mirror of
https://github.com/rkd77/elinks.git
synced 2024-10-01 03:36:26 -04:00
Detect all overflows in BitTorrent parse_bencoding_integer.
The previous check (integer > (off_t) integer * 10) did not detect all
overflows. Examples with 32-bit off_t:
integer = 0x1C71C71D (0x100000000/9 rounded up);
integer * 10 = 0x11C71C722, wraps to 0x1C71C722 which is > integer.
integer = 0x73333333;
integer * 10 = 0x47FFFFFFE, wraps to 0x7FFFFFFE which is > integer.
Examples with 64-bit off_t:
integer = 0x1C71C71C71C71C72 (0x10000000000000000/9 rounded up);
integer * 10 = 0x11C71C71C71C71C74, wraps to 0x1C71C71C71C71C74
which is > integer.
integer = 0x7333333333333333;
integer * 10 = 0x47FFFFFFFFFFFFFFE, wraps to 0x7FFFFFFFFFFFFFFE
which is > integer.
It is unclear to me what effect an undetected overflow would actually
have from the user's viewpoint, so I'm not adding a NEWS entry.
(cherry picked from commit a25fd18e56)
parent
9699a03e74
commit
721af4e749
@ -340,9 +340,13 @@ parse_bencoding_integer(struct scanner_token *token)
|
||||
}
|
||||
|
||||
for (; pos < length && isdigit(string[pos]); pos++) {
|
||||
if (integer > (off_t) integer * 10)
|
||||
off_t newint = integer * 10 + string[pos] - '0';
|
||||
|
||||
/* Check for overflow. This assumes wraparound,
|
||||
* even though C does not guarantee that. */
|
||||
if (newint / 10 != integer)
|
||||
return 0;
|
||||
integer = (off_t) integer * 10 + string[pos] - '0';
|
||||
integer = newint;
|
||||
}
|
||||
|
||||
if (sign == -1)
|
||||
|
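Review bot: The new test `newint / 10 != integer` runs only after `integer * 10 + string[pos] - '0'` has already been evaluated, and signed overflow on `off_t` is undefined behaviour, so an optimizing compiler may assume it never happens and fold the test to false, which the added comment itself concedes. Bencoded data comes from outside the program, so the bound is better checked before the arithmetic, e.g. `if (integer > (OFF_T_MAX_PLACEHOLDER - (string[pos] - '0')) / 10) return 0;`, where `OFF_T_MAX_PLACEHOLDER` stands for the largest `off_t` value (no such constant is shown on this page). Where the compiler provides them, `__builtin_mul_overflow` and `__builtin_add_overflow` are an alternative. If the post-hoc check is kept, the stated wraparound assumption only holds when the file is built with `-fwrapv`. The body of parse_bencoding_integer starts and ends outside the hunk, so how `sign` and the parsed value are used afterwards cannot be judged from here.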