You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
28 lines
940 B
Diff
28 lines
940 B
Diff
From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001
|
|
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
Date: Mon, 4 May 2020 19:41:16 +0200
|
|
Subject: [PATCH 1/2] Protect array_list_del_idx against size_t overflow.
|
|
|
|
If the assignment of stop overflows due to idx and count being
|
|
larger than SIZE_T_MAX in sum, out of boundary access could happen.
|
|
|
|
It takes invalid usage of this function for this to happen, but
|
|
I decided to add this check so array_list_del_idx is as safe against
|
|
bad usage as the other arraylist functions.
|
|
---
|
|
arraylist.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
--- a/arraylist.c
|
|
+++ b/arraylist.c
|
|
@@ -135,6 +135,9 @@ array_list_del_idx( struct array_list *a
|
|
{
|
|
size_t i, stop;
|
|
|
|
+ /* Avoid overflow in calculation with large indices. */
|
|
+ if (idx > SIZE_T_MAX - count)
|
|
+ return -1;
|
|
stop = idx + count;
|
|
if ( idx >= arr->length || stop > arr->length ) return -1;
|
|
for ( i = idx; i < stop; ++i ) {
|