blob: 15ecbe477b17bae491e315f7a13e7e5bac1e989b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Mon, 4 May 2020 19:41:16 +0200
Subject: [PATCH] Protect array_list_del_idx against size_t overflow.
If the assignment of stop overflows due to idx and count being
larger than SIZE_T_MAX in sum, out of boundary access could happen.
It takes invalid usage of this function for this to happen, but
I decided to add this check so array_list_del_idx is as safe against
bad usage as the other arraylist functions.
---
arraylist.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arraylist.c b/arraylist.c
index 12ad8af6d3..e5524aca75 100644
--- a/arraylist.c
+++ b/arraylist.c
@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count)
{
size_t i, stop;
+ /* Avoid overflow in calculation with large indices. */
+ if (idx > SIZE_T_MAX - count)
+ return -1;
stop = idx + count;
if (idx >= arr->length || stop > arr->length)
return -1;
|