]> git.ipfire.org Git - thirdparty/curl.git/commitdiff
projects / thirdparty / curl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: be7cccf)
curl: guard against size_t wraparound in no-clobber code
authorDaniel Gustafsson <daniel@yesql.se>
Sat, 30 Apr 2022 19:17:40 +0000 (21:17 +0200)
committerDaniel Gustafsson <daniel@yesql.se>
Sat, 30 Apr 2022 19:17:40 +0000 (21:17 +0200)
When generating the new filename, make sure we aren't overflowing the
size_t limit when calculating the new length. This is mostly academic
but good code hygeine nonetheless.

Closes: #8771
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
src/tool_cb_wrt.c patch | blob | blame | history

diff --git a/src/tool_cb_wrt.c b/src/tool_cb_wrt.c
index 46fe87934f0316c542d8a2404b55249894202606..df132d84c207422ec11a66f722643b1b1eec9ef7 100644 (file)
--- a/src/tool_cb_wrt.c
+++ b/src/tool_cb_wrt.c
@@ -88,7 +88,15 @@ bool tool_create_output_file(struct OutStruct *outs,
     if(config->file_clobber_mode == CLOBBER_NEVER && fd == -1) {
       int next_num = 1;
       size_t len = strlen(fname);
-      char *newname = malloc(len + 13); /* nul + 1-11 digits + dot */
+      size_t newlen = len + 13; /* nul + 1-11 digits + dot */
+      char *newname;
+      /* Guard against wraparound in new filename */
+      if(newlen < len) {
+        free(aname);
+        errorf(global, "overflow in filename generation\n");
+        return FALSE;
+      }
+      newname = malloc(newlen);
       if(!newname) {
         errorf(global, "out of memory\n");
         return FALSE;
Mirror of https://github.com/curl/curl.git