From befb7439c2cf4768bcca09651d6325e8f078e992 Mon Sep 17 00:00:00 2001
From: Sandro Santilli <strk@kbt.io>
Date: Tue, 6 Jun 2017 09:37:10 +0200
Subject: [PATCH 04/29] Guard against buflen integer overflow (CVE-2017-8782)

See #70
---
 util/read.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/util/read.c b/util/read.c
index b4296959..892e754d 100644
--- a/util/read.c
+++ b/util/read.c
@@ -20,6 +20,7 @@
 *
 ****************************************************************************/
 
+#include <limits.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -236,23 +237,33 @@ char *readBytes(FILE *f,int size)
 char *readString(FILE *f)
 {
-int len = 0, buflen = 256;
+unsigned int len = 0, buflen = 256;
 char c, *buf, *p;
-buf = (char *)malloc(sizeof(char)*256);
+buf = (char *)malloc(sizeof(char)*buflen);
+if ( ! buf )
+{
+fprintf(stderr, "failed allocating %d bytes\n", buflen);
+exit(-1);
+}
 p = buf;
 while((c=(char)readUInt8(f)) != '\0')
 {
 if(len >= buflen-2)
 {
-buf = (char *)realloc(buf, sizeof(char)*(buflen+256));
-if ( ! buf )
+if ( buflen >= UINT_MAX - 256 )
 {
-fprintf(stderr, "failed reallocating %d bytes\n", buflen+256);
+fprintf(stderr, "string null-termination missing after reading %d bytes, giving up\n", buflen);
 exit(-1);
 }
 buflen += 256;
+buf = (char *)realloc(buf, sizeof(char)*(buflen));
+if ( ! buf )
+{
+fprintf(stderr, "failed allocating %d bytes\n", buflen);
+exit(-1);
+}
 p = buf+len;
 }
-- 
2.14.3
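Review bot: The three fprintf calls added in readString print buflen with `%d`, but the same hunk changes its declaration to `unsigned int len = 0, buflen = 256;`, so the conversion specifier no longer matches the argument type; use `%u` in all three, e.g. `fprintf(stderr, "failed allocating %u bytes\n", buflen);` and likewise in the "string null-termination missing after reading" message. The `buflen >= UINT_MAX - 256` check is placed before `buflen += 256`, so the wraparound the old `buflen+256` growth allowed is now caught, and assigning the realloc result straight back to `buf` is harmless here only because the failure branch calls exit immediately. What readUInt8 returns at end of input is not visible in this hunk; if it does not yield a NUL, a stream that ends without a terminator keeps growing the buffer until buflen approaches UINT_MAX before the new message fires, so a cap derived from the caller or the remaining file size would fail much sooner — worth confirming against readUInt8. readString's body continues past the end of the hunk.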