authorTobias Stoeckmann <tobias@stoeckmann.org>2019-09-17 21:26:52 +0200
committerSébastien Helleu <flashcode@flashtux.org>2019-09-17 21:26:52 +0200
commitf7b84fcc67baf6221b89ffcb75a946ae045cb0df (patch)
treea7da45a5fd55874eb7e9ed49e7c052d10b0b7f60 /src/core/wee-string.c
parent63a05d72d90cce719b45cc9ab8248da12905d9b5 (diff)
Fixed segfault during excessive evaluation.
It is possible to trigger a segmentation fault while processing an evaluation of repeating string. On a Linux 64 bit system, enter this (or adjust arguments for 32 bit accordingly): /eval -n ${repeat:1073741824,----} It will overflow an integer calculation because int instead of size_t is used. Proper check of int limitations fixes this issue. I haven't changed this specific piece of code to size_t because it would crash in other parts of the code tree instead. For now, int is a limiting factor when it comes to strings (and should be enough for sane use cases). Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Diffstat (limited to 'src/core/wee-string.c')
-rw-r--r--src/core/wee-string.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/core/wee-string.c b/src/core/wee-string.c
index 19a25b28b..5025958a1 100644
--- a/src/core/wee-string.c
+++ b/src/core/wee-string.c
@@ -26,6 +26,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
+#include <limits.h>
#include <stdarg.h>
#include <string.h>
#include <ctype.h>
@@ -224,6 +225,10 @@ string_repeat (const char *string, int count)
return strdup (string);
length_string = strlen (string);
+
+ if (count >= INT_MAX / length_string)
+ return NULL;
+
length_result = (length_string * count) + 1;
result = malloc (length_result);
if (!result)
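Review bot: The added guard `count >= INT_MAX / length_string` divides by `length_string`, so it is only safe if an empty `string` has already been returned earlier in string_repeat; that part of the function is outside this hunk and should be confirmed, or the check made self-contained with `if (length_string <= 0 || count >= INT_MAX / length_string)`. The `<= 0` form would also reject a length that became negative when a `strlen` result above INT_MAX is narrowed into the `int` the commit message describes. A short comment such as `/* reject repeats whose byte length plus the NUL would not fit in an int */` would explain why `>=` is used rather than `>`. Callers now receive NULL for oversized requests as well as for allocation failure, so any caller that treats NULL purely as out-of-memory may want a second look.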