diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-10-21 14:01:28 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-10-21 14:01:28 +0200 |
commit | 97569e154b80541cbad39d78231b7f360d4ff058 (patch) | |
tree | 14f9d425736b76d0b90390dad8f961556dc78fab | |
parent | bb604b2f42e8769947c6cf1c0242760ceb320929 (diff) |
strv: add an additional overflow check when enlarging strv()s
https://bugs.freedesktop.org/show_bug.cgi?id=76745
-rw-r--r-- | src/shared/strv.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/shared/strv.c b/src/shared/strv.c index 0df978d23b..efa648df88 100644 --- a/src/shared/strv.c +++ b/src/shared/strv.c @@ -380,13 +380,19 @@ char *strv_join_quoted(char **l) { int strv_push(char ***l, char *value) { char **c; - unsigned n; + unsigned n, m; if (!value) return 0; n = strv_length(*l); - c = realloc(*l, sizeof(char*) * (n + 2)); + + /* increase and check for overflow */ + m = n + 2; + if (m < n) + return -ENOMEM; + + c = realloc(*l, sizeof(char*) * (size_t) m); if (!c) return -ENOMEM; @@ -399,13 +405,19 @@ int strv_push(char ***l, char *value) { int strv_push_prepend(char ***l, char *value) { char **c; - unsigned n, i; + unsigned n, m, i; if (!value) return 0; n = strv_length(*l); - c = new(char*, n + 2); + + /* increase and check for overflow */ + m = n + 2; + if (m < n) + return -ENOMEM; + + c = new(char*, m); if (!c) return -ENOMEM; |