tal/talloc: fix overflow on 64 bit systems

Arguably a bug in talloc_realloc_array, which uses an unsigned for 
size, resulting in silent truncation and a memcpy into a too-small
buffer.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Rusty Russell, 11 years ago
commit 36c52c260e
1 changed file with 7 additions and 0 deletions:
ccan/tal/talloc/talloc.c (+7, -0)

ccan/tal/talloc/talloc.c

@@ -141,6 +141,13 @@ bool tal_talloc_resize_(tal_t **ctxp, size_t size, size_t count)
 		*ctxp = newp;
 		*ctxp = newp;
 		return true;
 		return true;
 	}
 	}
+
+	/* count is unsigned, not size_t, so check for overflow here! */
+	if ((unsigned)count != count) {
+		call_error("Resize overflos");
+		return false;
+	}
+
 	newp = _talloc_realloc_array(NULL, *ctxp, size, count, NULL);
 	newp = _talloc_realloc_array(NULL, *ctxp, size, count, NULL);
 	if (!newp) {
 	if (!newp) {
 		call_error("Resize failure");
 		call_error("Resize failure");
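Review bot: the new error string `call_error("Resize overflos");` has a typo and should read `"Resize overflows"`, matching the wording style of the existing `"Resize failure"` message. Second, the commit message says `talloc_realloc_array` takes an unsigned for `size`, but the added guard only checks `count` (`if ((unsigned)count != count)`); please confirm which of the two `size_t` parameters is narrowed to `unsigned` by `_talloc_realloc_array`, and if it is `size` (or both), extend the check so that neither argument is silently truncated before the call.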