core: fix integer overflow in calls to realloc (issue #809)

2016-10-08 13:10:56 +02:00 · 2016-10-08 13:10:56 +02:00 · 997f47f77a
commit 997f47f77a
parent 485aff59c4
2 changed files with 17 additions and 3 deletions
--- a/src/core/wee-util.c
+++ b/src/core/wee-util.c
@ -24,6 +24,7 @@
 #endif

 #include <stdlib.h>
+#include <stdint.h>
 #include <errno.h>
 #include <string.h>
 #include <sys/types.h>
@ -672,6 +673,8 @@ util_file_get_content (const char *filename)

    while (!feof (f))
    {
+        if (fp > SIZE_MAX - (1024 * sizeof (char)))
+            goto error;
        buffer2 = (char *) realloc (buffer, (fp + (1024 * sizeof (char))));
        if (!buffer2)
            goto error;
@ -681,6 +684,8 @@ util_file_get_content (const char *filename)
            goto error;
        fp += count;
    }
+    if (fp > SIZE_MAX - sizeof (char))
+        goto error;
    buffer2 = (char *) realloc (buffer, fp + sizeof (char));
    if (!buffer2)
        goto error;
--- a/src/gui/gui-buffer.c
+++ b/src/gui/gui-buffer.c
@ -24,6 +24,7 @@
 #endif

 #include <stdlib.h>
+#include <stdint.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdarg.h>
@ -791,7 +792,8 @@ char *
 gui_buffer_string_replace_local_var (struct t_gui_buffer *buffer,
                                     const char *string)
 {
-    int length, length_var, index_string, index_result;
+    int index_string, index_result;
+    size_t length, length_var;
    char *result, *result2, *local_var;
    const char *pos_end_name, *ptr_value;

@ -830,8 +832,15 @@ gui_buffer_string_replace_local_var (struct t_gui_buffer *buffer,
                        if (ptr_value)
                        {
                            length_var = strlen (ptr_value);
-                            length += length_var;
-                            result2 = realloc (result, length);
+                            if (length > SIZE_MAX - length_var)
+                            {
+                                result2 = NULL;
+                            }
+                            else
+                            {
+                                length += length_var;
+                                result2 = realloc (result, length);
+                            }
                            if (!result2)
                            {
                                if (result)