luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

curl: guard against size_t wraparound in no-clobber code

Browse Source 
When generating the new filename, make sure we aren't overflowing the
size_t limit when calculating the new length. This is mostly academic
but good code hygeine nonetheless.

Closes: #8771
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
This commit is contained in:
Daniel Gustafsson 2022-04-30 21:17:40 +02:00
parent be7cccf18e
commit 6d86193377
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/tool_cb_wrt.c
View File

@ -88,7 +88,15 @@ bool tool_create_output_file(struct OutStruct *outs,
if(config->file_clobber_mode == CLOBBER_NEVER && fd == -1) {
int next_num = 1;
size_t len = strlen(fname);
char *newname = malloc(len + 13); /* nul + 1-11 digits + dot */
size_t newlen = len + 13; /* nul + 1-11 digits + dot */
char *newname;
/* Guard against wraparound in new filename */
if(newlen < len) {
free(aname);
errorf(global, "overflow in filename generation\n");
return FALSE;
}
newname = malloc(newlen);
if(!newname) {
errorf(global, "out of memory\n");
return FALSE;