Found by Covscan.
"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/utils/regedit_list.c:522: tainted_data_return: Called function ""get_window_height(list)"", and a possible return value may be less than zero.
samba-4.20.0rc2/source3/utils/regedit_list.c:522: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow.
samba-4.20.0rc2/source3/utils/regedit_list.c:526: overflow: The expression ""list->cursor_row -= page"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source3/utils/regedit_list.c:529: overflow_sink: ""list->cursor_row"", which might have underflowed, is passed to ""data_get_row_n(list, list->cursor_row)"".
527| list->start_row -= page;
528| }
529|-> tmp = data_get_row_n(list, list->cursor_row);
530| break;
531| case ML_CURSOR_PGDN:"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
#include "regedit_list.h"
#include "regedit.h"
+#define CLAMP(x, low, high) \
+ (((x) > (high)) ? (high) : (((x) < (low)) ? (low) : (x)))
+
struct multilist {
WINDOW *window;
WINDOW *pad;
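Review bot: The new `CLAMP` macro in this hunk evaluates `x` up to three times and `low`/`high` up to twice, so an argument with side effects (a function call, `i++`) would be re-evaluated and the value returned could differ from the one that was range-checked. The only use visible in this patch, `CLAMP(height, 1, 16384)` in get_window_height, passes a plain local and is safe, but nothing at the definition warns the next caller. I would add a comment above the macro, e.g. `/* Evaluates its arguments more than once: pass side-effect-free expressions only. */`, or replace it with a small `static inline unsigned` helper, which is also type-checked. The name is generic, so an `#ifndef CLAMP` guard may be worth considering in case an included header already defines it; the visible lines do not show whether one does.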
return WERR_OK;
}
-static int get_window_height(struct multilist *list)
+static unsigned get_window_height(struct multilist *list)
{
- int height;
+ unsigned height;
height = list->window_height;
- if (list->cb->get_column_header) {
+ if (height > 0 && list->cb->get_column_header) {
height--;
}
- return height;
+ /* Clamp to some sensible values */
+ return CLAMP(height, 1, 16384);
}
static void fix_start_row(struct multilist *list)
{
- int height;
+ unsigned height;
/* adjust start_row so that the cursor appears on the screen */