From e2afae6303e871a31a061d03359cfcd5dd86c088 Mon Sep 17 00:00:00 2001 From: Quentin Rameau Date: Sun, 1 Apr 2018 19:49:58 +0200 Subject: sed: prevent overflow of length from bb_get_chunk_from_file This fragment did not work right: temp = bb_get_chunk_from_file(fp, &len); if (temp) { /* len > 0 here, it's ok to do temp[len-1] */ char c = temp[len-1]; With "int len" _sign-extending_, temp[len-1] can refer to a wrong location if len > 0x7fffffff. Signed-off-by: Quentin Rameau Signed-off-by: Denys Vlasenko
---
 editors/sed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'editors/sed.c')
diff --git a/editors/sed.c b/editors/sed.c
index 9d800c2c3..470220859 100644
--- a/editors/sed.c
+++ b/editors/sed.c
@@ -988,7 +988,7 @@ static void flush_append(char *last_puts_char)
 static char *get_next_line(char *gets_char, char *last_puts_char)
 {
 char *temp = NULL;
- int len;
+ size_t len;
 char gc;
 flush_append(last_puts_char);
-- cgit v1.2.3
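Review bot: The new `size_t len;` declaration in get_next_line is only correct if the length out-parameter of bb_get_chunk_from_file() is a `size_t *` as well; this patch view is limited to editors/sed.c, so that prototype is not visible here and should be confirmed, because passing `&len` to an `int *` parameter would leave part of `len` unwritten on LP64 targets. With an unsigned type, the `temp[len-1]` access quoted in the commit message also depends on `len` never being 0 for a non-NULL return, since `len-1` would then wrap to SIZE_MAX instead of becoming -1. I would record both assumptions at the declaration, e.g. `size_t len; /* type must match bb_get_chunk_from_file(); len >= 1 whenever it returns non-NULL */`. The body of get_next_line continues outside the hunk, so its remaining uses of `len` (any signed comparison or int-typed call argument) are worth rechecking against the new type.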