diff options
| author | Eric Hawicz <erh+git@nimenees.com> | 2020-05-15 21:05:30 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-05-15 21:05:30 -0400 |
| commit | f2b7d0b5cbd0eccf4fb3c1851ec0864952be1057 (patch) | |
| tree | 4a107b9f34da1184a5f54f17b89f50d3d7a5f134 /printbuf.c | |
| parent | 0e1d83f980288ab9bda6b316c0d6df6b28a0688a (diff) | |
| parent | 74accb17cde1b88794b2b764cabaaf1f0858656c (diff) | |
| download | json-c-0.12.tar.gz | |
Merge pull request #611 from besser82/topic/besser82/json-c-0.12/CVE-2020-12762json-c-0.12
json-c-0.12.x: Fix CVE-2020-12762 - json-c through 0.14 has an integer overflow and out-of-bounds write ...
Diffstat (limited to 'printbuf.c')
| -rw-r--r-- | printbuf.c | 18 |
1 files changed, 17 insertions, 1 deletions
@@ -15,6 +15,7 @@ #include "config.h" +#include <limits.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -63,7 +64,16 @@ static int printbuf_extend(struct printbuf *p, int min_size) if (p->size >= min_size) return 0; - new_size = json_max(p->size * 2, min_size + 8); + /* Prevent signed integer overflows with large buffers. */ + if (min_size > INT_MAX - 8) + return -1; + if (p->size > INT_MAX / 2) + new_size = min_size + 8; + else { + new_size = p->size * 2; + if (new_size < min_size + 8) + new_size = min_size + 8; + } #ifdef PRINTBUF_DEBUG MC_DEBUG("printbuf_memappend: realloc " "bpos=%d min_size=%d old_size=%d new_size=%d\n", @@ -78,6 +88,9 @@ static int printbuf_extend(struct printbuf *p, int min_size) int printbuf_memappend(struct printbuf *p, const char *buf, int size) { + /* Prevent signed integer overflows with large buffers. */ + if (size > INT_MAX - p->bpos - 1) + return -1; if (p->size <= p->bpos + size + 1) { if (printbuf_extend(p, p->bpos + size + 1) < 0) return -1; @@ -94,6 +107,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len) if (offset == -1) offset = pb->bpos; + /* Prevent signed integer overflows with large buffers. */ + if (len > INT_MAX - offset) + return -1; size_needed = offset + len; if (pb->size < size_needed) { |