summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaiki Ueno <dueno@redhat.com>2016-09-22 14:47:18 +0200
committerDaiki Ueno <ueno@gnu.org>2016-12-06 13:12:00 +0100
commit65e8ad30e7832f3a979f88f4308cfa4f9a969829 (patch)
tree86e54a766517caee2209c387048cdc6bcdd37e47
parent99c3d823fc96c47af4810a5ee091501721159a48 (diff)
common, trust: Avoid integer overflow
This fixes issues pointed in: https://bugzilla.redhat.com/show_bug.cgi?id=985445 except for p11-kit/conf.c:read_config_file(), which was rewritten using mmap() and thus length calculation is no longer needed.
-rw-r--r--common/compat.c8
-rw-r--r--common/path.c2
-rw-r--r--common/url.c2
-rw-r--r--trust/base64.c5
4 files changed, 14 insertions, 3 deletions
diff --git a/common/compat.c b/common/compat.c
index de5b99b..02e6408 100644
--- a/common/compat.c
+++ b/common/compat.c
@@ -41,6 +41,7 @@
#define _XOPEN_SOURCE 700
#include "compat.h"
+#include "debug.h"
#include <assert.h>
#include <dirent.h>
@@ -503,8 +504,11 @@ strconcat (const char *first,
va_start (va, first);
- for (arg = first; arg; arg = va_arg (va, const char*))
- length += strlen (arg);
+ for (arg = first; arg; arg = va_arg (va, const char*)) {
+ size_t old_length = length;
+ length += strlen (arg);
+ return_val_if_fail (length >= old_length, NULL);
+ }
va_end (va);
diff --git a/common/path.c b/common/path.c
index 34c00cb..8b8b66c 100644
--- a/common/path.c
+++ b/common/path.c
@@ -214,7 +214,9 @@ p11_path_build (const char *path,
len = 1;
va_start (va, path);
while (path != NULL) {
+ size_t old_len = len;
len += strlen (path) + 1;
+ return_val_if_fail (len >= old_len, NULL);
path = va_arg (va, const char *);
}
va_end (va);
diff --git a/common/url.c b/common/url.c
index 4b7e47b..884c584 100644
--- a/common/url.c
+++ b/common/url.c
@@ -71,7 +71,7 @@ p11_url_decode (const char *value,
*/
if (*value == '%') {
value++;
- if (value + 2 > end) {
+ if (end - value < 2) {
free (result);
return NULL;
}
diff --git a/trust/base64.c b/trust/base64.c
index a9eb966..01ed8ef 100644
--- a/trust/base64.c
+++ b/trust/base64.c
@@ -43,9 +43,11 @@
#include "config.h"
#include "base64.h"
+#include "debug.h"
#include <assert.h>
#include <ctype.h>
+#include <limits.h>
#include <stdlib.h>
#include <string.h>
@@ -99,6 +101,7 @@ p11_b64_pton (const char *src,
state = 1;
break;
case 1:
+ return_val_if_fail (tarindex < INT_MAX, -1);
if (target) {
if ((size_t) tarindex + 1 >= targsize)
return (-1);
@@ -110,6 +113,7 @@ p11_b64_pton (const char *src,
state = 2;
break;
case 2:
+ return_val_if_fail (tarindex < INT_MAX, -1);
if (target) {
if ((size_t) tarindex + 1 >= targsize)
return (-1);
@@ -121,6 +125,7 @@ p11_b64_pton (const char *src,
state = 3;
break;
case 3:
+ return_val_if_fail (tarindex < INT_MAX, -1);
if (target) {
if ((size_t) tarindex >= targsize)
return (-1);