0110-top: Prevent integer overflows in config_file() and other_selection().

author Qualys Security Advisory <qsa@qualys.com>

Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)

committer Craig Small <csmall@enc.com.au>

Sat, 9 Jun 2018 11:35:20 +0000 (21:35 +1000)
author Qualys Security Advisory <qsa@qualys.com>
Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)
committer Craig Small <csmall@enc.com.au>
Sat, 9 Jun 2018 11:35:20 +0000 (21:35 +1000)
diff --git a/top/top.c b/top/top.c

index 69719b07f9bd78e85967e98835858445920f259b..c53883401ac3236ab884472dd002f9aaeef64e1b 100644 (file)
--- a/top/top.c
+++ b/top/top.c
@@ -3303,6 +3303,9 @@ error Hey, fix the above fscanf 'PFLAGSSIZ' dependency !
        size_t lraw = strlen(Inspect.raw) +1;
        char *s;
  
+      if (i < 0 || (size_t)i >= INT_MAX / sizeof(struct I_ent)) break;
+      if (lraw >= INT_MAX - sizeof(fbuf)) break;
+
        if (!fgets(fbuf, sizeof(fbuf), fp)) break;
        lraw += strlen(fbuf) +1;
        Inspect.raw = alloc_r(Inspect.raw, lraw);
@@ -4165,6 +4168,9 @@ static void other_selection (int ch) {
           , inc ? N_txt(WORD_include_txt) : N_txt(WORD_exclude_txt)));
        return;
     }
+   if (Curwin->osel_prt && strlen(Curwin->osel_prt) >= INT_MAX - (sizeof(raw) + 6)) {
+      return;
+   }
     osel = alloc_c(sizeof(struct osel_s));
     osel->inc = inc;
     osel->enu = enu;
author	Qualys Security Advisory <qsa@qualys.com>
	Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)
committer	Craig Small <csmall@enc.com.au>
	Sat, 9 Jun 2018 11:35:20 +0000 (21:35 +1000)