author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2019-09-17 21:26:52 +0200 |
---|---|---|
committer | Sébastien Helleu <flashcode@flashtux.org> | 2019-09-17 21:26:52 +0200 |
commit | f7b84fcc67baf6221b89ffcb75a946ae045cb0df (patch) | |
tree | a7da45a5fd55874eb7e9ed49e7c052d10b0b7f60 /src/core/wee-string.c | |
parent | 63a05d72d90cce719b45cc9ab8248da12905d9b5 (diff) | |
Fixed segfault during excessive evaluation.
It is possible to trigger a segmentation fault while processing
an evaluation of repeating string. On a Linux 64 bit system,
enter this (or adjust arguments for 32 bit accordingly):
/eval -n ${repeat:1073741824,----}
It will overflow an integer calculation because int instead of
size_t is used. Proper check of int limitations fixes this issue.
I haven't changed this specific piece of code to size_t because it
would crash in other parts of the code tree instead. For now, int
is a limiting factor when it comes to strings (and should be
enough for sane use cases).
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Diffstat (limited to 'src/core/wee-string.c')
-rw-r--r-- | src/core/wee-string.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/core/wee-string.c b/src/core/wee-string.c index 19a25b28b..5025958a1 100644 --- a/src/core/wee-string.c +++ b/src/core/wee-string.c @@ -26,6 +26,7 @@ #include <stdlib.h> #include <stdio.h> #include <errno.h> +#include <limits.h> #include <stdarg.h> #include <string.h> #include <ctype.h> @@ -224,6 +225,10 @@ string_repeat (const char *string, int count) return strdup (string); length_string = strlen (string); + + if (count >= INT_MAX / length_string) + return NULL; + length_result = (length_string * count) + 1; result = malloc (length_result); if (!result) |
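Review bot: in the `string_repeat` hunk, the new guard `count >= INT_MAX / length_string` divides by `length_string`, and the visible context does not show an earlier return for an empty `string`; if "" can reach this line, the check itself is a division by zero. Please confirm that an earlier branch returns for empty input, or test `length_string` for zero before the division. Two smaller points on the same lines: `strlen (string)` yields a `size_t` that is stored in what the commit message describes as `int` arithmetic, so an input longer than `INT_MAX` would be narrowed before the guard runs, and the new `return NULL` is indistinguishable from the `malloc` failure path directly below it, so the function's comment should say that NULL can also mean "result too large" and the callers behind `${repeat:...}` should be checked for NULL handling.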