundation, Inc.
@@ -29,8 +29,9 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: expandm.c,v 1.5 2019/01/12 22:14:08 kre Exp $");
+__RCSID("$NetBSD: expandm.c,v 1.6 2019/01/13 01:32:51 christos Exp $");
 
+#include <limits.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -38,6 +39,12 @@ __RCSID("$NetBSD: expandm.c,v 1.5 2019/0
 
 #include "expandm.h"
 
+#ifdef TEST
+#undef INT_MAX
+#define INT_MAX 31
+#endif
+
+
 const char * __attribute__((__format_arg__(1)))
 expandm(const char *fmt, const char *sf, char **rbuf)
 {
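Review bot: The `#undef INT_MAX` / `#define INT_MAX 31` pair under `#ifdef TEST` redefines a name that is reserved for the implementation once `<limits.h>` is included, and it changes every later use of INT_MAX in this file, not only the new length check. A file-local limit would keep the test hook without touching the standard macro: `#define EXPANDM_MAX INT_MAX` by default and `#define EXPANDM_MAX 31` under TEST, with the check in the next hunk written as `(m - ptr) >= EXPANDM_MAX` (the macro name here is only a suggestion). A one-line comment stating that the small value exists to exercise the long-segment path in tests would also help the next reader.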
@@ -49,8 +56,24 @@ expandm(const char *fmt, const char *sf,
 	    ptr = m + 2)
 	{
 		size_t cnt = 0;
+
 		for (char *p = m; p >= ptr && *p == '%'; p--)
 			cnt++;
+
+               if (__predict_false((m - ptr) >= INT_MAX)) {
+                        size_t blen = buf ? strlen(buf) : 0;
+                        size_t nlen = (size_t)(m - ptr);
+
+                        nbuf = realloc(buf, blen + nlen + 1);
+                        if (nbuf == NULL)
+                                goto out;
+
+                        memcpy(nbuf + blen, ptr, nlen);
+                        nbuf[blen + nlen] = '\0';
+                        ptr += nlen;
+                        buf = nbuf;
+                }
+
 		if (asprintf(&nbuf, "%s%.*s%s", buf ? buf : "",
 		    (int)(m - ptr), ptr, (cnt & 1) ? e : "%m") == -1)
 			goto out;
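Review bot: The `asprintf` call that follows the new `(m - ptr) >= INT_MAX` branch still formats the enlarged `buf` through `%s`, and its `int` return value cannot describe a result longer than INT_MAX, so outside a TEST build this path probably still ends at `goto out`. The branch does keep the `(int)(m - ptr)` precision from being truncated, but the TEST value of 31 exercises a success case that a production build likely never reaches. If falling through to `out` is the intended result, say so in a comment such as `/* total now exceeds INT_MAX; asprintf() below is expected to fail */`; otherwise append the remaining piece with the same `realloc`/`memcpy` approach instead of `asprintf`. The added lines are also indented with spaces where the surrounding code uses tabs. The body of expandm() starts and ends outside this hunk, so what the `out` label does with `buf` is not visible here.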
