sed(1) size_t overflow bug may cause memory allocation error.
Issue #133
resolved
In process.c, the size calculation for the appends array allocation (appendx and appendnum) can potentially overflow size_t.
    if (appendx >= appendnum) {
        appends = erealloc(appends,
            sizeof(struct s_appends) *
            (appendnum * 2));
        appendnum *= 2;
    }
should be:
    #define MAX_APPENDS (SIZE_MAX / sizeof(struct s_appends))
    if (appendx >= appendnum) {
        if (appendnum > MAX_APPENDS / 2)
            errx(EXIT_FAILURE, "%s", strerror(ENOMEM));
        appendnum *= 2;
        appends = erealloc(appends,
            sizeof(struct s_appends) * appendnum);
    }
OpenBSD seems to use their own API, xreallocarray(3):
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/sed/process.c#rev1.20
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/sed/process.c#rev1.22
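The bound proposed above, generalized into a reusable doubling helper; this is an added example, not code from the sed source or from the fixing commit. The names `grow_array`, `try_grow` and `unchecked_bytes`, and the fields of `struct s_appends`, are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for sed's struct s_appends; the fields are assumed. */
struct s_appends { int type; char *s; size_t len; };
/* Byte count as the unpatched code computes it; wraps silently. */
static size_t unchecked_bytes(size_t appendnum)
{
	return sizeof(struct s_appends) * (appendnum * 2);
}

/*
 * Hypothetical helper: double an array of *nump elements of `size` bytes.
 * Returns 0 and updates *arrp and *nump, or returns -1 and leaves both
 * untouched if the byte count would exceed SIZE_MAX or realloc fails.
 */
static int grow_array(void **arrp, size_t *nump, size_t size)
{
	size_t newnum;
	void *p;
	/* Same bound as the report: nump > (SIZE_MAX / size) / 2 */
	if (size == 0 || *nump > SIZE_MAX / size / 2) {
		errno = ENOMEM;
		return -1;
	}
	newnum = *nump ? *nump * 2 : 1;
	if ((p = realloc(*arrp, newnum * size)) == NULL)
		return -1;
	*arrp = p;
	*nump = newnum;
	return 0;
}

/* One growth step from a claimed capacity; 0 means the step was refused. */
static size_t try_grow(size_t capacity)
{
	void *arr = NULL;
	if (grow_array(&arr, &capacity, sizeof(struct s_appends)) != 0)
		return 0;
	free(arr);
	return capacity;
}

int main(void)
{
	size_t bad = SIZE_MAX / sizeof(struct s_appends) / 2 + 1;
	printf("unchecked: %zu bytes; checked: %zu, %zu\n",
	    unchecked_bytes(bad), try_grow(4), try_grow(bad));
	return 0;
}
```

For the first capacity past the bound, the unchecked expression wraps to a request smaller than two elements, while the checked helper refuses the step.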
Comments (4)
reporter - changed title to sed(1) size_t overflow bug may cause memory allocation error.
reporter BUGFIX: Issue #133 -- sed(1) size_t overflow bug may cause memory allocation error. → <<cset 6fdec15c02bc>>
reporter BUGFIX: Issue #133 - pam_ftpusers doesn't understand tnftp's ftpusers(5) format. Remove pam_ftpusers; it didn't work with tnftpd's /etc/ftpusers and maybe nobody uses this. If you still want access control via /etc/ftpusers, use my pam_tnftpusers module. https://bitbucket.org/tnozaki/pam_tnftpusers/src → <<cset e2553a367e2d>>