[hackers] [scc] [driver] fix possible overflow in newitem() || Quentin Rameau

From: <git_AT_suckless.org>
Date: Tue, 21 Jun 2016 08:32:08 +0200 (CEST)

commit 86f5bf37e46015bab156c5e462f4a16cd502d552
Author: Quentin Rameau <quinq_AT_fifth.space>
AuthorDate: Sat Jun 18 15:25:28 2016 +0200
Commit: Quentin Rameau <quinq_AT_fifth.space>
CommitDate: Sat Jun 18 15:33:00 2016 +0200

    [driver] fix possible overflow in newitem()

diff --git a/driver/posix/scc.c b/driver/posix/scc.c
index 71d8185..7a056ea 100644
--- a/driver/posix/scc.c
+++ b/driver/posix/scc.c
_AT_@ -32,7 +32,8 @@ static struct tool {
         char bin[16];
         char *outfile;
         struct items args;
- int nparams, in, out, init;
+ unsigned nparams;
+ int in, out, init;
         pid_t pid;
 } tools[] = {
         [CC1] = { .bin = "cc1", .cmd = PREFIX "/libexec/scc/", },
_AT_@ -56,7 +57,7 @@ extern int failure;
 static void
 terminate(void)
 {
- int i;
+ unsigned i;
 
         if (!kflag) {
                 for (i = 0; i < objtmp.n; ++i)
_AT_@ -165,7 +166,8 @@ static int
 settool(int tool, char *infile, int nexttool)
 {
         struct tool *t = &tools[tool];
- int i, fds[2];
+ unsigned i;
+ int fds[2];
         static int fdin = -1;
 
         switch (tool) {
_AT_@ -277,7 +279,8 @@ static int
 validatetools(void)
 {
         struct tool *t;
- int i, tool, st, failed = LAST_TOOL;
+ unsigned i;
+ int tool, st, failed = LAST_TOOL;
 
         for (tool = 0; tool < LAST_TOOL; ++tool) {
                 t = &tools[tool];
diff --git a/inc/cc.h b/inc/cc.h
index 33f5bca..005bb46 100644
--- a/inc/cc.h
+++ b/inc/cc.h
_AT_@ -16,12 +16,12 @@ extern int debug;
 
 struct items {
         char **s;
- int n;
+ unsigned n;
 };
 
 extern void die(const char *fmt, ...);
 extern void dbg(const char *fmt, ...);
-extern char **newitem(char **array, int num, char *item);
+extern char **newitem(char **array, unsigned num, char *item);
 extern void *xmalloc(size_t size);
 extern void *xcalloc(size_t nmemb, size_t size);
 extern char *xstrdup(const char *s);
diff --git a/lib/newitem.c b/lib/newitem.c
index 97a2560..50bb56b 100644
--- a/lib/newitem.c
+++ b/lib/newitem.c
_AT_@ -1,10 +1,14 @@
 #include "../inc/cc.h"
 
 char **
-newitem(char **array, int num, char *item)
+newitem(char **array, unsigned num, char *item)
 {
- char **ar = xrealloc(array, (num + 1) * sizeof(char **));
+ char **ar;
 
+ if ((num + 1) < num)
+ die("newitem: overflow (%u + 1)", num);
+
+ ar = xrealloc(array, (num + 1) * sizeof(char **));
         ar[num] = item;
 
         return ar;
Received on Tue Jun 21 2016 - 08:32:08 CEST