From e2afae6303e871a31a061d03359cfcd5dd86c088 Mon Sep 17 00:00:00 2001 From: Quentin Rameau Date: Sun, 1 Apr 2018 19:49:58 +0200 Subject: sed: prevent overflow of length from bb_get_chunk_from_file This fragment did not work right: temp = bb_get_chunk_from_file(fp, &len); if (temp) { /* len > 0 here, it's ok to do temp[len-1] */ char c = temp[len-1]; With "int len" _sign-extending_, temp[len-1] can refer to a wrong location if len > 0x7fffffff. Signed-off-by: Quentin Rameau Signed-off-by: Denys Vlasenko --- libbb/get_line_from_file.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'libbb') diff --git a/libbb/get_line_from_file.c b/libbb/get_line_from_file.c index 941ea12b5..d10066937 100644 --- a/libbb/get_line_from_file.c +++ b/libbb/get_line_from_file.c @@ -10,16 +10,19 @@ */ #include "libbb.h" -char* FAST_FUNC bb_get_chunk_from_file(FILE *file, int *end) +char* FAST_FUNC bb_get_chunk_from_file(FILE *file, size_t *end) { int ch; - unsigned idx = 0; + size_t idx = 0; char *linebuf = NULL; while ((ch = getc(file)) != EOF) { /* grow the line buffer as necessary */ - if (!(idx & 0xff)) + if (!(idx & 0xff)) { + if (idx == ((size_t)-1) - 0xff) + bb_error_msg_and_die(bb_msg_memory_exhausted); linebuf = xrealloc(linebuf, idx + 0x100); + } linebuf[idx++] = (char) ch; if (ch == '\0') break; @@ -49,7 +52,7 @@ char* FAST_FUNC xmalloc_fgets(FILE *file) /* Get line. Remove trailing \n */ char* FAST_FUNC xmalloc_fgetline(FILE *file) { - int i; + size_t i; char *c = bb_get_chunk_from_file(file, &i); if (i && c[--i] == '\n') -- cgit v1.2.3
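Review bot: The new guard `if (idx == ((size_t)-1) - 0xff)` is only correct because it sits inside `if (!(idx & 0xff))`, where idx is always a multiple of 0x100, and nothing on the line says so. I would add a comment such as `/* idx is a multiple of 0x100 here, so this is the one value where idx + 0x100 would wrap to 0 */`, so that a later change to the growth step does not silently defeat the check. Separately, widening `end` to `size_t *` changes the function's contract: a caller that still passes `int *` would, if the build only warns, have a size_t stored into an int-sized object. This view is limited to libbb, so the prototype in the header and the callers in other directories (the subject names sed) cannot be checked from here. The body of bb_get_chunk_from_file continues outside the hunk.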
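Review bot: In xmalloc_fgetline, the `i &&` test in `if (i && c[--i] == '\n')` is load-bearing and deserves a comment now that `i` is a `size_t`. Without it, `--i` on zero would wrap to the largest size_t value, and `c` is indexed without any NULL check of its own. This presumably relies on bb_get_chunk_from_file always storing through `end`, including when it returns NULL; the store is not visible in this diff, and `i` has no initializer. I would record that next to the test, for example `/* i is 0 when nothing was read; c may then be NULL and must not be indexed */`. The body of xmalloc_fgetline continues past the end of the hunk.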