diff options
| author | Damien Miller <djm@mindrot.org> | 2011-01-12 13:32:03 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2011-01-12 13:32:03 +1100 |
| commit | 4927aaf4460de407855676a0ad36bf39704e74a2 (patch) | |
| tree | 3e9df47e08fcbb1de66f841f54d69c4d01c72f64 /openbsd-compat/glob.c | |
| parent | b66e91783186ad68b7a11fd67a81795fdbe103d8 (diff) | |
- djm@cvs.openbsd.org 2011/01/12 01:53:14
avoid some integer overflows mostly with GLOB_APPEND and GLOB_DOOFFS
and sanity check arguments (these will be unnecessary when we switch
struct glob members from being type into to size_t in the future);
"looks ok" tedu@ feedback guenther@
Diffstat (limited to 'openbsd-compat/glob.c')
| -rw-r--r-- | openbsd-compat/glob.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c index 692e81045..0341225cd 100644 --- a/openbsd-compat/glob.c +++ b/openbsd-compat/glob.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: glob.c,v 1.34 2010/10/08 21:48:42 nicm Exp $ */ | 1 | /* $OpenBSD: glob.c,v 1.35 2011/01/12 01:53:14 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1989, 1993 | 3 | * Copyright (c) 1989, 1993 |
| 4 | * The Regents of the University of California. All rights reserved. | 4 | * The Regents of the University of California. All rights reserved. |
| @@ -184,6 +184,11 @@ glob(const char *pattern, int flags, int (*errfunc)(const char *, int), | |||
| 184 | pglob->gl_errfunc = errfunc; | 184 | pglob->gl_errfunc = errfunc; |
| 185 | pglob->gl_matchc = 0; | 185 | pglob->gl_matchc = 0; |
| 186 | 186 | ||
| 187 | if (pglob->gl_offs < 0 || pglob->gl_pathc < 0 || | ||
| 188 | pglob->gl_offs >= INT_MAX || pglob->gl_pathc >= INT_MAX || | ||
| 189 | pglob->gl_pathc >= INT_MAX - pglob->gl_offs - 1) | ||
| 190 | return GLOB_NOSPACE; | ||
| 191 | |||
| 187 | bufnext = patbuf; | 192 | bufnext = patbuf; |
| 188 | bufend = bufnext + MAXPATHLEN - 1; | 193 | bufend = bufnext + MAXPATHLEN - 1; |
| 189 | if (flags & GLOB_NOESCAPE) | 194 | if (flags & GLOB_NOESCAPE) |
| @@ -752,10 +757,13 @@ globextend(const Char *path, glob_t *pglob, struct glob_lim *limitp, | |||
| 752 | struct stat **statv; | 757 | struct stat **statv; |
| 753 | 758 | ||
| 754 | newn = 2 + pglob->gl_pathc + pglob->gl_offs; | 759 | newn = 2 + pglob->gl_pathc + pglob->gl_offs; |
| 755 | if (SIZE_MAX / sizeof(*pathv) <= newn || | 760 | if (pglob->gl_offs >= INT_MAX || |
| 761 | pglob->gl_pathc >= INT_MAX || | ||
| 762 | newn >= INT_MAX || | ||
| 763 | SIZE_MAX / sizeof(*pathv) <= newn || | ||
| 756 | SIZE_MAX / sizeof(*statv) <= newn) { | 764 | SIZE_MAX / sizeof(*statv) <= newn) { |
| 757 | nospace: | 765 | nospace: |
| 758 | for (i = pglob->gl_offs; i < newn - 2; i++) { | 766 | for (i = pglob->gl_offs; i < (ssize_t)(newn - 2); i++) { |
| 759 | if (pglob->gl_pathv && pglob->gl_pathv[i]) | 767 | if (pglob->gl_pathv && pglob->gl_pathv[i]) |
| 760 | free(pglob->gl_pathv[i]); | 768 | free(pglob->gl_pathv[i]); |
| 761 | if ((pglob->gl_flags & GLOB_KEEPSTAT) != 0 && | 769 | if ((pglob->gl_flags & GLOB_KEEPSTAT) != 0 && |
| @@ -870,7 +878,7 @@ match(Char *name, Char *pat, Char *patend) | |||
| 870 | ++pat; | 878 | ++pat; |
| 871 | while (((c = *pat++) & M_MASK) != M_END) { | 879 | while (((c = *pat++) & M_MASK) != M_END) { |
| 872 | if ((c & M_MASK) == M_CLASS) { | 880 | if ((c & M_MASK) == M_CLASS) { |
| 873 | int idx = *pat & M_MASK; | 881 | Char idx = *pat & M_MASK; |
| 874 | if (idx < NCCLASSES && | 882 | if (idx < NCCLASSES && |
| 875 | cclasses[idx].isctype(k)) | 883 | cclasses[idx].isctype(k)) |
| 876 | ok = 1; | 884 | ok = 1; |