* src/sum.c (bsd_sum_stream): Detect overflow when updating length.
(sysv_sum_stream): Likewise.
---
src/sum.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/src/sum.c b/src/sum.c
index 1633c86c5..4e1efe9e1 100644
--- a/src/sum.c
+++ b/src/sum.c
@@ -73,6 +73,11 @@ bsd_sum_stream (FILE *stream, void *resstream, uintmax_t
*length)
checksum += buffer[i];
checksum &= 0xffff; /* Keep it within bounds. */
}
+ if (total_bytes + sum < total_bytes)
+ {
+ errno = EOVERFLOW;
+ goto cleanup_buffer;
+ }
total_bytes += sum;
}
@@ -84,6 +89,11 @@ final_process:;
checksum += buffer[i];
checksum &= 0xffff; /* Keep it within bounds. */
}
+ if (total_bytes + sum < total_bytes)
+ {
+ errno = EOVERFLOW;
+ goto cleanup_buffer;
+ }
total_bytes += sum;
memcpy (resstream, &checksum, sizeof checksum);
@@ -139,6 +149,11 @@ sysv_sum_stream (FILE *stream, void *resstream, uintmax_t
*length)
for (size_t i = 0; i < sum; i++)
s += buffer[i];
+ if (total_bytes + sum < total_bytes)
+ {
+ errno = EOVERFLOW;
+ goto cleanup_buffer;
+ }
total_bytes += sum;
}
@@ -146,6 +161,11 @@ final_process:;
for (size_t i = 0; i < sum; i++)
s += buffer[i];
+ if (total_bytes + sum < total_bytes)
+ {
+ errno = EOVERFLOW;
+ goto cleanup_buffer;
+ }
total_bytes += sum;
int r = (s & 0xffff) + ((s & 0xffffffff) >> 16);
--
2.26.2
