From 031bc56f658561a6036fa9f1a1b6070b56ca8fd5 Mon Sep 17 00:00:00 2001 From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] tload: Prevent integer overflows of ncols, nrows, and scr_size. Also, use xerrx() instead of xerr() since errno is not set. --- tload.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tload.c b/tload.c index 4b925e37..509c5ff4 100644 --- a/tload.c +++ b/tload.c @@ -43,6 +43,7 @@ #include #include #include +#include static char *screen; @@ -70,9 +71,13 @@ static void setsize(int i) if (win.ws_row > 0) nrows = win.ws_row; } + if (ncols < 2 || ncols >= INT_MAX) + xerrx(EXIT_FAILURE, _("screen too small or too large")); + if (nrows < 2 || nrows >= INT_MAX / ncols) + xerrx(EXIT_FAILURE, _("screen too small or too large")); scr_size = nrows * ncols; if (scr_size < 2) - xerr(EXIT_FAILURE, _("screen too small")); + xerrx(EXIT_FAILURE, _("screen too small")); if (screen == NULL) screen = (char *)xmalloc(scr_size); else