commit adb5b46b04b12055639e35d04162e69f2c51f2ff
parent 5896396de8e35ebc1cc2049a715567d791998b11
Author: FRIGN <dev@frign.de>
Date: Tue, 1 Dec 2015 17:59:42 +0100
Guard realloc against size_t overflow
Unlikely, but better safe than sorry.
Diffstat:
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/ed.c b/ed.c
@@ -8,6 +8,7 @@
#include <ctype.h>
#include <limits.h>
#include <setjmp.h>
+#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -74,7 +75,8 @@ addchar(char c)
char *p;
if (sizetxt >= memtxt) {
- if (!(p = realloc(text, memtxt + LINESIZE)))
+ if (memtxt > SIZE_MAX - LINESIZE ||
+ !(p = realloc(text, memtxt + LINESIZE)))
error("out of memory");
memtxt += LINESIZE;
text = p;
@@ -90,7 +92,8 @@ makeline(char *s, int *off)
char c, *begin = s;
if (lastidx >= idxsize) {
- if (!(lp = realloc(zero, (idxsize + NUMLINES) * sizeof(*lp))))
+ if (idxsize > SIZE_MAX - NUMLINES ||
+ !(lp = realloc(zero, (idxsize + NUMLINES) * sizeof(*lp))))
error("out of memory");
idxsize += NUMLINES;
zero = lp;
@@ -458,7 +461,8 @@ doread(char *fname)
break;
if (s[n-1] != '\n') {
if (n == len) {
- if (!(p = realloc(s, len + 1)))
+ if (len == SIZE_MAX ||
+ !(p = realloc(s, len + 1)))
error("out of memory");
++len;
s = p;
@@ -926,7 +930,8 @@ readcmd(int isglobal)
if (optprompt)
fputs(prompt, stdout);
if (!buf || s == buf + size - 2) {
- if (!(p = realloc(buf, size+CMDSIZE)))
+ if (size > SIZE_MAX - CMDSIZE ||
+ !(p = realloc(buf, size + CMDSIZE)))
error("out of memory");
buf = p;
s = !size ? p : p + size - 2;
