author | Paul Eggert <eggert@cs.ucla.edu> | 2020-12-29 17:08:11 -0800 |
---|---|---|
committer | Paul Eggert <eggert@cs.ucla.edu> | 2020-12-29 17:12:25 -0800 |
commit | 6a5be910cc575aa9f48bf0a31280f8a72e533063 (patch) | |
tree | 287c97486c85cbfc020131e3252bac17b5e9e0c9 /lib/canonicalize-lgpl.c | |
parent | b29d62dfaf8c55b18e9c8f30322a9bcde5255cb7 (diff) | |
download | gnulib-6a5be910cc575aa9f48bf0a31280f8a72e533063.tar.gz |
canonicalize: fix ptrdiff_t overflow bug
Problem reported by Adhemerval Zanella in:
https://sourceware.org/pipermail/libc-alpha/2020-December/121182.html
* lib/canonicalize-lgpl.c, lib/canonicalize.c:
Include intprops.h.
(NARROW_ADDRESSES): New constant.
* lib/canonicalize-lgpl.c (realpath_stk):
* lib/canonicalize.c (canonicalize_filename_mode_stk):
Work even if strlen (END) does not fit in idx_t, or if adding
N to it overflows.
* modules/canonicalize, modules/canonicalize-lgpl (Depends-on):
Add intprops.
Diffstat (limited to 'lib/canonicalize-lgpl.c')
-rw-r--r-- | lib/canonicalize-lgpl.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/lib/canonicalize-lgpl.c b/lib/canonicalize-lgpl.c
index 04fe95253f..e8b10f0e7d 100644
--- a/lib/canonicalize-lgpl.c
+++ b/lib/canonicalize-lgpl.c
@@ -40,6 +40,7 @@
 #include <eloop-threshold.h>
 #include <filename.h>
 #include <idx.h>
+#include <intprops.h>
 #include <scratch_buffer.h>
 #ifdef _LIBC
@@ -85,6 +86,10 @@
 # define IF_LINT(Code) /* empty */
 #endif
+/* True if adding two valid object sizes might overflow idx_t.
+ As a practical matter, this cannot happen on 64-bit machines. */
+enum { NARROW_ADDRESSES = IDX_MAX >> 31 >> 31 == 0 };
+
 #ifndef DOUBLE_SLASH_IS_DISTINCT_ROOT
 # define DOUBLE_SLASH_IS_DISTINCT_ROOT false
 #endif
@@ -338,7 +343,12 @@ realpath_stk (const char *name, char *resolved,
 idx_t end_idx IF_LINT (= 0);
 if (end_in_extra_buffer)
 end_idx = end - extra_buf;
- idx_t len = strlen (end);
+ size_t len = strlen (end);
+ if (NARROW_ADDRESSES && INT_ADD_OVERFLOW (len, n))
+ {
+ __set_errno (ENOMEM);
+ goto error;
+ }
 while (extra_buffer.length <= len + n)
 {
 if (!scratch_buffer_grow_preserve (&extra_buffer)) |
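Review bot: The new `NARROW_ADDRESSES` definition in the second hunk depends on `>>` binding tighter than `==` and does not say why the shift is split in two. I would write it as `enum { NARROW_ADDRESSES = (IDX_MAX >> 31 >> 31) == 0 };` and extend the comment with one sentence, for example `Shift twice by 31 so the shift count stays below the width of a 32-bit idx_t.` The comment could also state that on platforms where this constant is 0 the run-time guard in realpath_stk is compiled out, so the overflow protection there rests entirely on the "cannot happen on 64-bit machines" assumption.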
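Review bot: The added guard in realpath_stk, `INT_ADD_OVERFLOW (len, n)`, is evaluated in the type of `len + n`, and with `len` now a `size_t` that is presumably an unsigned type (the declaration of `n` is outside the hunk). It therefore rejects a sum that wraps past SIZE_MAX, not one that merely exceeds IDX_MAX as the `NARROW_ADDRESSES` comment suggests. That is sufficient for the `extra_buffer.length <= len + n` comparison that follows, but a comment above the guard would stop a later reader from storing the sum in an `idx_t`: `/* Overflow is checked in size_t; len + n may still exceed IDX_MAX. */`. The commit message says lib/canonicalize.c receives the same change, so the same comment applies there. The function body continues outside the hunk, so whether the `error` label releases `extra_buffer` on this new path cannot be confirmed from here.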