Do not rely on unspecified behavior for the overflow check.
- todd
Index: usr.bin/vi/common/delete.c
===================================================================
RCS file: /cvs/src/usr.bin/vi/common/delete.c,v
retrieving revision 1.9
diff -u -r1.9 delete.c
--- usr.bin/vi/common/delete.c 12 Nov 2014 04:28:41 -0000 1.9
+++ usr.bin/vi/common/delete.c 6 Feb 2015 21:38:10 -0000
@@ -16,7 +16,7 @@
#include <bitstring.h>
#include <errno.h>
-#include <limits.h>
+#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -113,17 +113,11 @@
if (db_get(sp, tm->lno, DBG_FATAL, &p, &len))
goto err;
if (len != 0 && tm->cno != len - 1) {
- /*
- * XXX
- * We can overflow memory here, if the total length is greater
- * than SIZE_T_MAX. The only portable way I've found to test
- * is depending on the overflow being less than the value.
- */
- nlen = (len - (tm->cno + 1)) + tlen;
- if (tlen > nlen) {
+ if (len < tm->cno + 1 || len - (tm->cno + 1) > SIZE_MAX - tlen)
{
msgq(sp, M_ERR, "002|Line length overflow");
goto err;
}
+ nlen = (len - (tm->cno + 1)) + tlen;
if (tlen == 0) {
GET_SPACE_RET(sp, bp, blen, nlen);
} else
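Review bot: The first disjunct of the new check, `len < tm->cno + 1`, still evaluates `tm->cno + 1`, which wraps to 0 when tm->cno is SIZE_MAX (assuming cno has the same unsigned type as len), so that edge case silently falls through to the second disjunct instead of being rejected; `tm->cno >= len` expresses the same condition without the addition. That disjunct is also a cursor-past-end-of-line condition rather than a length overflow, so reporting it as "002|Line length overflow" is somewhat misleading; a one-line comment such as `/* cno past end of line, or (len - (cno + 1)) + tlen would exceed SIZE_MAX */` above the if would make the intent clear to the next reader. The `{` on its own line after the added condition looks like a mail-client wrap of a single added line rather than a deliberate style change, since the existing `if (len != 0 && tm->cno != len - 1) {` keeps the brace on the if line; worth confirming before commit.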