Mercurial > libjeffpc
changeset 749:869264dad80b
cbor: guard against integer overflow when checking buffer size
Found by afl.
Signed-off-by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
author | Josef 'Jeff' Sipek <jeffpc@josefsipek.net> |
---|---|
date | Tue, 09 Apr 2019 11:21:21 -0400 |
parents | 92fcaa240219 |
children | 577f448cfb45 |
files | fmt_cbor.c |
diffstat | 1 files changed, 5 insertions(+), 2 deletions(-) |
--- a/fmt_cbor.c Thu Jun 13 00:34:37 2019 +0300 +++ b/fmt_cbor.c Tue Apr 09 11:21:21 2019 -0400 @@ -607,8 +607,11 @@ if (ret) return ret; - /* can't handle strings longer than what fits in memory */ - if (parsed_len > SIZE_MAX) + /* + * We can't handle strings longer than what fits in memory (the +1 + * is for nul termination). + */ + if (parsed_len >= SIZE_MAX) return -EOVERFLOW; out = malloc(parsed_len + 1);
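Review bot: at `out = malloc(parsed_len + 1);`, any declared length up to SIZE_MAX - 1 still passes the new `parsed_len >= SIZE_MAX` test and goes straight to the allocator, so the correctness of what follows rests on handling that is outside this hunk. The `>=` comparison does stop `parsed_len + 1` from wrapping to 0, which is the case the comment describes. Two things to confirm before merging: that the `malloc()` result is checked for NULL immediately after this line (the hunk ends at the call), and that `parsed_len` is an unsigned type at least as wide as `size_t`, since the comparison only means what the comment says under that assumption; a short mention of the type in the comment would make this self-checking. If the number of bytes remaining in the input is known at this point, rejecting a `parsed_len` larger than that before allocating would avoid large allocations driven by a length field alone. Since this was found by afl, adding the triggering input as a regression test would keep the boundary case (`parsed_len == SIZE_MAX`) covered.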