pgrep: Prevent integer overflow of list size.
Not exploitable (not under an attacker's control), but still a potential non-security problem. Copied, fixed, and used the grow_size() macro from pidof.c.
parent
657053f5d0
commit
4ea5b22d62
16
pgrep.c
16
pgrep.c
@ -54,6 +54,12 @@
|
|||||||
#include "proc/devname.h"
|
#include "proc/devname.h"
|
||||||
#include "proc/sysinfo.h"
|
#include "proc/sysinfo.h"
|
||||||
|
|
||||||
|
#define grow_size(x) do { \
|
||||||
|
if ((x) < 0 || (size_t)(x) >= INT_MAX / 5 / sizeof(struct el)) \
|
||||||
|
xerrx(EXIT_FAILURE, _("integer overflow")); \
|
||||||
|
(x) = (x) * 5 / 4 + 4; \
|
||||||
|
} while (0)
|
||||||
|
|
||||||
static int i_am_pkill = 0;
|
static int i_am_pkill = 0;
|
||||||
|
|
||||||
struct el {
|
struct el {
|
||||||
@ -158,7 +164,7 @@ static struct el *split_list (const char *restrict str, int (*convert)(const cha
|
|||||||
|
|
||||||
do {
|
do {
|
||||||
if (i == size) {
|
if (i == size) {
|
||||||
size = size * 5 / 4 + 4;
|
grow_size(size);
|
||||||
/* add 1 because slot zero is a count */
|
/* add 1 because slot zero is a count */
|
||||||
list = xrealloc (list, (1 + size) * sizeof *list);
|
list = xrealloc (list, (1 + size) * sizeof *list);
|
||||||
}
|
}
|
||||||
@ -600,7 +606,7 @@ static struct el * select_procs (int *num)
|
|||||||
matches = 0;
|
matches = 0;
|
||||||
}
|
}
|
||||||
if (matches == size) {
|
if (matches == size) {
|
||||||
size = size * 5 / 4 + 4;
|
grow_size(size);
|
||||||
list = xrealloc(list, size * sizeof *list);
|
list = xrealloc(list, size * sizeof *list);
|
||||||
}
|
}
|
||||||
if (list && (opt_long || opt_longlong || opt_echo)) {
|
if (list && (opt_long || opt_longlong || opt_echo)) {
|
||||||
@ -624,10 +630,8 @@ static struct el * select_procs (int *num)
|
|||||||
|
|
||||||
// eventually grow output buffer
|
// eventually grow output buffer
|
||||||
if (matches == size) {
|
if (matches == size) {
|
||||||
size = size * 5 / 4 + 4;
|
grow_size(size);
|
||||||
list = realloc(list, size * sizeof *list);
|
list = xrealloc(list, size * sizeof *list);
|
||||||
if (list == NULL)
|
|
||||||
exit (EXIT_FATAL);
|
|
||||||
}
|
}
|
||||||
if (opt_long || opt_longlong) {
|
if (opt_long || opt_longlong) {
|
||||||
list[matches].str = xstrdup (cmdoutput);
|
list[matches].str = xstrdup (cmdoutput);
|
||||||
|
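Review bot: The overflow branch of `grow_size()` exits with `EXIT_FAILURE`, while the allocation-failure path this commit removes from `select_procs` used `exit (EXIT_FATAL)`. pgrep and pkill report "no process matched" through exit status 1, so if `EXIT_FAILURE` is 1 on the target platform, a script that tests the status would read an aborted run as a clean no-match result. I would change the macro line to `xerrx(EXIT_FATAL, _("integer overflow")); \` and put a short comment above the macro, for example `/* cap size so that size * sizeof(struct el) stays below INT_MAX */`, so that the reason for the `INT_MAX / 5 / sizeof(struct el)` bound is recorded next to it. The macro also depends on `INT_MAX` from `<limits.h>`; the include list lies mostly outside the visible hunk, so that is worth confirming.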