On 03/03/2016 03:55 PM, Marcel Böhme wrote:
@@ -4254,7 +4255,9 @@

Please use "diff -p" so that we get information about which function is being patched. Are all the places being patched really problematic ones where an input file could realistically cause an overflow, or just the string functions?

         }
        else
         {
-         work -> typevec_size *= 2;
+         if (work -> typevec_size > INT_MAX / 2)
+            return;
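Review bot: the excerpt removes `work -> typevec_size *= 2;` and adds only the guard, so the re-added doubling that must follow the check is not visible in this hunk; please confirm it is still there after the `if`. Also, a bare `return` leaves the vector at its old size while giving the caller no indication that growth was refused, so the code that follows will run as if the resize had succeeded.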

I'm concerned about just returning without any kind of error indication. Not sure what we should be calling from libiberty, but I was thinking maybe xmalloc_failed.

@@ -4765,11 +4776,14 @@
      {
        tem = s->p - s->b;
        n += tem;
+      if ( n > INT_MAX / 2)
+        return 0;
        n *= 2;
        s->b = XRESIZEVEC (char, s->b, n);
        s->p = s->b + tem;
        s->e = s->b + n;
      }
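Review bot: the guard `if ( n > INT_MAX / 2)` is placed after `n += tem;`, so the addition itself can already overflow when `n` is near INT_MAX; check `tem > INT_MAX - n` before the addition (or test `n > INT_MAX / 2 - tem` before adding) so that both the sum and the subsequent `n *= 2` stay in range. Minor style point: the stray space in `if ( n > ...` does not match the surrounding code.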

Might also want to guard against overflow from the first addition.


Bernd
