From af74fab1ddf85752014fc5530440481059183dd9 Mon Sep 17 00:00:00 2001
From: 
Date: Fri, 26 Oct 2007 01:05:48 -0700
Subject: [PATCH] This fixes the overflow size_t possible problem in the string functions (yes, not likely to ever happen).

---
 lib/memcached_string.c | 18 +++++++++++++-----
 tests/test.c           |  4 ++--
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/lib/memcached_string.c b/lib/memcached_string.c
index e2f14017..30d8e175 100644
--- a/lib/memcached_string.c
+++ b/lib/memcached_string.c
@@ -6,12 +6,19 @@ memcached_return memcached_string_check(memcached_string_st *string, size_t need
 {
   size_t current_offset= string->end - string->string;
   char *new_value;
-  size_t adjust= (need - (size_t)(string->current_size - (size_t)(string->end - string->string))) / string->block_size;
+  size_t adjust;
+  size_t new_size;
 
+  /* This is the block multiplier. To keep it larger and surive division errors we must round it up */
+  adjust= (need - (size_t)(string->current_size - (size_t)(string->end - string->string))) / string->block_size;
   adjust++;
 
-  new_value= (char *)realloc(string->string,
-                             sizeof(char) * ((adjust * string->block_size) + string->current_size));
+  new_size= sizeof(char) * (size_t)((adjust * string->block_size) + string->current_size);
+  /* Test for overflow */
+  if (new_size < need)
+    return MEMCACHED_MEMORY_ALLOCATION_FAILURE;
+
+  new_value= (char *)realloc(string->string, new_size);
 
   if (new_value == NULL)
     return MEMCACHED_MEMORY_ALLOCATION_FAILURE;
@@ -80,9 +87,10 @@ memcached_return memcached_string_append(memcached_st *ptr, memcached_string_st 
 
   if (rc != MEMCACHED_SUCCESS)
     return rc;
-
+
+  WATCHPOINT_ASSERT(length <= string->current_size);
   WATCHPOINT_ASSERT(string->string);
-  WATCHPOINT_ASSERT(string->end >= string->string && string->end <= string->string + string->current_size);
+  WATCHPOINT_ASSERT(string->end >= string->string);
   memcpy(string->end, value, length);
   string->end+= length;
 
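Review bot: The new `if (new_size < need)` test catches the wrap of `adjust * block_size + current_size`, but the subtraction on the `adjust=` line still wraps when `need` is smaller than the free space, and nothing in this function guards against that (the function body begins at this hunk's `{`; its callers are outside the hunk). If no caller guarantees that `need` exceeds the free space, a guard before the division such as `if (need <= (size_t)(string->current_size - current_offset)) return MEMCACHED_SUCCESS;` would keep `adjust` meaningful — assuming the rest of the function does nothing that must still run when no growth is needed, which the hunk does not show. Separately, `sizeof(char) * (size_t)(...)` multiplies an already-`size_t` value by 1; `new_size= (adjust * string->block_size) + string->current_size;` says the same thing. The new block-multiplier comment has a typo, `surive` → `survive`.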
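Review bot: The replacement assertions in memcached_string_append are weaker than the one removed: `length <= string->current_size` together with `string->end >= string->string` does not establish that the following `memcpy` stays inside the buffer, because `end` may already sit partway through it. The invariant the copy actually needs is that `length` fits in the remaining space, `WATCHPOINT_ASSERT((size_t)(string->end - string->string) + length <= string->current_size);`, which also implies the dropped `end <= string + current_size` bound. WATCHPOINT_ASSERT is presumably a debug-only check, so this only changes what is caught under test; in release builds the guarantee still rests on memcached_string_check having grown the buffer, which is outside this hunk. The function's start and end are outside the hunk.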
diff --git a/tests/test.c b/tests/test.c
index 258feb44..7d1a523c 100644
--- a/tests/test.c
+++ b/tests/test.c
@@ -683,7 +683,7 @@ void string_alloc_with_size_toobig(memcached_st *memc)
 {
   memcached_string_st *string;
 
-  string= memcached_string_create(memc, UINT64_MAX);
+  string= memcached_string_create(memc, INT64_MAX);
   assert(string == NULL);
 }
 
@@ -726,7 +726,7 @@ void string_alloc_append_toobig(memcached_st *memc)
     rc= memcached_string_append(memc, string, buffer, SMALL_STRING_LEN);
     assert(rc == MEMCACHED_SUCCESS);
   }
-  rc= memcached_string_append(memc, string, buffer, UINT64_MAX);
+  rc= memcached_string_append(memc, string, buffer, INT64_MAX);
   assert(rc == MEMCACHED_MEMORY_ALLOCATION_FAILURE);
   memcached_string_free(memc, string);
 }
-- 
2.30.2
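Review bot: Changing the argument from `UINT64_MAX` to `INT64_MAX` in both hunks means neither test still exercises the size_t wrap that the memcached_string.c change guards against: on a 64-bit build `INT64_MAX` plus the block size and the current size does not wrap, so the expected failure presumably comes from `realloc` returning NULL rather than from the new `new_size < need` check. Keeping a maximal case alongside, e.g. `rc= memcached_string_append(memc, string, buffer, SIZE_MAX);` with the same `MEMCACHED_MEMORY_ALLOCATION_FAILURE` expectation, would cover the wrap path; if `UINT64_MAX` was dropped because it is not a `size_t` on every target, `SIZE_MAX` is the portable spelling for both hunks.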