From e2afae6303e871a31a061d03359cfcd5dd86c088 Mon Sep 17 00:00:00 2001 From: Quentin Rameau Date: Sun, 1 Apr 2018 19:49:58 +0200 Subject: sed: prevent overflow of length from bb_get_chunk_from_file This fragment did not work right: temp = bb_get_chunk_from_file(fp, &len); if (temp) { /* len > 0 here, it's ok to do temp[len-1] */ char c = temp[len-1]; With "int len" _sign-extending_, temp[len-1] can refer to a wrong location if len > 0x7fffffff. Signed-off-by: Quentin Rameau Signed-off-by: Denys Vlasenko
---
 include/libbb.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include')
diff --git a/include/libbb.h b/include/libbb.h
index fa878433e..309c58734 100644
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -911,7 +911,7 @@ extern void xprint_and_close_file(FILE *file) FAST_FUNC;
 * end of line. If end isn't NULL, length of the chunk is stored in it.
 * Returns NULL if EOF/error.
 */
-extern char *bb_get_chunk_from_file(FILE *file, int *end) FAST_FUNC;
+extern char *bb_get_chunk_from_file(FILE *file, size_t *end) FAST_FUNC;
 /* Reads up to (and including) TERMINATING_STRING: */
 extern char *xmalloc_fgets_str(FILE *file, const char *terminating_string) FAST_FUNC RETURNS_MALLOC;
 /* Same, with limited max size, and returns the length (excluding NUL): */
-- cgit v1.2.3
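Review bot: Widening the out-parameter to `size_t *end` in this prototype means any caller that still passes the address of an `int` is now an incompatible-pointer call, and where size_t is wider than int the callee would store past the caller's variable. This view is limited to `include/`, so neither the definition nor the call sites (the commit message names sed's `int len`) are visible here. They should be confirmed as converted in the same change, with incompatible-pointer-type warnings treated as errors in the build. The comment above the declaration could also record the contract, for example `* *end is a size_t; callers must not pass the address of an int.`, and, if the invariant quoted in the commit message holds for all callers, that the stored length is > 0 whenever a non-NULL chunk is returned.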