projects / awesomized / libmemcached / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree | github
raw | patch | inline | side by side (parent: d34fb75)
This fixes the overflow size_t possible problem in the string functions (yes,
author <brian@gir.local> <>
Fri, 26 Oct 2007 08:05:48 +0000 (01:05 -0700)
committer <brian@gir.local> <>
Fri, 26 Oct 2007 08:05:48 +0000 (01:05 -0700)
not likely to ever happen).

lib/memcached_string.c patch | blob | history
tests/test.c patch | blob | history

diff --git a/lib/memcached_string.c b/lib/memcached_string.c
index e2f140178f8f44b54b5ed2277474791a41929f9e..30d8e1754bd767f2ed495e5b48734baec66f5a96 100644 (file)
--- a/lib/memcached_string.c
+++ b/lib/memcached_string.c
@@ -6,12 +6,19 @@ memcached_return memcached_string_check(memcached_string_st *string, size_t need
   {
     size_t current_offset= string->end - string->string;
     char *new_value;
-    size_t adjust= (need - (size_t)(string->current_size - (size_t)(string->end - string->string))) / string->block_size;
+    size_t adjust;
+    size_t new_size;
 
+    /* This is the block multiplier. To keep it larger and surive division errors we must round it up */
+    adjust= (need - (size_t)(string->current_size - (size_t)(string->end - string->string))) / string->block_size;
     adjust++;
 
-    new_value= (char *)realloc(string->string, 
-                               sizeof(char) * ((adjust * string->block_size) + string->current_size));
+    new_size= sizeof(char) * (size_t)((adjust * string->block_size) + string->current_size);
+    /* Test for overflow */
+    if (new_size < need)
+      return MEMCACHED_MEMORY_ALLOCATION_FAILURE;
+
+    new_value= (char *)realloc(string->string, new_size);
 
     if (new_value == NULL)
       return MEMCACHED_MEMORY_ALLOCATION_FAILURE;
@@ -80,9 +87,10 @@ memcached_return memcached_string_append(memcached_st *ptr, memcached_string_st
 
   if (rc != MEMCACHED_SUCCESS)
     return rc;
-  
+
+  WATCHPOINT_ASSERT(length <= string->current_size);
   WATCHPOINT_ASSERT(string->string);
-  WATCHPOINT_ASSERT(string->end >= string->string && string->end <= string->string + string->current_size);
+  WATCHPOINT_ASSERT(string->end >= string->string);
 
   memcpy(string->end, value, length);
   string->end+= length;
diff --git a/tests/test.c b/tests/test.c
index 258feb441234877b50fbea9b7169744e7cdd4ef1..7d1a523caa84c9a500f013b126843cdb0f1b11a8 100644 (file)
--- a/tests/test.c
+++ b/tests/test.c
@@ -683,7 +683,7 @@ void string_alloc_with_size_toobig(memcached_st *memc)
 {
   memcached_string_st *string;
 
-  string= memcached_string_create(memc, UINT64_MAX);
+  string= memcached_string_create(memc, INT64_MAX);
   assert(string == NULL);
 }
 
@@ -726,7 +726,7 @@ void string_alloc_append_toobig(memcached_st *memc)
     rc= memcached_string_append(memc, string, buffer, SMALL_STRING_LEN);
     assert(rc == MEMCACHED_SUCCESS);
   }
-  rc= memcached_string_append(memc, string, buffer, UINT64_MAX);
+  rc= memcached_string_append(memc, string, buffer, INT64_MAX);
   assert(rc == MEMCACHED_MEMORY_ALLOCATION_FAILURE);
   memcached_string_free(memc, string);
 }
Resurrection of libmemcached