summaryrefslogtreecommitdiff
path: root/libbb
diff options
context:
space:
mode:
authorQuentin Rameau2018-04-01 19:49:58 +0200
committerDenys Vlasenko2018-04-01 19:51:14 +0200
commite2afae6303e871a31a061d03359cfcd5dd86c088 (patch)
tree40482184a4ff53ea4fd3439f96e0e7e967a075cc /libbb
parent2da9724b56169f00bd7fb6b9a11c9409a7620981 (diff)
downloadbusybox-e2afae6303e871a31a061d03359cfcd5dd86c088.zip
busybox-e2afae6303e871a31a061d03359cfcd5dd86c088.tar.gz
sed: prevent overflow of length from bb_get_chunk_from_file
This fragment did not work right: temp = bb_get_chunk_from_file(fp, &len); if (temp) { /* len > 0 here, it's ok to do temp[len-1] */ char c = temp[len-1]; With "int len" _sign-extending_, temp[len-1] can refer to a wrong location if len > 0x7fffffff. Signed-off-by: Quentin Rameau <quinq@fifth.space> Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'libbb')
-rw-r--r--libbb/get_line_from_file.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/libbb/get_line_from_file.c b/libbb/get_line_from_file.c
index 941ea12..d100669 100644
--- a/libbb/get_line_from_file.c
+++ b/libbb/get_line_from_file.c
@@ -10,16 +10,19 @@
*/
#include "libbb.h"
-char* FAST_FUNC bb_get_chunk_from_file(FILE *file, int *end)
+char* FAST_FUNC bb_get_chunk_from_file(FILE *file, size_t *end)
{
int ch;
- unsigned idx = 0;
+ size_t idx = 0;
char *linebuf = NULL;
while ((ch = getc(file)) != EOF) {
/* grow the line buffer as necessary */
- if (!(idx & 0xff))
+ if (!(idx & 0xff)) {
+ if (idx == ((size_t)-1) - 0xff)
+ bb_error_msg_and_die(bb_msg_memory_exhausted);
linebuf = xrealloc(linebuf, idx + 0x100);
+ }
linebuf[idx++] = (char) ch;
if (ch == '\0')
break;
@@ -49,7 +52,7 @@ char* FAST_FUNC xmalloc_fgets(FILE *file)
/* Get line. Remove trailing \n */
char* FAST_FUNC xmalloc_fgetline(FILE *file)
{
- int i;
+ size_t i;
char *c = bb_get_chunk_from_file(file, &i);
if (i && c[--i] == '\n')