Module Name: src Committed By: christos Date: Wed Jan 23 02:00:00 UTC 2019
Modified Files: src/lib/libwrap: expandm.c Log Message: limit allocation to PTRDIFF_T to appease gcc-7, from mrg@ To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/lib/libwrap/expandm.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/lib/libwrap/expandm.c diff -u src/lib/libwrap/expandm.c:1.8 src/lib/libwrap/expandm.c:1.9 --- src/lib/libwrap/expandm.c:1.8 Sun Jan 13 22:30:25 2019 +++ src/lib/libwrap/expandm.c Tue Jan 22 21:00:00 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: expandm.c,v 1.8 2019/01/14 03:30:25 kre Exp $ */ +/* $NetBSD: expandm.c,v 1.9 2019/01/23 02:00:00 christos Exp $ */ /*- * Copyright (c) 2019 The NetBSD Foundation, Inc. @@ -29,7 +29,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include <sys/cdefs.h> -__RCSID("$NetBSD: expandm.c,v 1.8 2019/01/14 03:30:25 kre Exp $"); +__RCSID("$NetBSD: expandm.c,v 1.9 2019/01/23 02:00:00 christos Exp $"); #include <limits.h> #include <stdio.h> @@ -60,16 +60,30 @@ expandm(const char *fmt, const char *sf, for (char *p = m; p >= ptr && *p == '%'; p--) cnt++; - if (__predict_false((m - ptr) >= INT_MAX)) { + size_t nlen = (size_t)(m - ptr); + /* + * we can't exceed INT_MAX because int is used as + * a format width + */ + if (__predict_false(nlen >= INT_MAX)) { size_t blen = buf ? strlen(buf) : 0; - size_t nlen = (size_t)(m - ptr); + size_t tlen = nlen + blen; - nbuf = realloc(buf, blen + nlen + 1); + /* + * We can't exceed PTRDIFF_MAX because we would + * not be able to address the pointers + */ + if (tlen >= PTRDIFF_MAX) { + errno = EINVAL; + goto out; + } + + nbuf = realloc(buf, tlen + 1); if (nbuf == NULL) goto out; memcpy(nbuf + blen, ptr, nlen); - nbuf[blen + nlen] = '\0'; + nbuf[tlen] = '\0'; ptr += nlen; buf = nbuf; }