Author: omote.masahito
Date: Thu Dec 11 09:14:22 2008
New Revision: 5648
Modified:
trunk/uim/curl.c
Log:
* uim/curl.c
- Add checks for size_t overflow. They are not fully tested because no
environment is available for checking 'in memory' transfers over 4G.
- The first check is taken from jemalloc.c.
Modified: trunk/uim/curl.c
==============================================================================
--- trunk/uim/curl.c (original)
+++ trunk/uim/curl.c Thu Dec 11 09:14:22 2008
@@ -84,6 +84,19 @@
struct curl_memory_struct *mem = (struct curl_memory_struct *)data;
size_t realsize = size * nmemb;
+ /*
+ * We know that it isn't possible to overflow during multiplication if
+ * neither operand uses any of the most significant half of the bits in
+ * a size_t.
+ */
+ if((unsigned long long)((nmemb | size) &
+ ((unsigned long long)SIZE_MAX << (sizeof(size_t) << 2))) &&
+ (realsize / size != nmemb))
+ return 0;
+
+ if(SIZE_MAX - mem->size - 1 < realsize)
+ realsize = SIZE_MAX - mem->size - 1;
+
if(mem->str != NULL)
mem->str = uim_realloc(mem->str, mem->size + realsize + 1);
else