summaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authorSébastien Helleu <flashcode@flashtux.org>2016-10-08 13:10:56 +0200
committerSébastien Helleu <flashcode@flashtux.org>2016-10-08 13:10:56 +0200
commit997f47f77a135d9119bc167bbe7e5aaede078259 (patch)
tree8f7c9bb0d4a719aaed6bd7fd030ca6a985ccf8ef /src/core
parent485aff59c4664ae6e2b39556537616336f66d685 (diff)
downloadweechat-997f47f77a135d9119bc167bbe7e5aaede078259.zip
core: fix integer overflow in calls to realloc (issue #809)
Diffstat (limited to 'src/core')
-rw-r--r--src/core/wee-util.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/core/wee-util.c b/src/core/wee-util.c
index b1f567916..0dccb1861 100644
--- a/src/core/wee-util.c
+++ b/src/core/wee-util.c
@@ -24,6 +24,7 @@
#endif
#include <stdlib.h>
+#include <stdint.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
@@ -672,6 +673,8 @@ util_file_get_content (const char *filename)
while (!feof (f))
{
+ if (fp > SIZE_MAX - (1024 * sizeof (char)))
+ goto error;
buffer2 = (char *) realloc (buffer, (fp + (1024 * sizeof (char))));
if (!buffer2)
goto error;
@@ -681,6 +684,8 @@ util_file_get_content (const char *filename)
goto error;
fp += count;
}
+ if (fp > SIZE_MAX - sizeof (char))
+ goto error;
buffer2 = (char *) realloc (buffer, fp + sizeof (char));
if (!buffer2)
goto error;