proc/readproc.c: Harden vectorize_this_str().
This detects an integer overflow of "strlen + 1", prevents an integer overflow of "tot + adj + (2 * pSZ)", and avoids calling snprintf with a string longer than INT_MAX. Truncate rather than fail, since the callers do not expect a failure of this function.
This commit is contained in:
parent
39dcf47bc8
commit
6939463606
@ -801,9 +801,10 @@ static int read_unvectored(char *restrict const dst, unsigned sz, const char* wh
|
|||||||
static char** vectorize_this_str (const char* src) {
|
static char** vectorize_this_str (const char* src) {
|
||||||
#define pSZ (sizeof(char*))
|
#define pSZ (sizeof(char*))
|
||||||
char *cpy, **vec;
|
char *cpy, **vec;
|
||||||
int adj, tot;
|
size_t adj, tot;
|
||||||
|
|
||||||
tot = strlen(src) + 1; // prep for our vectors
|
tot = strlen(src) + 1; // prep for our vectors
|
||||||
|
if (tot < 1 || tot >= INT_MAX) tot = INT_MAX-1; // integer overflow?
|
||||||
adj = (pSZ-1) - ((tot + pSZ-1) & (pSZ-1)); // calc alignment bytes
|
adj = (pSZ-1) - ((tot + pSZ-1) & (pSZ-1)); // calc alignment bytes
|
||||||
cpy = xcalloc(tot + adj + (2 * pSZ)); // get new larger buffer
|
cpy = xcalloc(tot + adj + (2 * pSZ)); // get new larger buffer
|
||||||
snprintf(cpy, tot, "%s", src); // duplicate their string
|
snprintf(cpy, tot, "%s", src); // duplicate their string
|
||||||
|
Loading…
x
Reference in New Issue
Block a user