changeset 749:869264dad80b

cbor: guard against integer overflow when checking buffer size Found by afl. Signed-off-by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
author Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
date Tue, 09 Apr 2019 11:21:21 -0400
parents 92fcaa240219
children 577f448cfb45
files fmt_cbor.c
diffstat 1 files changed, 5 insertions(+), 2 deletions(-) [+]
--- a/fmt_cbor.c	Thu Jun 13 00:34:37 2019 +0300
+++ b/fmt_cbor.c	Tue Apr 09 11:21:21 2019 -0400
@@ -607,8 +607,11 @@
 	if (ret)
 		return ret;
 
-	/* can't handle strings longer than what fits in memory */
-	if (parsed_len > SIZE_MAX)
+	/*
+	 * We can't handle strings longer than what fits in memory (the +1
+	 * is for nul termination).
+	 */
+	if (parsed_len >= SIZE_MAX)
 		return -EOVERFLOW;
 
 	out = malloc(parsed_len + 1);
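Review bot: The guard at `if (parsed_len >= SIZE_MAX)` is right only because of the `malloc(parsed_len + 1)` three lines below, and the new comment still describes the old "fits in memory" idea rather than that dependency; the actual hazard is `parsed_len + 1` wrapping to 0 (or, where `size_t` is narrower than `parsed_len`, being silently truncated at the call), which would turn a rejected length into a tiny allocation, so I would word it as `/* parsed_len + 1 must not wrap and must fit in size_t for the malloc() below */`. The declaration of `parsed_len` is outside the hunk; the check assumes it is an unsigned integer at least as wide as `size_t`, which is worth confirming since a narrower type would make the condition unreachable. Separately, any length just below `SIZE_MAX` still reaches `malloc()`, so a length field taken from the input can force a very large allocation attempt; unless it already happens before this point, bounding `parsed_len` by the number of input bytes still available would close that and make this arithmetic check a secondary safeguard. The enclosing function begins and ends outside the hunk, including whatever handles a NULL `out`.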