From: Frédéric Marchal <fmarchal@users.sourceforge.net>
Date: Sun, 4 Sep 2011 14:19:12 +0000 (+0000)
Subject: Check for an integer overflow in getword_atoll
X-Git-Tag: v2.3.2~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=816a2597482b919233853f3322f56a455ee3ad8c;p=thirdparty%2Fsarg.git

Check for an integer overflow in getword_atoll

Just to be sure we are reading correct data, the number build by
getword_atoll is checked for any overflow.
---

diff --git a/util.c b/util.c
index 45519b9..b03acb6 100644
--- a/util.c
+++ b/util.c
@@ -172,6 +172,7 @@ int getword_atoll(long long int *number, struct getwordstruct *gwarea, char stop
 {
 	int x;
 	int sign=+1;
+	int digit;
 
 	if (gwarea->current[0] == '-') {
 		gwarea->current++;
@@ -181,7 +182,12 @@ int getword_atoll(long long int *number, struct getwordstruct *gwarea, char stop
 	}
 	*number=0LL;
 	for(x=0;isdigit(gwarea->current[x]);x++) {
-		*number=(*number * 10) + gwarea->current[x]-'0';
+		digit=gwarea->current[x]-'0';
+		if (*number >= (LLONG_MAX-digit)/10) {
+			debuga(_("Integer overflow detected in getword_atoll in line %s\n"),gwarea->beginning);
+			return(-1);
+		}
+		*number=(*number * 10) + digit;
 	}
 	if(gwarea->current[x] && gwarea->current[x]!=stop) {
 		printf("SARG: getword_atoll loop detected after %d bytes.\n",x);