RepoMirrors
/
musl
mirror of git://git.musl-libc.org/musl
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix incorrect overflow check for allocation in fmemopen 

when a null buffer pointer is passed to fmemopen, requesting it
allocate its own memory buffer, extremely large size arguments near
SIZE_MAX could overflow and result in underallocation. this results
from omission of the size of the cookie structure in the overflow
check but inclusion of it in the calloc call.

instead of accounting for individual small contributions to the total
allocation size needed, simply reject sizes larger than PTRDIFF_MAX,
which will necessarily fail anyway. then adding arbitrary fixed-size
structures is safe without matching up the expressions in the
comparison and the allocation.
This commit is contained in:
Rich Felker 2018-02-11 20:48:14 -05:00
parent 249b621f9e
commit 75cba9c67f
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/stdio/fmemopen.c
View File

@ -81,7 +81,7 @@ FILE *fmemopen(void *restrict buf, size_t size, const char *restrict mode)
return 0;
}
if (!buf && size > SIZE_MAX-sizeof(FILE)-BUFSIZ-UNGET) {
if (!buf && size > PTRDIFF_MAX) {
errno = ENOMEM;
return 0;
}