sd-event: validate ssi_signo fits in signed int
authorLuca Boccassi <luca.boccassi@gmail.com>
Tue, 7 Apr 2026 23:53:07 +0000 (00:53 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Wed, 8 Apr 2026 00:28:51 +0000 (01:28 +0100)
Coverity flags si.ssi_signo as tainted data from read(), and warns
that casting it to signed could produce a negative value. Add an
explicit range check against INT_MAX before the SIGNAL_VALID check
to prove the cast is safe.

CID#1548033

Follow-up for c8b53fcfd3463679e6475e9b57b61a97dac1a287

src/libsystemd/sd-event/sd-event.c

index ad82f308baac521f22f43ea05204a32287781f3f..19feff5668852dca46d91b503087ae788369fc0a 100644 (file)
@@ -3804,11 +3804,11 @@ static int process_signal(sd_event *e, struct signal_data *d, uint32_t events, i
                 if (_unlikely_(n != sizeof(si)))
                         return -EIO;
 
-                if (_unlikely_(!SIGNAL_VALID(si.ssi_signo)))
+                if (_unlikely_(si.ssi_signo > INT_MAX)) /* Ensure value fits in int before casting */
                         return -EIO;
 
-                /* Silence static analyzers */
-                assert(si.ssi_signo < _NSIG);
+                if (_unlikely_(!SIGNAL_VALID(si.ssi_signo)))
+                        return -EIO;
 
                 if (e->signal_sources)
                         s = e->signal_sources[si.ssi_signo];
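Review bot: With `assert(si.ssi_signo < _NSIG)` dropped, nothing near the `e->signal_sources[si.ssi_signo]` index states what keeps it in bounds; that now rests entirely on `SIGNAL_VALID()`, whose definition is outside this hunk. I would add a comment above the second check, e.g. `/* SIGNAL_VALID() limits the value to 0 < signo < _NSIG, which keeps the signal_sources[] index below in range */`, assuming that is what it checks and that the array has `_NSIG` entries. The comment on the `INT_MAX` check mentions a cast, but no cast appears in the hunk and the conversion is presumably implicit at the `SIGNAL_VALID()` call. Wording such as `/* ssi_signo is a uint32_t filled by read(); reject values that would turn negative when converted to int */` would be more precise. The body of `process_signal` starts and ends outside the hunk.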