From 0f2318d9df4ff481048d8491b4b4c7d3da5e883a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Wed, 15 Nov 2017 09:48:29 +0100
Subject: [PATCH] utils kr_strcatdup: deal with overflowing size_t

It's very unlikely to happen - sum of string lengths overflowing - even on a 32-bit platform, and the input seems not controllable by adversaries, but let's fix it anyway.
---
 lib/utils.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/utils.c b/lib/utils.c
index 8a039d5b1..b3c65d2dc 100644
--- a/lib/utils.c
+++ b/lib/utils.c
@@ -114,13 +114,16 @@ char* kr_strcatdup(unsigned n, ...)
 va_start(vl, n);
 for (unsigned i = 0; i < n; ++i) {
 char *item = va_arg(vl, char *);
- total_len += strlen_safe(item);
+ const size_t new_len = total_len + strlen_safe(item);
+ if (unlikely(new_len < total_len)) return NULL;
+ total_len = new_len;
 }
 va_end(vl);
 
 /* Allocate result and fill */
 char *result = NULL;
 if (total_len > 0) {
+ if (unlikely(total_len + 1 == 0)) return NULL;
 result = malloc(total_len + 1);
 }
 if (result) {
-- 
2.47.2
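Review bot: The `return NULL` added inside the loop exits between `va_start(vl, n)` and `va_end(vl)`, so `va_end` is never called on the overflow path; C11 7.16.1 makes returning without a matching `va_end` undefined behaviour. The new guard should release the list first: `if (unlikely(new_len < total_len)) { va_end(vl); return NULL; }`. The second check sits after `va_end(vl)` and is unaffected, though `total_len == SIZE_MAX` would state its intent more directly than `total_len + 1 == 0`. A one-line comment that NULL now also signals length overflow, not only an empty result or a failed malloc, would help callers. The body of kr_strcatdup starts and ends outside the hunk.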