tload: Prevent integer overflows of ncols, nrows, and scr_size.

author Qualys Security Advisory <qsa@qualys.com>

Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)

committer Craig Small <csmall@enc.com.au>

Fri, 18 May 2018 21:32:21 +0000 (07:32 +1000)
author Qualys Security Advisory <qsa@qualys.com>
Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)
committer Craig Small <csmall@enc.com.au>
Fri, 18 May 2018 21:32:21 +0000 (07:32 +1000)
diff --git a/tload.c b/tload.c

index 4b925e3705f466f64187ef13df5f5fa77ee3cfa9..509c5ff41020398671e44a645322f8607f93429f 100644 (file)
--- a/tload.c
+++ b/tload.c
@@ -43,6 +43,7 @@
  #include <sys/ioctl.h>
  #include <termios.h>
  #include <unistd.h>
+#include <limits.h>
  
  static char *screen;
  
@@ -70,9 +71,13 @@ static void setsize(int i)
                 if (win.ws_row > 0)
                         nrows = win.ws_row;
         }
+       if (ncols < 2 || ncols >= INT_MAX)
+               xerrx(EXIT_FAILURE, _("screen too small or too large"));
+       if (nrows < 2 || nrows >= INT_MAX / ncols)
+               xerrx(EXIT_FAILURE, _("screen too small or too large"));
         scr_size = nrows * ncols;
         if (scr_size < 2)
-               xerr(EXIT_FAILURE, _("screen too small"));
+               xerrx(EXIT_FAILURE, _("screen too small"));
         if (screen == NULL)
                 screen = (char *)xmalloc(scr_size);
         else
author	Qualys Security Advisory <qsa@qualys.com>
	Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)
committer	Craig Small <csmall@enc.com.au>
	Fri, 18 May 2018 21:32:21 +0000 (07:32 +1000)