diff options
author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2022-01-11 18:55:41 +0100 |
---|---|---|
committer | BenBE <BenBE@geshi.org> | 2022-01-11 21:42:57 +0100 |
commit | fde12434432f51ed773957824aa9460f5cc99e85 (patch) | |
tree | 468aa292eefef248d6f8205b3110e6611d2f7ac3 | |
parent | 6eab39c0abeb8770c184015792cd5805a4789040 (diff) |
Fix out of boundary writes in XUtils
It is possible to exceed the unsigned int data type on 64 bit systems
with enough available RAM. Use size_t in all places instead.
Proof of Concept: Create a 4 GB line in .htoprc file and run htop
$ dd if=/dev/zero bs=1024 count=4194304 | tr '\0' 'a' > ~/.htoprc
$ htop
Segmentation fault
Also avoid overflow of stack based "match" array in String_getToken.
-rw-r--r-- | XUtils.c | 11 |
1 files changed, 7 insertions, 4 deletions
@@ -101,6 +101,7 @@ inline bool String_contains_i(const char* s1, const char* s2) { char* String_cat(const char* s1, const char* s2) { const size_t l1 = strlen(s1); const size_t l2 = strlen(s2); + assert(SIZE_MAX - l1 > l2); char* out = xMalloc(l1 + l2 + 1); memcpy(out, s1, l1); memcpy(out + l1, s2, l2); @@ -122,10 +123,10 @@ char* String_trim(const char* in) { } char** String_split(const char* s, char sep, size_t* n) { - const unsigned int rate = 10; + const size_t rate = 10; char** out = xCalloc(rate, sizeof(char*)); size_t ctr = 0; - unsigned int blocks = rate; + size_t blocks = rate; const char* where; while ((where = strchr(s, sep)) != NULL) { size_t size = (size_t)(where - s); @@ -177,6 +178,8 @@ char* String_getToken(const char* line, const unsigned short int numMatch) { if (inWord == 1) { if (count == numMatch && line[i] != ' ' && line[i] != '\0' && line[i] != '\n' && line[i] != (char)EOF) { + if (foundCount == sizeof(match) / sizeof(match[0]) - 1) + break; match[foundCount] = line[i]; foundCount++; } @@ -188,8 +191,8 @@ char* String_getToken(const char* line, const unsigned short int numMatch) { } char* String_readLine(FILE* fd) { - const unsigned int step = 1024; - unsigned int bufSize = step; + const size_t step = 1024; + size_t bufSize = step; char* buffer = xMalloc(step + 1); char* at = buffer; for (;;) { |