From 997f47f77a135d9119bc167bbe7e5aaede078259 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Helleu?=
Date: Sat, 8 Oct 2016 13:10:56 +0200
Subject: [PATCH] core: fix integer overflow in calls to realloc (issue #809)

---
 src/core/wee-util.c | 5 +++++
 src/gui/gui-buffer.c | 15 ++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/core/wee-util.c b/src/core/wee-util.c
index b1f567916..0dccb1861 100644
--- a/src/core/wee-util.c
+++ b/src/core/wee-util.c
@@ -24,6 +24,7 @@
 #endif
 
 #include
+#include
 #include
 #include
 #include
@@ -672,6 +673,8 @@ util_file_get_content (const char *filename)
     while (!feof (f))
     {
+        if (fp > SIZE_MAX - (1024 * sizeof (char)))
+            goto error;
         buffer2 = (char *) realloc (buffer, (fp + (1024 * sizeof (char))));
         if (!buffer2)
             goto error;
@@ -681,6 +684,8 @@ util_file_get_content (const char *filename)
             goto error;
         fp += count;
     }
+    if (fp > SIZE_MAX - sizeof (char))
+        goto error;
     buffer2 = (char *) realloc (buffer, fp + sizeof (char));
     if (!buffer2)
         goto error;
diff --git a/src/gui/gui-buffer.c b/src/gui/gui-buffer.c
index d85f06aff..66cd1fb14 100644
--- a/src/gui/gui-buffer.c
+++ b/src/gui/gui-buffer.c
@@ -24,6 +24,7 @@
 #endif
 
 #include
+#include
 #include
 #include
 #include
@@ -791,7 +792,8 @@ char *
 gui_buffer_string_replace_local_var (struct t_gui_buffer *buffer,
                                     const char *string)
 {
-    int length, length_var, index_string, index_result;
+    int index_string, index_result;
+    size_t length, length_var;
     char *result, *result2, *local_var;
     const char *pos_end_name, *ptr_value;
 
@@ -830,8 +832,15 @@ gui_buffer_string_replace_local_var (struct t_gui_buffer *buffer,
         if (ptr_value)
         {
             length_var = strlen (ptr_value);
-            length += length_var;
-            result2 = realloc (result, length);
+            if (length > SIZE_MAX - length_var)
+            {
+                result2 = NULL;
+            }
+            else
+            {
+                length += length_var;
+                result2 = realloc (result, length);
+            }
             if (!result2)
             {
                 if (result)
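Review bot: The two new guards in util_file_get_content carry no comment saying why they exist, and their correctness rests on fp being an unsigned size type, which neither hunk shows (the declaration and the error label are outside the hunks, as is the rest of the function). If fp is size_t the checks are exactly right; if it were a signed int, fp would be converted to unsigned for the comparison and a negative value would pass the guard and reach realloc. I would add `/* guard the size computation below against size_t wrap (issue #809) */` above the first check, and the same wording above the second guard in the following hunk.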
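Review bot: Changing length and length_var to size_t while index_string and index_result stay int splits the function's arithmetic across signed and unsigned types; any place outside this hunk where length is compared with, or assigned from, one of the int indices now mixes signed and unsigned, which -Wsign-compare will flag and which gives surprising results for negative values. The rest of gui_buffer_string_replace_local_var is not visible here, so I can only ask that those uses be checked rather than point at one. A one-line comment on the declaration, `/* lengths are size_t so the SIZE_MAX overflow checks below are meaningful */`, would record why the two groups now differ.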
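Review bot: Setting result2 to NULL on the overflow branch deliberately reuses the realloc-failure path that follows, but nothing says so, and a reader may take it for a forgotten allocation. I would put `/* length + length_var would wrap size_t: treat it like a failed realloc */` on the line before the new `if`. The branch also leaves length unchanged, which the cleanup below presumably relies on; that cleanup continues outside the hunk, so its handling of result should be confirmed there.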