shithub: scc


ref: b2162f3f8c5612a6cbeddacf972cdecf36a3b32d
parent: 726f4aa85ece511878dfe1cb2132c34d882e5621
author: Quentin Rameau <quinq@fifth.space>
date: Sat Jun 18 11:25:28 EDT 2016

[driver] fix possible overflow in newitem()

--- a/driver/posix/scc.c
+++ b/driver/posix/scc.c
@@ -32,7 +32,8 @@
 	char   bin[16];
 	char  *outfile;
 	struct items args;
-	int    nparams, in, out, init;
+	unsigned nparams;
+	int    in, out, init;
 	pid_t  pid;
 } tools[] = {
 	[CC1]    = { .bin = "cc1",   .cmd = PREFIX "/libexec/scc/", },
@@ -56,7 +57,7 @@
 static void
 terminate(void)
 {
-	int i;
+	unsigned i;
 
 	if (!kflag) {
 		for (i = 0; i < objtmp.n; ++i)
@@ -165,7 +166,8 @@
 settool(int tool, char *infile, int nexttool)
 {
 	struct tool *t = &tools[tool];
-	int i, fds[2];
+	unsigned i;
+	int fds[2];
 	static int fdin = -1;
 
 	switch (tool) {
@@ -277,7 +279,8 @@
 validatetools(void)
 {
 	struct tool *t;
-	int i, tool, st, failed = LAST_TOOL;
+	unsigned i;
+	int tool, st, failed = LAST_TOOL;
 
 	for (tool = 0; tool < LAST_TOOL; ++tool) {
 		t = &tools[tool];
--- a/inc/cc.h
+++ b/inc/cc.h
@@ -16,12 +16,12 @@
 
 struct items {
 	char **s;
-	int n;
+	unsigned n;
 };
 
 extern void die(const char *fmt, ...);
 extern void dbg(const char *fmt, ...);
-extern char **newitem(char **array, int num, char *item);
+extern char **newitem(char **array, unsigned num, char *item);
 extern void *xmalloc(size_t size);
 extern void *xcalloc(size_t nmemb, size_t size);
 extern char *xstrdup(const char *s);
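Review bot: Narrowing `struct items.n` and the `num` parameter of newitem() from `int` to `unsigned` silently converts any remaining signed counter, so callers outside this patch need auditing. The commit updates the loop indices it touches in driver/posix/scc.c, but other users of `items.n` or newitem() (none visible here) may still compare against or pass an `int`. A negative value would then become a very large index instead of being rejected. Building once with `-Wsign-conversion -Wsign-compare` would surface those sites. A short contract comment on the prototype would also help, for example `/* stores item at array[num]; array is reallocated, use the returned pointer; calls die() on overflow */`.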
--- a/lib/newitem.c
+++ b/lib/newitem.c
@@ -1,10 +1,14 @@
 #include "../inc/cc.h"
 
 char **
-newitem(char **array, int num, char *item)
+newitem(char **array, unsigned num, char *item)
 {
-	char **ar = xrealloc(array, (num + 1) * sizeof(char **));
+	char **ar;
 
+	if ((num + 1) < num)
+		die("newitem: overflow (%u + 1)", num);
+
+	ar = xrealloc(array, (num + 1) * sizeof(char **));
 	ar[num] = item;
 
 	return ar;
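Review bot: The new guard `(num + 1) < num` only catches wraparound of the unsigned increment. The byte count `(num + 1) * sizeof(char **)` passed to xrealloc() is computed in size_t and can still wrap where size_t is no wider than unsigned (typical 32-bit targets), so the allocation comes back too small before the `ar[num] = item` store. Extending the condition covers both cases: `if (num + 1 < num || num + 1 > SIZE_MAX / sizeof(*ar))`, which needs `<stdint.h>` if cc.h does not already provide SIZE_MAX. Separately, `sizeof(char **)` names the pointer-to-array type rather than the element type; `sizeof(*ar)` has the same size in practice and stays correct if the declaration changes. The closing brace of newitem() lies outside the hunk.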