1
0

002-Fix-integer-overflows.patch 2.5 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283
  1. From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001
  2. From: Tobias Stoeckmann <tobias@stoeckmann.org>
  3. Date: Mon, 4 May 2020 19:47:25 +0200
  4. Subject: [PATCH] Fix integer overflows.
  5. The data structures linkhash and printbuf are limited to 2 GB in size
  6. due to a signed integer being used to track their current size.
  7. If too much data is added, then size variable can overflow, which is
  8. an undefined behaviour in C programming language.
  9. Assuming that a signed int overflow just leads to a negative value,
  10. like it happens on many sytems (Linux i686/amd64 with gcc), then
  11. printbuf is vulnerable to an out of boundary write on 64 bit systems.
  12. ---
  13. linkhash.c | 7 +++++--
  14. printbuf.c | 19 ++++++++++++++++---
  15. 2 files changed, 21 insertions(+), 5 deletions(-)
  16. --- a/linkhash.c
  17. +++ b/linkhash.c
  18. @@ -498,7 +498,12 @@ int lh_table_insert(struct lh_table *t,
  19. unsigned long h, n;
  20. t->inserts++;
  21. - if(t->count >= t->size * LH_LOAD_FACTOR) lh_table_resize(t, t->size * 2);
  22. + if(t->count >= t->size * LH_LOAD_FACTOR) {
  23. + /* Avoid signed integer overflow with large tables. */
  24. + int new_size = (t->size > INT_MAX / 2) ? INT_MAX : (t->size * 2);
  25. + if (t->size != INT_MAX)
  26. + lh_table_resize(t, new_size);
  27. + }
  28. h = t->hash_fn(k);
  29. n = h % t->size;
  30. --- a/printbuf.c
  31. +++ b/printbuf.c
  32. @@ -15,6 +15,7 @@
  33. #include "config.h"
  34. +#include <limits.h>
  35. #include <stdio.h>
  36. #include <stdlib.h>
  37. #include <string.h>
  38. @@ -63,7 +64,16 @@ static int printbuf_extend(struct printb
  39. if (p->size >= min_size)
  40. return 0;
  41. - new_size = json_max(p->size * 2, min_size + 8);
  42. + /* Prevent signed integer overflows with large buffers. */
  43. + if (min_size > INT_MAX - 8)
  44. + return -1;
  45. + if (p->size > INT_MAX / 2)
  46. + new_size = min_size + 8;
  47. + else {
  48. + new_size = p->size * 2;
  49. + if (new_size < min_size + 8)
  50. + new_size = min_size + 8;
  51. + }
  52. #ifdef PRINTBUF_DEBUG
  53. MC_DEBUG("printbuf_memappend: realloc "
  54. "bpos=%d min_size=%d old_size=%d new_size=%d\n",
  55. @@ -78,6 +88,9 @@ static int printbuf_extend(struct printb
  56. int printbuf_memappend(struct printbuf *p, const char *buf, int size)
  57. {
  58. + /* Prevent signed integer overflows with large buffers. */
  59. + if (size > INT_MAX - p->bpos - 1)
  60. + return -1;
  61. if (p->size <= p->bpos + size + 1) {
  62. if (printbuf_extend(p, p->bpos + size + 1) < 0)
  63. return -1;
  64. @@ -94,6 +107,9 @@ int printbuf_memset(struct printbuf *pb,
  65. if (offset == -1)
  66. offset = pb->bpos;
  67. + /* Prevent signed integer overflows with large buffers. */
  68. + if (len > INT_MAX - offset)
  69. + return -1;
  70. size_needed = offset + len;
  71. if (pb->size < size_needed)
  72. {