storm/w3m
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix integer overflow due to Strgrow

Browse Source 
Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31397
This commit is contained in:
Tatsuya Kinoshita
2021-02-26 19:38:20 +09:00
parent b47fbbf56a
commit f0aff94b2b
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
Str.c
View File

@@ -21,10 +21,12 @@
#ifdef __EMX__ /* or include "fm.h" for HAVE_BCOPY? */ #ifdef __EMX__ /* or include "fm.h" for HAVE_BCOPY? */
#include <strings.h> #include <strings.h>
#endif #endif
#include <limits.h>
#include "Str.h" #include "Str.h"
#include "myctype.h" #include "myctype.h"
#define INITIAL_STR_SIZE 32 #define INITIAL_STR_SIZE 32
#define STR_SIZE_MAX INT_MAX
#ifdef STR_DEBUG #ifdef STR_DEBUG
/* This is obsolete, because "Str" can handle a '\0' character now. */ /* This is obsolete, because "Str" can handle a '\0' character now. */
@@ -237,9 +239,12 @@ Strgrow(Str x)
newlen = x->area_size * 6 / 5; newlen = x->area_size * 6 / 5;
if (newlen == x->area_size) if (newlen == x->area_size)
newlen += 2; newlen += 2;
if (newlen < 0 || newlen > STR_SIZE_MAX)
newlen = STR_SIZE_MAX;
x->ptr = GC_MALLOC_ATOMIC(newlen); x->ptr = GC_MALLOC_ATOMIC(newlen);
x->area_size = newlen; x->area_size = newlen;
bcopy((void *)old, (void *)x->ptr, x->length); bcopy((void *)old, (void *)x->ptr, x->length);
x->ptr[x->length] = '\0';
GC_free(old); GC_free(old);
} }