Detect all overflows in BitTorrent parse_bencoding_integer.

The previous check (integer > (off_t) integer * 10) did not detect all overflows. Examples with 32-bit off_t: integer = 0x1C71C71D (0x100000000/9 rounded up); integer * 10 = 0x11C71C722, wraps to 0x1C71C722 which is > integer. integer = 0x73333333; integer * 10 = 0x47FFFFFFE, wraps to 0x7FFFFFFE which is > integer. Examples with 64-bit off_t: integer = 0x1C71C71C71C71C72 (0x10000000000000000/9 rounded up); integer * 10 = 0x11C71C71C71C71C74, wraps to 0x1C71C71C71C71C74 which is > integer. integer = 0x7333333333333333; integer * 10 = 0x47FFFFFFFFFFFFFFE, wraps to 0x7FFFFFFFFFFFFFFE which is > integer. It is unclear to me what effect an undetected overflow would actually have from the user's viewpoint, so I'm not adding a NEWS entry. (cherry picked from commit a25fd18e56)
2024-10-01 03:36:26 -04:00 · 2008-01-26 16:42:27 +02:00 · 2008-01-26 16:42:27 +02:00 · 721af4e749
commit 721af4e749
parent 9699a03e74
1 changed files with 6 additions and 2 deletions
--- a/src/protocol/bittorrent/bencoding.c
+++ b/src/protocol/bittorrent/bencoding.c
@ -340,9 +340,13 @@ parse_bencoding_integer(struct scanner_token *token)
 	}

 	for (; pos < length && isdigit(string[pos]); pos++) {
-		if (integer > (off_t) integer * 10)
+		off_t newint = integer * 10 + string[pos] - '0';
+
+		/* Check for overflow.  This assumes wraparound,
+		 * even though C does not guarantee that.  */
+		if (newint / 10 != integer)
 			return 0;
-		integer = (off_t) integer * 10 + string[pos] - '0';
+		integer = newint;
 	}

 	if (sign == -1)