From: Bruno Haible
Date: Tue, 4 Nov 2003 20:18:19 +0000 (+0000)
Subject: Check size overflow before invoking malloc.
X-Git-Tag: v0.13~106
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f772014b08216f94eeba741a1f477cfe874f2749;p=thirdparty%2Fgettext.git
Check size overflow before invoking malloc.
---
diff --git a/gettext-tools/ChangeLog b/gettext-tools/ChangeLog
index 714018d8b..9ae2db44f 100644
--- a/gettext-tools/ChangeLog
+++ b/gettext-tools/ChangeLog
@@ -1,3 +1,7 @@
+2003-11-04 Bruno Haible
+
+ * configure.ac: Invoke gl_XSIZE.
+
 2003-10-31 Bruno Haible
 * configure.ac: Also check for waitid.
diff --git a/gettext-tools/configure.ac b/gettext-tools/configure.ac
index e7e2c7bd2..bda1dee38 100644
--- a/gettext-tools/configure.ac
+++ b/gettext-tools/configure.ac
@@ -128,6 +128,7 @@ gl_FUNC_READLINK
 gl_XREADLINK
 gl_CANONICALIZE
 gt_SETLOCALE
+gl_XSIZE
 gt_PREREQ_HOSTNAME
diff --git a/gettext-tools/lib/ChangeLog b/gettext-tools/lib/ChangeLog
index f23bdee58..8b01c4728 100644
--- a/gettext-tools/lib/ChangeLog
+++ b/gettext-tools/lib/ChangeLog
@@ -1,6 +1,14 @@
+2003-11-04 Bruno Haible
+
+ * xsize.h: New file.
+ * linebreak.c: Include xsize.h.
+ (mbs_possible_linebreaks, mbs_width_linebreaks): Check malloc()
+ argument for overflow.
+ * Makefile.am (libgettextlib_la_SOURCES): Add xsize.h.
+
 2003-10-31 Bruno Haible
- * wait-process.h (wait_process): Use waitid with WNOWAIT if available,
+ * wait-process.c (wait_process): Use waitid with WNOWAIT if available,
 to avoid (extremely rare) race condition.
 2003-10-27 Bruno Haible
diff --git a/gettext-tools/lib/Makefile.am b/gettext-tools/lib/Makefile.am
index d947f015c..514ec8ba5 100644
--- a/gettext-tools/lib/Makefile.am
+++ b/gettext-tools/lib/Makefile.am
@@ -73,7 +73,8 @@ libgettextlib_la_SOURCES = \
 xalloc.h xmalloc.c xstrdup.c \
 xerror.h xerror.c \
 xreadlink.h xreadlink.c \
- xsetenv.h xsetenv.c
+ xsetenv.h xsetenv.c \
+ xsize.h
 # Sources that are compiled only on platforms that lack the functions.
diff --git a/gettext-tools/lib/linebreak.c b/gettext-tools/lib/linebreak.c
index 87071e907..c063d2f0d 100644
--- a/gettext-tools/lib/linebreak.c
+++ b/gettext-tools/lib/linebreak.c
@@ -26,6 +26,7 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
 #include
 #include
 #include "c-ctype.h"
+#include "xsize.h"
 #include "utf8-ucs4.h"
@@ -1533,7 +1534,9 @@ mbs_possible_linebreaks (const char *s, size_t n, const char *encoding,
 {
 /* Convert the string to UTF-8 and build a translation table from
 offsets into s to offsets into the translated string. */
- char *memory = malloc (n * sizeof (size_t) + m + m);
+ size_t memory_size = xsum3 (xtimes (n, sizeof (size_t)), m, m);
+ char *memory =
+ (size_in_bounds_p (memory_size) ? malloc (memory_size) : NULL);
 if (memory != NULL)
 {
 size_t *offtable = (size_t *) memory;
@@ -1628,7 +1631,11 @@ mbs_width_linebreaks (const char *s, size_t n,
 {
 /* Convert the string to UTF-8 and build a translation table from
 offsets into s to offsets into the translated string. */
- char *memory = malloc (n * sizeof (size_t) + m + m + (o != NULL ? m : 0));
+ size_t memory_size =
+ xsum4 (xtimes (n, sizeof (size_t)), m, m,
+ (o != NULL ? m : 0));
+ char *memory =
+ (size_in_bounds_p (memory_size) ? malloc (memory_size) : NULL);
 if (memory != NULL)
 {
 size_t *offtable = (size_t *) memory;
diff --git a/gettext-tools/lib/xsize.h b/gettext-tools/lib/xsize.h
new file mode 100644
index 000000000..4410193e6
--- /dev/null
+++ b/gettext-tools/lib/xsize.h
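Review bot: The guard on the new `char *memory =` line in mbs_possible_linebreaks folds a size overflow into the same NULL that a genuine malloc failure produces, so whatever fallback handles `memory == NULL` (outside this hunk) now also runs for absurdly large inputs; that is the right outcome, but nothing at the call site says so. I'd extend the comment above the allocation with `Treat an overflowing size like an allocation failure; the fallback below then handles it.` Note that `m` is computed before the hunk, so the check relies on `m` itself being an unwrapped value — worth confirming at its definition. The body of mbs_possible_linebreaks starts and ends outside this hunk.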
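Review bot: The five-line `xsum4 (xtimes (n, sizeof (size_t)), m, m, (o != NULL ? m : 0))` expression in mbs_width_linebreaks repeats the layout arithmetic of the previous hunk with one extra region, and the two copies are the kind of thing that drift apart the next time the buffer layout changes; a point of style rather than a defect. A small static helper placed before both functions would keep the overflow check in one spot and give the layout a name. The body of mbs_width_linebreaks starts and ends outside this hunk.
```c
/* Number of bytes the scratch buffer needs: N offsets of type size_t
   followed by two or three M-byte regions.  Returns SIZE_MAX on
   overflow, so the caller must test the result with size_in_bounds_p.  */
static size_t
linebreak_scratch_size (size_t n, size_t m, int with_third_region)
{
  return xsum4 (xtimes (n, sizeof (size_t)), m, m,
                with_third_region ? m : 0);
}

/* … unchanged: mbs_width_linebreaks up to the allocation … */
      size_t memory_size = linebreak_scratch_size (n, m, o != NULL);
      char *memory =
        (size_in_bounds_p (memory_size) ? malloc (memory_size) : NULL);
```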
@@ -0,0 +1,89 @@
+/* xsize.h -- Checked size_t computations.
+
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2, or (at your option)
+ any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software Foundation,
+ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
+
+#ifndef _XSIZE_H
+#define _XSIZE_H
+
+/* Get size_t. */
+#include
+
+/* Get SIZE_MAX. */
+#if HAVE_STDINT_H
+# include
+#endif
+#ifndef SIZE_MAX
+# define SIZE_MAX ((size_t) -1)
+#endif
+
+/* The size of memory objects is often computed through expressions of
+ type size_t. Example:
+ void* p = malloc (header_size + n * element_size).
+ These computations can lead to overflow. When this happens, malloc()
+ returns a piece of memory that is way too small, and the program then
+ crashes while attempting to fill the memory.
+ To avoid this, the functions and macros in this file check for overflow.
+ The convention is that SIZE_MAX represents overflow.
+ malloc (SIZE_MAX) is not guaranteed to fail -- think of a malloc
+ implementation that uses mmap --, it's recommended to use SIZE_OVERFLOW_P
+ before invoking malloc().
+ The example thus becomes:
+ size_t size = xsum (header_size, xtimes (n, element_size));
+ void *p = (!SIZE_OVERFLOW_P (size) ? malloc (size) : NULL);
+*/
+
+/* Convert an arbitrary value >= 0 to type size_t. */
+#define xcast_size_t(N) \
+ ((N) <= SIZE_MAX ? (size_t) (N) : SIZE_MAX)
+
+/* Sum of two sizes, with overflow check. */
+static inline size_t
+xsum (size_t size1, size_t size2)
+{
+ size_t sum = size1 + size2;
+ return (sum >= size1 ? sum : SIZE_MAX);
+}
+
+/* Sum of three sizes, with overflow check. */
+static inline size_t
+xsum3 (size_t size1, size_t size2, size_t size3)
+{
+ return xsum (xsum (size1, size2), size3);
+}
+
+/* Sum of four sizes, with overflow check. */
+static inline size_t
+xsum4 (size_t size1, size_t size2, size_t size3, size_t size4)
+{
+ return xsum (xsum (xsum (size1, size2), size3), size4);
+}
+
+/* Multiplication of a count with an element size, with overflow check.
+ The count must be >= 0 and the element size must be > 0.
+ This is a macro, not an inline function, so that it works correctly even
+ when N is of a wider tupe and N > SIZE_MAX. */
+#define xtimes(N, ELSIZE) \
+ ((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)
+
+/* Check for overflow. */
+#define size_overflow_p(SIZE) \
+ ((SIZE) == SIZE_MAX)
+/* Check against overflow. */
+#define size_in_bounds_p(SIZE) \
+ ((SIZE) != SIZE_MAX)
+
+#endif /* _XSIZE_H */
diff --git a/gettext-tools/m4/ChangeLog b/gettext-tools/m4/ChangeLog
index 9116e5d96..a4e58fdce 100644
--- a/gettext-tools/m4/ChangeLog
+++ b/gettext-tools/m4/ChangeLog
@@ -1,3 +1,8 @@
+2003-11-04 Bruno Haible
+
+ * xsize.m4: New file.
+ * Makefile.am (EXTRA_DIST): Add it.
+
 2003-10-21 Bruno Haible
 * canonicalize.m4 (gl_PREREQ_CANONICALIZE): Also test for readlink().
diff --git a/gettext-tools/m4/Makefile.am b/gettext-tools/m4/Makefile.am
index 1a50530e8..26f947c28 100644
--- a/gettext-tools/m4/Makefile.am
+++ b/gettext-tools/m4/Makefile.am
@@ -68,4 +68,5 @@ strerror_r.m4 \
 tmpdir.m4 \
 unionwait.m4 \
 unlocked-io.m4 \
-xreadlink.m4
+xreadlink.m4 \
+xsize.m4
diff --git a/gettext-tools/m4/xsize.m4 b/gettext-tools/m4/xsize.m4
new file mode 100644
index 000000000..ee30a4d45
--- /dev/null
+++ b/gettext-tools/m4/xsize.m4
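Review bot: The usage comment near the top of xsize.h recommends `SIZE_OVERFLOW_P` and shows `!SIZE_OVERFLOW_P (size)`, but the macros actually defined at the bottom of the file are the lowercase `size_overflow_p` / `size_in_bounds_p`, so the documented example does not compile as written; change the two comment lines to `it's recommended to use size_overflow_p` and `void *p = (size_in_bounds_p (size) ? malloc (size) : NULL);`, which also matches how linebreak.c calls it. `xtimes` evaluates both N and ELSIZE twice, so its comment should add `N and ELSIZE must be free of side effects.` (and "wider tupe" is a typo for "wider type"). `xcast_size_t` and `xtimes` accept a negative signed N without complaint, because `(N) <= SIZE_MAX` converts it to a large unsigned value, so the stated `>= 0` precondition is not enforced; that is acceptable for a checked-size helper but the comment should say the caller is responsible for it. The header names on the two bare `#include` lines appear to have been lost in this rendering of the patch.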
@@ -0,0 +1,13 @@
+# xsize.m4 serial 1
+dnl Copyright (C) 2003 Free Software Foundation, Inc.
+dnl This file is free software, distributed under the terms of the GNU
+dnl General Public License. As a special exception to the GNU General
+dnl Public License, this file may be distributed as part of a program
+dnl that contains a configuration script generated by Autoconf, under
+dnl the same distribution terms as the rest of that program.
+
+AC_DEFUN([gl_XSIZE],
+[
+ dnl Prerequisites of lib/xsize.h.
+ AC_CHECK_HEADERS(stdint.h)
+])
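Review bot: xsize.h defines `xsum`, `xsum3` and `xsum4` as `static inline`, but gl_XSIZE only checks for stdint.h; on a pre-C99 compiler `inline` is not a keyword, so unless configure.ac already invokes AC_C_INLINE somewhere not visible here the new header will not compile on such toolchains. Add `AC_REQUIRE([AC_C_INLINE])` as the first line of the macro body, directly above the existing `AC_CHECK_HEADERS(stdint.h)`. That also makes the `dnl Prerequisites of lib/xsize.h.` comment true for both things the header depends on.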