scc

simple C compiler
git clone git://git.2f30.org/scc
Log | Files | Refs | README | LICENSE
commit 86f5bf37e46015bab156c5e462f4a16cd502d552
parent 91088df2692cc0c89f0828c12dd8ff8850e39de3
Author: Quentin Rameau <quinq@fifth.space>
Date:   Sat, 18 Jun 2016 15:25:28 +0200

[driver] fix possible overflow in newitem()

Diffstat:

Mdriver/posix/scc.c | 11+++++++----


Minc/cc.h | 4++--


Mlib/newitem.c | 8++++++--


3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/driver/posix/scc.c b/driver/posix/scc.c
@@ -32,7 +32,8 @@ static struct tool {
 	char   bin[16];
 	char  *outfile;
 	struct items args;
-	int    nparams, in, out, init;
+	unsigned nparams;
+	int    in, out, init;
 	pid_t  pid;
 } tools[] = {
 	[CC1]    = { .bin = "cc1",   .cmd = PREFIX "/libexec/scc/", },
@@ -56,7 +57,7 @@ extern int failure;
 static void
 terminate(void)
 {
-	int i;
+	unsigned i;
 
 	if (!kflag) {
 		for (i = 0; i < objtmp.n; ++i)
@@ -165,7 +166,8 @@ static int
 settool(int tool, char *infile, int nexttool)
 {
 	struct tool *t = &tools[tool];
-	int i, fds[2];
+	unsigned i;
+	int fds[2];
 	static int fdin = -1;
 
 	switch (tool) {
@@ -277,7 +279,8 @@ static int
 validatetools(void)
 {
 	struct tool *t;
-	int i, tool, st, failed = LAST_TOOL;
+	unsigned i;
+	int tool, st, failed = LAST_TOOL;
 
 	for (tool = 0; tool < LAST_TOOL; ++tool) {
 		t = &tools[tool];
diff --git a/inc/cc.h b/inc/cc.h
@@ -16,12 +16,12 @@ extern int debug;
 
 struct items {
 	char **s;
-	int n;
+	unsigned n;
 };
 
 extern void die(const char *fmt, ...);
 extern void dbg(const char *fmt, ...);
-extern char **newitem(char **array, int num, char *item);
+extern char **newitem(char **array, unsigned num, char *item);
 extern void *xmalloc(size_t size);
 extern void *xcalloc(size_t nmemb, size_t size);
 extern char *xstrdup(const char *s);
diff --git a/lib/newitem.c b/lib/newitem.c
@@ -1,10 +1,14 @@
 #include "../inc/cc.h"
 
 char **
-newitem(char **array, int num, char *item)
+newitem(char **array, unsigned num, char *item)
 {
-	char **ar = xrealloc(array, (num + 1) * sizeof(char **));
+	char **ar;
 
+	if ((num + 1) < num)
+		die("newitem: overflow (%u + 1)", num);
+
+	ar = xrealloc(array, (num + 1) * sizeof(char **));
 	ar[num] = item;
 
 	return ar;