diff options
author | Todd C. Miller <Todd.Miller@sudo.ws> | 2023-02-23 08:19:18 -0700 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@sudo.ws> | 2023-02-23 08:19:18 -0700 |
commit | 7c616b25d5949fabe1eae4d36beabfa2b6024cae (patch) | |
tree | 50e9adac414852fa2efc594cb052a8c5f5eb6e7d | |
parent | bcbc043daadf3f18ad68cfb641acd1441ee769b9 (diff) | |
download | sudo-7c616b25d5949fabe1eae4d36beabfa2b6024cae.tar.gz |
sudo_lbuf_expand: check for overflow when rounding to the nearest power of 2.
Problem deteced by oss-fuzz using the fuzz_sudoers fuzzer.
-rw-r--r-- | lib/util/lbuf.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/util/lbuf.c b/lib/util/lbuf.c index 72bcac26f..452e0d130 100644 --- a/lib/util/lbuf.c +++ b/lib/util/lbuf.c @@ -70,6 +70,7 @@ sudo_lbuf_expand(struct sudo_lbuf *lbuf, unsigned int extra) debug_decl(sudo_lbuf_expand, SUDO_DEBUG_UTIL); if (lbuf->len + extra + 1 <= lbuf->len) { + errno = ENOMEM; sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, "integer overflow updating lbuf->len"); lbuf->error = 1; @@ -80,6 +81,13 @@ sudo_lbuf_expand(struct sudo_lbuf *lbuf, unsigned int extra) unsigned int new_size = sudo_pow2_roundup(lbuf->len + extra + 1); char *new_buf; + if (new_size < lbuf->size) { + errno = ENOMEM; + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "integer overflow updating lbuf->size"); + lbuf->error = 1; + debug_return_bool(false); + } if (new_size < 1024) new_size = 1024; if ((new_buf = realloc(lbuf->buf, new_size)) == NULL) { |