top: Prevent integer overflows in config_file() and other_selection().

This commit is contained in:
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent 9c745975b2
commit 8ab8c1a469

View File

@ -3797,6 +3797,9 @@ error Hey, fix the above fscanf 'PFLAGSSIZ' dependency !
size_t lraw = strlen(Inspect.raw) +1; size_t lraw = strlen(Inspect.raw) +1;
char *s; char *s;
if (i < 0 || (size_t)i >= INT_MAX / sizeof(struct I_ent)) break;
if (lraw >= INT_MAX - sizeof(fbuf)) break;
if (!fgets(fbuf, sizeof(fbuf), fp)) break; if (!fgets(fbuf, sizeof(fbuf), fp)) break;
lraw += strlen(fbuf) +1; lraw += strlen(fbuf) +1;
Inspect.raw = alloc_r(Inspect.raw, lraw); Inspect.raw = alloc_r(Inspect.raw, lraw);
@ -4644,6 +4647,9 @@ static void other_selection (int ch) {
, inc ? N_txt(WORD_include_txt) : N_txt(WORD_exclude_txt))); , inc ? N_txt(WORD_include_txt) : N_txt(WORD_exclude_txt)));
return; return;
} }
if (Curwin->osel_prt && strlen(Curwin->osel_prt) >= INT_MAX - (sizeof(raw) + 6)) {
return;
}
osel = alloc_c(sizeof(struct osel_s)); osel = alloc_c(sizeof(struct osel_s));
osel->inc = inc; osel->inc = inc;
osel->enu = enu; osel->enu = enu;