luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

strtoofft: fix the overflow check

Browse Source 
... to not rely on wrapping, since it is an undefined behavior that is
not what always might happen. This is in our private strtoff() parser
function, used only on platforms without a native version.

Reported-by: vulnerabilityspotter on hackerone
Closes #12990
This commit is contained in:
Daniel Stenberg 2024-02-25 22:52:40 +01:00
parent f47487c219
commit e2bd0c111e
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 7 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
lib/strtoofft.c
View File

@ -79,11 +79,10 @@ static int get_char(char c, int base);
static curl_off_t strtooff(const char *nptr, char **endptr, int base)
{
char *end;
int is_negative = 0;
int overflow;
bool is_negative = FALSE;
bool overflow = FALSE;
int i;
curl_off_t value = 0;
curl_off_t newval;
/* Skip leading whitespace. */
end = (char *)nptr;
@ -93,7 +92,7 @@ static curl_off_t strtooff(const char *nptr, char **endptr, int base)
/* Handle the sign, if any. */
if(end[0] == '-') {
is_negative = 1;
is_negative = TRUE;
end++;
}
else if(end[0] == '+') {
@ -129,19 +128,15 @@ static curl_off_t strtooff(const char *nptr, char **endptr, int base)
}
/* Loop handling digits. */
value = 0;
overflow = 0;
for(i = get_char(end[0], base);
i != -1;
end++, i = get_char(end[0], base)) {
newval = base * value + i;
if(newval < value) {
/* We've overflowed. */
overflow = 1;
if(value > (CURL_OFF_T_MAX - i) / base) {
overflow = TRUE;
break;
}
else
value = newval;
value = base * value + i;
}
if(!overflow) {