strv: add an additional overflow check when enlarging strv()s

https://bugs.freedesktop.org/show_bug.cgi?id=76745
author: Lennart Poettering <lennart@poettering.net> 2014-10-21 14:01:28 +0200
committer: Lennart Poettering <lennart@poettering.net> 2014-10-21 14:01:28 +0200
commit: 97569e154b80541cbad39d78231b7f360d4ff058 (patch)
tree: 14f9d425736b76d0b90390dad8f961556dc78fab /src/shared/strv.c
parent: bb604b2f42e8769947c6cf1c0242760ceb320929 (diff)
1 files changed, 16 insertions, 4 deletions
diff --git a/src/shared/strv.c b/src/shared/strv.c
index 0df978d23b..efa648df88 100644
--- a/src/shared/strv.c
+++ b/src/shared/strv.c
@@ -380,13 +380,19 @@ char *strv_join_quoted(char **l) {
 
 int strv_push(char ***l, char *value) {
         char **c;
-        unsigned n;
+        unsigned n, m;
 
         if (!value)
                 return 0;
 
         n = strv_length(*l);
-        c = realloc(*l, sizeof(char*) * (n + 2));
+
+        /* increase and check for overflow */
+        m = n + 2;
+        if (m < n)
+                return -ENOMEM;
+
+        c = realloc(*l, sizeof(char*) * (size_t) m);
         if (!c)
                 return -ENOMEM;
 
@@ -399,13 +405,19 @@ int strv_push(char ***l, char *value) {
 
 int strv_push_prepend(char ***l, char *value) {
         char **c;
-        unsigned n, i;
+        unsigned n, m, i;
 
         if (!value)
                 return 0;
 
         n = strv_length(*l);
-        c = new(char*, n + 2);
+
+        /* increase and check for overflow */
+        m = n + 2;
+        if (m < n)
+                return -ENOMEM;
+
+        c = new(char*, m);
         if (!c)
                 return -ENOMEM;
author	Lennart Poettering <lennart@poettering.net>	2014-10-21 14:01:28 +0200
committer	Lennart Poettering <lennart@poettering.net>	2014-10-21 14:01:28 +0200
commit	97569e154b80541cbad39d78231b7f360d4ff058 (patch)
tree	14f9d425736b76d0b90390dad8f961556dc78fab /src/shared/strv.c
parent	bb604b2f42e8769947c6cf1c0242760ceb320929 (diff)