From 94d0633ac6e323828f2f6dc89ee71d307e4c71f4 Mon Sep 17 00:00:00 2001
From: Thomas Voss
Date: Wed, 30 Oct 2024 11:08:03 +0100
Subject: Fix heap buffer overflow
---
 src/work.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/work.c b/src/work.c
index fc65fd2..510fa07 100644
--- a/src/work.c
+++ b/src/work.c
@@ -4,7 +4,7 @@
 #include
 #include
 #include
-#include
+#include
 #include
 #include
 #include
@@ -118,11 +118,10 @@ process_file(const char *locl_filename, unsigned char **locl_buf)
 } else {
 ptrdiff_t nw = 0;
 for (;;) {
- if (nw + st.st_blksize > basecap) {
- if (ckd_mul(&basecap, basecap, 2)) {
- errno = EOVERFLOW;
- cerr(EXIT_FATAL, "realloc:");
- }
+ ptrdiff_t want = nw + st.st_blksize;
+ if (want > basecap) {
+ /* TODO: Check for overflow (top bit set) */
+ basecap = (ptrdiff_t)stdc_bit_ceil((size_t)want);
 if ((baseptr = realloc(baseptr, basecap)) == nullptr)
 cerr(EXIT_FATAL, "realloc:");
 }
@@ -152,7 +151,9 @@ process_file(const char *locl_filename, unsigned char **locl_buf)
 (void)close(fd);
 #if DEBUG
 free(baseptr);
+array_free(hl);
 baseptr = nullptr;
+hl = nullptr;
 #endif
 return;
--
cgit v1.2.3
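Review bot: The TODO on the new `basecap = (ptrdiff_t)stdc_bit_ceil((size_t)want);` line in the second hunk leaves out the overflow check that the removed `ckd_mul` path used to provide: `nw + st.st_blksize` is a signed addition that is undefined if it overflows, and once `want` exceeds half of PTRDIFF_MAX the power-of-two round-up is not representable, so the capacity handed to `realloc` can be wrong and the buffer written afterwards is smaller than the code believes. The guard can be restored before the rounding with `ckd_add` plus a bound on `want`, keeping the existing `errno = EOVERFLOW; cerr(EXIT_FATAL, "realloc:");` failure path; the lines below show that shape. The first hunk swaps one `#include` whose name is not visible here, so if that was the stdckdint.h include being dropped it must stay for `ckd_add`, and PTRDIFF_MAX needs stdint.h. process_file continues outside the hunk on both sides.

```c
			ptrdiff_t want;
			/* bit_ceil(want) only fits in ptrdiff_t while want <= PTRDIFF_MAX / 2 */
			if (ckd_add(&want, nw, st.st_blksize) || want > PTRDIFF_MAX / 2) {
				errno = EOVERFLOW;
				cerr(EXIT_FATAL, "realloc:");
			}
			if (want > basecap) {
				basecap = (ptrdiff_t)stdc_bit_ceil((size_t)want);
				/* … unchanged: realloc of baseptr to basecap … */
```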