#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#if !defined(_WIN32)
+#if defined(_WIN32)
#include <strings.h> /* For strncasecmp */
+#else
+#include <stdint.h>
#endif
#include "vmware.h"
#include "strutil.h"
#include "vm_ctype.h"
#include "util.h"
+#ifndef SIZE_MAX /* SIZE_MAX is new in C99 */
+#define SIZE_MAX ((size_t) -1)
+#endif
+
/*
*-----------------------------------------------------------------------------
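Review bot: The new `#if defined(_WIN32)` now guards `#include <strings.h> /* For strncasecmp */`, so the POSIX header is included only on Windows and dropped on every other platform, which looks inverted. Non-Windows builds would then depend on `<string.h>` happening to declare strncasecmp, and a Windows toolchain that ships no `<strings.h>` would fail to compile; whether this file still calls strncasecmp is not visible in the hunk. If the aim was to bring in `<stdint.h>` for SIZE_MAX, keeping the original `#if !defined(_WIN32)` and placing `#include <stdint.h>` beside `<strings.h>` inside it would do that. The `#ifndef SIZE_MAX` fallback then still covers any platform where neither header defines it, so the length check in StrUtil_SafeStrcat keeps a valid bound.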
*/
void
-StrUtil_SafeStrcat(char **prefix, // IN/OUT
- const char *str) // IN
+StrUtil_SafeStrcat(char **prefix, // IN/OUT:
+ const char *str) // IN:
{
char *tmp;
- size_t plen = *prefix != NULL ? strlen(*prefix) : 0;
+ size_t plen = (*prefix == NULL) ? 0 : strlen(*prefix);
size_t slen = strlen(str);
- /* Check for overflow */
- VERIFY((size_t)-1 - plen > slen + 1);
+ /*
+ * If we're manipulating strings that are anywhere near max(size_t)/2 in
+ * length we're doing something very wrong. Avoid potential overflow by
+ * checking for "insane" operations. Prevent the problem before it gets
+ * started.
+ */
+
+ VERIFY((plen < (SIZE_MAX/2)) && (slen < (SIZE_MAX/2)));
tmp = Util_SafeRealloc(*prefix, plen + slen + 1 /* NUL */);