ref: a6f27269f135c7f8f4d3ce30c9e15769f7201ed9
parent: 6c4171b1e9cf8e8793921aa04455d588f936e017
author: Roberto E. Vargas Caballero <k0ga@shike2.com>
date: Thu Nov 11 10:18:21 EST 2021
cc2: Check for overflow in array(). The input of cc2 is considered trusted, but it does not hurt to check it again.
--- a/src/cmd/cc/cc2/cc2.h
+++ b/src/cmd/cc/cc2/cc2.h
@@ -139,6 +139,7 @@
EWTACKU, /* switch stack underflow */
ENOSWTC, /* Out of switch statement */
EBBUILT, /* Unknown builtin */
+ EOVERFL, /* Numerical overflow */
ENUMERR
};
--- a/src/cmd/cc/cc2/parser.c
+++ b/src/cmd/cc/cc2/parser.c
@@ -1,4 +1,5 @@
#include <errno.h>
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -572,7 +573,11 @@
base = pop();
tp = pop();
tp->flags = ARRF;
- tp->size = size->u.i * base->size; /* FIXME check for overflow */
+
+ if (size->u.i > LONG_MAX/base->size)
+ error(EOVERFL);
+
+ tp->size = size->u.i * base->size;
tp->align = base->align;
delnode(size);